potiuk pushed a commit to branch v2-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/v2-10-test by this push:
new e97d2b11e54 Masking configuration values irrelevant to DAG author
(#43040) (#43336)
e97d2b11e54 is described below
commit e97d2b11e547358c61b96c760206dc4eb4587659
Author: Jarek Potiuk <[email protected]>
AuthorDate: Thu Oct 24 02:27:15 2024 +0200
Masking configuration values irrelevant to DAG author (#43040) (#43336)
Some configuration values are irrelevant to DAG authors, so we need to mask
them to prevent them from being logged unintentionally.
Co-authored-by: adesai <[email protected]>
Co-authored-by: Ash Berlin-Taylor <[email protected]>
(cherry picked from commit 0b030c562363dd924bbbee0793636be18deeabe3)
Co-authored-by: Amogh Desai <[email protected]>
---
airflow/configuration.py | 15 +++++++++++++++
airflow/settings.py | 3 +++
tests/core/test_configuration.py | 15 +++++++++++++++
3 files changed, 33 insertions(+)
diff --git a/airflow/configuration.py b/airflow/configuration.py
index 618f5185db7..22e2c6abf70 100644
--- a/airflow/configuration.py
+++ b/airflow/configuration.py
@@ -851,6 +851,21 @@ class AirflowConfigParser(ConfigParser):
stacklevel=3,
)
+ def mask_secrets(self):
+ from airflow.utils.log.secrets_masker import mask_secret
+
+ for section, key in self.sensitive_config_values:
+ try:
+ value = self.get(section, key)
+ except AirflowConfigException:
+ log.debug(
+ "Could not retrieve value from section %s, for key %s.
Skipping redaction of this conf.",
+ section,
+ key,
+ )
+ continue
+ mask_secret(value)
+
def _env_var_name(self, section: str, key: str) -> str:
return f"{ENV_VAR_PREFIX}{section.replace('.',
'_').upper()}__{key.upper()}"
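Review bot: `mask_secrets` has no docstring or return annotation, and nothing in it says that it registers a one-time snapshot. Each value is read once via `self.get(section, key)` and handed to `mask_secret`, so a sensitive value that changes or first becomes retrievable after this call would presumably not be redacted. I would declare it as `def mask_secrets(self) -> None:` and add a docstring such as `"""Register the current value of every entry in sensitive_config_values with the secrets masker; entries that cannot be retrieved are skipped."""`. Because the loop resolves every sensitive option eagerly, it is also worth confirming that this does not turn previously lazy lookups into startup work in every process (the resolution path behind `self.get` is not visible here). The enclosing class `AirflowConfigParser` starts and continues outside the hunk.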
diff --git a/airflow/settings.py b/airflow/settings.py
index dc24a2c5acc..7e9626d788f 100644
--- a/airflow/settings.py
+++ b/airflow/settings.py
@@ -790,6 +790,9 @@ def initialize():
configure_orm()
configure_action_logging()
+ # mask the sensitive_config_values
+ conf.mask_secrets()
+
# Run any custom runtime checks that needs to be executed for providers
run_providers_custom_runtime_checks()
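Review bot: `conf.mask_secrets()` runs after `configure_orm()` and `configure_action_logging()`, so any sensitive configuration value logged by those calls, or by earlier steps of `initialize()`, would be emitted before the mask is registered. If the masker is already usable at that point (not visible in this hunk), consider moving the call ahead of `configure_orm()`. If it has to stay here, the comment should state the ordering constraint rather than restate the call, e.g. `# Register sensitive config values with the secrets masker before provider checks can log them`. `initialize()` starts and ends outside the hunk.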
diff --git a/tests/core/test_configuration.py b/tests/core/test_configuration.py
index 62548a3f266..b200d16baad 100644
--- a/tests/core/test_configuration.py
+++ b/tests/core/test_configuration.py
@@ -1785,3 +1785,18 @@ class TestWriteDefaultAirflowConfigurationIfNeeded:
with pytest.raises(IsADirectoryError, match="configuration file, but
got a directory"):
write_default_airflow_configuration_if_needed()
+
+ @conf_vars({("mysection1", "mykey1"): "supersecret1", ("mysection2",
"mykey2"): "supersecret2"})
+ @patch.object(
+ conf,
+ "sensitive_config_values",
+ new_callable=lambda: [("mysection1", "mykey1"), ("mysection2",
"mykey2")],
+ )
+ @patch("airflow.utils.log.secrets_masker.mask_secret")
+ def test_mask_conf_values(self, mock_mask_secret,
mock_sensitive_config_values):
+ conf.mask_secrets()
+
+ mock_mask_secret.assert_any_call("supersecret1")
+ mock_mask_secret.assert_any_call("supersecret2")
+
+ assert mock_mask_secret.call_count == 2
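Review bot: The new test covers only the path where every entry in `sensitive_config_values` resolves; the `except AirflowConfigException` branch of `mask_secrets`, which skips a value and leaves it unmasked, is never exercised. A second test with one listed key left unset would pin that the method neither raises during startup nor stops masking the remaining values. The test also sits in `TestWriteDefaultAirflowConfigurationIfNeeded`, which begins outside the hunk and looks unrelated to masking, so a dedicated test class may be a better home.

```python
    @conf_vars({("mysection1", "mykey1"): "supersecret1"})
    @patch.object(
        conf,
        "sensitive_config_values",
        new_callable=lambda: [("mysection1", "mykey1"), ("mysection2", "mykey2")],
    )
    @patch("airflow.utils.log.secrets_masker.mask_secret")
    def test_mask_conf_values_skips_missing_key(self, mock_mask_secret, mock_sensitive_config_values):
        # ("mysection2", "mykey2") is deliberately not set; conf.get() is expected to
        # raise AirflowConfigException for it, which mask_secrets() should swallow.
        conf.mask_secrets()

        mock_mask_secret.assert_called_once_with("supersecret1")
```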