[
https://issues.apache.org/jira/browse/AIRFLOW-4576?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16876290#comment-16876290
]
Raj Sasidharan commented on AIRFLOW-4576:
-----------------------------------------
Hi [~doncode]:
# DAG code is below which shows Airflow Variables being passed as credentials
to the shell script that needs to run
# The screenshot of UI's rendered template displaying password in clear text
is attached.
+*dummy_dag.py*+
{color:#654982}_from airflow import DAG_{color}
{color:#654982}_from datetime import datetime, timedelta_{color}
{color:#654982}_from airflow.contrib.operators.ssh_operator import
SSHOperator_{color}
{color:#654982}_default_args = {_{color}
{color:#654982} _'owner': 'airflow',_{color}
{color:#654982} _'depends_on_past': False,_{color}
{color:#654982} _'start_date': datetime(2019, 6, 30),_{color}
{color:#654982} _'email': ['[email protected]'],_{color}
{color:#654982} _'email_on_failure': False,_{color}
{color:#654982} _'email_on_retry': False,_{color}
{color:#654982} _'retries': 1,_{color}
{color:#654982} _'retry_delay': timedelta(minutes=5),_{color}
{color:#654982}_}_{color}
{color:#654982}_dag = DAG('dummy_dag', default_args=default_args,
schedule_interval=timedelta(minutes=60))_{color}
{color:#654982}_dummy_script_task = SSHOperator(_{color}
{color:#654982} _task_id='dummy_script_task',_{color}
{color:#654982} _ssh_conn_id='talend_tac_server',_{color}
{color:#654982} _command='/home/ec2-user/dummy_script.sh \{{
var.value.script_password }}',_{color}
{color:#654982} _do_xcom_push=True,_{color}
{color:#654982} _dag=dag)_{color}
!dag_rendered_template.JPG!
> Rendered Template & email_on_failure displays password variable in clear text
> -----------------------------------------------------------------------------
>
> Key: AIRFLOW-4576
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4576
> Project: Apache Airflow
> Issue Type: Bug
> Components: ui
> Affects Versions: 1.10.3
> Environment: Linux
> Reporter: Raj Sasidharan
> Priority: Critical
> Attachments: dag_rendered_template.JPG
>
>
> I have a DAG with a SSHOperator, which uses a ssh_conn_id to run the below
> command. As shown below, I am using Airflow Variables to pass credentials to
> the script that needs to run.
> *tac_job_run_command = "\{{ var.value.tac_metaservlet_path
> }}/MetaServletAirflowCaller.sh --tac-url=http://\{{ var.value.tac_server_ip
> }}:8080/tac/ --json-params='\{\"authPass\":\"{{ var.value.tac_tadmin_password
> }}\",\"authUser\":\"[email protected]\",\"taskId\":\{{
> ti.xcom_pull(\"get_tac_job_id\")[0] }}}' "*
> The password variable (tac_tadmin_password), in the UI's variables screen
> shows as ***** and all works good, but once the job has run, the SSHOperator
> task's Rendered Template section displays the command with the variable
> values and also displays the password (tac_tadmin_password) in clear text. Is
> there any way we can avoid this or is this an issue that needs to be fixed?
> If the DAG fails, I have email_on_failure set to True, and the email also
> ends up displaying the rendered template with password in clear text.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
