ashb commented on code in PR #48791:
URL: https://github.com/apache/airflow/pull/48791#discussion_r2028391642
##########
task-sdk/src/airflow/sdk/execution_time/secrets_masker.py:
##########
@@ -346,12 +351,29 @@ def add_mask(self, secret: str | dict | Iterable, name:
str | None = None):
for k, v in secret.items():
self.add_mask(v, k)
elif isinstance(secret, str):
- if not secret or (self._test_mode and secret in
SECRETS_TO_SKIP_MASKING_FOR_TESTS):
+ if not secret:
+ return
+
+ if self._test_mode and secret.lower() in
SECRETS_TO_SKIP_MASKING_FOR_TESTS:
+ return
+
+ if secret.lower() in SECRETS_TO_SKIP_MASKING:
+ return
+
+ if len(secret) < MIN_SECRET_LENGTH:
+ log.warning(
+ "Skipping masking for a secret as it's too short (<%d
chars)",
+ MIN_SECRET_LENGTH,
+ extra={self.ALREADY_FILTERED_FLAG: True},
+ )
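Review bot: In the `len(secret) < MIN_SECRET_LENGTH` branch the warning does not say which field was skipped, even though `name` is a parameter of `add_mask`. Include the field name when it is set (never the value) so an operator can find and rotate the short credential. Separately, the two `secret.lower() in ...` checks replace what was an exact match against `SECRETS_TO_SKIP_MASKING_FOR_TESTS`, so any case variant of a listed term is now left unmasked; if that widening is intended, say so in a comment.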
Review Comment:
This warning here will issue a warning _every time_ someone pulls a
connection out with a short password. I so don't think this is a useful warning.
Perhaps only warning _once_ per process when a short password is detected.
##########
task-sdk/src/airflow/sdk/execution_time/secrets_masker.py:
##########
@@ -66,6 +66,11 @@
"""Names of fields (Connection extra, Variable key name etc.) that are deemed
sensitive"""
SECRETS_TO_SKIP_MASKING_FOR_TESTS = {"airflow"}
+# Common terms that should be excluded from masking in production
+SECRETS_TO_SKIP_MASKING = {"airflow"}
+
+# Minimum length for a secret to be considered for masking
+MIN_SECRET_LENGTH = 5
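Review bot: The comment on `MIN_SECRET_LENGTH = 5` should state the consequence of the threshold: with the `len(secret) < MIN_SECRET_LENGTH` check in `add_mask`, any secret under 5 characters takes the "Skipping masking" path and can appear verbatim in logs. Please also document why 5 was chosen.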
Review Comment:
These absolutely need to come from the config -- they cannot be hard coded
##########
task-sdk/src/airflow/sdk/execution_time/secrets_masker.py:
##########
@@ -66,6 +66,11 @@
"""Names of fields (Connection extra, Variable key name etc.) that are deemed
sensitive"""
SECRETS_TO_SKIP_MASKING_FOR_TESTS = {"airflow"}
+# Common terms that should be excluded from masking in production
+SECRETS_TO_SKIP_MASKING = {"airflow"}
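Review bot: `SECRETS_TO_SKIP_MASKING` is compared against `secret.lower()` in `add_mask`, so every entry has to be lowercase or it will never match; the comment above the set should say so. Consider a `frozenset` so the skip list cannot be mutated at runtime.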
Review Comment:
If we are never masking Airflow we don't need both these sets