amoghrajesh commented on code in PR #43123:
URL: https://github.com/apache/airflow/pull/43123#discussion_r1805984111


##########
airflow/utils/cli.py:
##########
@@ -140,10 +141,17 @@ def _build_metrics(func_name, namespace):
     :return: dict with metrics
     """
     sub_commands_to_check = {"users", "connections"}
+    sub_commands_to_check_based_upon_key = {"variables"}
     sensitive_fields = {"-p", "--password", "--conn-password"}
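
Review bot: The name `sub_commands_to_check_based_upon_key` on the added line does not say how it differs from `sub_commands_to_check`, and no comment explains it. `sensitive_fields` holds option flags, whereas the new set appears to be for subcommands where the decision depends on a key argument; a one-line comment stating that, or a shorter name that says it, would make the split clear to the next reader.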

Review Comment:
   Add a new structure called sensitive indexes and define that instead of hardcoding here



##########
airflow/utils/cli.py:
##########
@@ -140,10 +141,17 @@ def _build_metrics(func_name, namespace):
     :return: dict with metrics
     """
     sub_commands_to_check = {"users", "connections"}
+    sub_commands_to_check_based_upon_key = {"variables"}
     sensitive_fields = {"-p", "--password", "--conn-password"}
     full_command = list(sys.argv)
     sub_command = full_command[1] if len(full_command) > 1 else None
-    if sub_command in sub_commands_to_check:
+    # For cases when value in variables have sensitive value
+    if sub_command in sub_commands_to_check_based_upon_key:
+        key = full_command[-2] if len(full_command) > 3 else None
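
Review bot: On the added `key = full_command[-2] if len(full_command) > 3 else None` line, the guard checks only the length of argv, so a four-element command such as `airflow variables get <name>` gives `full_command[-2] == "get"`, the action rather than the key. Check that `full_command[2]` is `set` before reading the key, and locate the key and value as positional arguments rather than by a fixed negative index, since any option placed after the value shifts both.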

Review Comment:
   This is the full command right:
   ```
   "full_command": "['/usr/local/bin/airflow', 'variables', 'set', '--description', 'my-secret', 'client_secret_2149', '********']"}
   ```
   
   So we need to get -1 of it since -1 would always be "value".



##########
airflow/utils/cli.py:
##########
@@ -140,10 +141,17 @@ def _build_metrics(func_name, namespace):
     :return: dict with metrics
     """
     sub_commands_to_check = {"users", "connections"}

Review Comment:
   Let us add "variables" here



##########
tests/utils/test_cli_util.py:
##########
@@ -185,6 +185,47 @@ def test_get_dag_by_pickle(self, session, dag_maker):
         with pytest.raises(AirflowException, match="pickle_id could not be 
found .* -42"):
             get_dag_by_pickle(pickle_id=-42, session=session)
 
+    @pytest.mark.parametrize(
+        ["given_command", "expected_masked_command"],
+        [
+            (
+                "airflow variables set --description 'needed for dag 4' 
client_secret_234 7fh4375f5gy353wdf",
+                "airflow variables set --description 'needed for dag 4' 
client_secret_234 ********",
+            ),
+            (
+                "airflow variables set cust_secret_234 7fh4375f5gy353wdf",
+                "airflow variables set cust_secret_234 ********",
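
Review bot: Both visible cases use a key containing `secret` with the value as the last argument, so the parametrization exercises only the masking path. Add a case with a non-sensitive key whose value must stay unmasked, a case with `--description` placed after the value, and a non-`set` subcommand to confirm that nothing else in the command is altered.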

Review Comment:
   Let us add the description field too; otherwise it gives an intuition that masking removes the description.



##########
airflow/utils/cli.py:
##########
@@ -140,10 +141,17 @@ def _build_metrics(func_name, namespace):
     :return: dict with metrics
     """
     sub_commands_to_check = {"users", "connections"}
+    sub_commands_to_check_based_upon_key = {"variables"}
     sensitive_fields = {"-p", "--password", "--conn-password"}
     full_command = list(sys.argv)
     sub_command = full_command[1] if len(full_command) > 1 else None
-    if sub_command in sub_commands_to_check:
+    # For cases when value in variables have sensitive value
+    if sub_command in sub_commands_to_check_based_upon_key:
+        key = full_command[-2] if len(full_command) > 3 else None
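
Review bot: The removed `if sub_command in sub_commands_to_check:` line is replaced here by the `variables` branch, and the visible lines do not show where the `users`/`connections` check ends up. Make sure it is kept as an `elif` after this branch so that values following `-p`, `--password` and `--conn-password` are still masked. The added comment would also read better as "The value of a variable may be sensitive".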

Review Comment:
   `airflow variables import` has a 4th parameter, and so do many other commands; they have a lot of extra options. So it is better to check that it's an `airflow variables set` instead.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
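
The index concerns raised in the review comments above, shown as an added example that is not code from the PR or from Airflow: it masks the value of `variables set` by locating the positional arguments instead of using fixed indexes. The names `mask_variables_set`, `is_sensitive_key`, `OPTIONS_WITH_VALUE` and `SENSITIVE_WORDS` are hypothetical, and the keyword list is a constructed stand-in for a real sensitivity check.

```python
MASK = "*" * 8
# Assumption: --description (seen in the thread) is the only option taking a value.
OPTIONS_WITH_VALUE = {"--description"}
# Assumption: constructed keyword list standing in for a real sensitivity check.
SENSITIVE_WORDS = ("secret", "password", "passwd", "token", "api_key", "apikey")


def is_sensitive_key(key):
    """Return True when the variable name hints at a secret."""
    lowered = key.lower()
    return any(word in lowered for word in SENSITIVE_WORDS)


def mask_variables_set(argv):
    """Return a copy of argv with the VALUE of `variables set` masked.

    KEY and VALUE are found by walking the arguments and skipping options,
    so the result does not depend on where the options appear.
    """
    masked = list(argv)
    # Only `<prog> variables set ...` carries a positional KEY and VALUE.
    if len(argv) < 3 or argv[1] != "variables" or argv[2] != "set":
        return masked
    positionals = []
    i = 3
    while i < len(argv):
        token = argv[i]
        if token == "--":  # everything after a bare -- is positional
            positionals.extend(range(i + 1, len(argv)))
            break
        if token in OPTIONS_WITH_VALUE:
            i += 2  # skip the option together with its value
            continue
        if token.startswith("-"):
            i += 1  # boolean flag or --option=value form
            continue
        positionals.append(i)
        i += 1
    # First positional is KEY, second is VALUE.
    if len(positionals) >= 2 and is_sensitive_key(argv[positionals[0]]):
        masked[positionals[1]] = MASK
    return masked
```

A value that itself begins with `-` is treated as a flag here unless it follows a bare `--`, so that case stays unmasked and needs its own handling.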
