[GitHub] [airflow] jurovee opened a new issue, #30039: Sensitive variable not masked in task logs when named with _ENCODED suffix

Sat, 11 Mar 2023 05:23:51 -0800 


jurovee opened a new issue, #30039:
URL: https://github.com/apache/airflow/issues/30039

   ### Apache Airflow version
   
   Other Airflow 2 version (please specify below)
   
   ### What happened
   
   **Airflow 2.4.3**
   
   Sensitive variables with a name like **ACCOUNT_PASSWORD_ENCODED** (for 
url-encoded versions of passwords) are not being masked properly in task logs 
or rendered templates.
   
   Each of these variables have in our case their counterparts of name 
**ACCOUNT_PASSWORD** and these are masked **without any issues**.
   
   `AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` is set to **True** and I 
also tried to add custom field "encoded" or "password_encoded" or 
"PASSWORD_ENCODED" to `AIRFLOW__CORE__SENSITIVE_VAR_CONN_NAMES`, e.g.: 
   
   `AIRFLOW__CORE__SENSITIVE_VAR_CONN_NAMES: "encoded,password_encoded"`
   
   No impact on masking unfortunately.
   
   I also tried to run 
`airflow.utils.log.secrets_masker.should_hide_value_for_key('ACCOUNT_PASSWORD_ENCODED')`
 from Airflow container and it results in True, so no idea why it's not getting 
hidden.
   
   Could it be related to `%` characters in the variable value or something?
   
   ### What you think should happen instead
   
   Sensitive variables with a name like **ACCOUNT_PASSWORD_ENCODED** (for 
url-encoded versions of passwords) should be masked in Airflow logs or rendered 
templates as they contain a "magic" substring **PASSWORD**.
   
   ### How to reproduce
   
   Create a variable named **SOMETHING_PASSWORD_ENCODED** in your Airflow 
instance and try to use it in some task, e.g. BashOperator command echo 
{SOMETHING_PASSWORD_ENCODED}. Similarly create a variable without **_ENCODED** 
suffix and do the same. The first one is not being masked, the second one is.
   
   ### Operating System
   
   K8S Debian 10 Linux Container
   
   ### Versions of Apache Airflow Providers
   
   _No response_
   
   ### Deployment
   
   Other 3rd-party Helm chart
   
   ### Deployment details
   
   _No response_
   
   ### Anything else
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of 
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to