[GitHub] [airflow] Taragolis commented on a diff in pull request #26162: DockerHook: obtain credentials and login to Amazon ECR

Tue, 06 Sep 2022 05:30:27 -0700 


Taragolis commented on code in PR #26162:
URL: https://github.com/apache/airflow/pull/26162#discussion_r963646036


##########
airflow/providers/docker/hooks/docker.py:
##########
@@ -66,46 +81,51 @@ def __init__(
 
         if not docker_conn_id:
             raise AirflowException('No Docker connection id provided')
-
-        conn = self.get_connection(docker_conn_id)
-
-        if not conn.host:
-            raise AirflowException('No Docker URL provided')
-        if not conn.login:
-            raise AirflowException('No username provided')
-        extra_options = conn.extra_dejson
-
+        self.docker_conn_id = docker_conn_id
         self.__base_url = base_url
         self.__version = version
         self.__tls = tls
         self.__timeout = timeout
-        if conn.port:
-            self.__registry = f"{conn.host}:{conn.port}"
-        else:
-            self.__registry = conn.host
-        self.__username = conn.login
-        self.__password = conn.password
-        self.__email = extra_options.get('email')
-        self.__reauth = extra_options.get('reauth') != 'no'
 
-    def get_conn(self) -> APIClient:
+    @cached_property
+    def api_client(self) -> APIClient:
+        """Create connection to docker host and login to the docker 
registries. (cached)"""
+        conn = self.get_connection(self.docker_conn_id)
         client = APIClient(
             base_url=self.__base_url, version=self.__version, tls=self.__tls, 
timeout=self.__timeout
         )
-        self.__login(client)
+
+        credential_helper = conn.extra_dejson.get("credential_helper")
+        if not credential_helper:
+            # If not specified credential helper than retrieve information 
from Connection.
+            credential_helper = AirflowConnectionDockerCredentialHelper
+            credential_helper_kwargs = {}
+        else:
+            credential_helper = import_string(credential_helper)

Review Comment:
   I still don't get the attack vector by `import_string` is it in any way 
required install/download on worker some exploits and import them? But in this 
case it much easier just import module by `import` statements.
   So it still required administrators privilege or access to DAG level 
deployment.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to