SibtainOcn opened a new pull request, #62964:
URL: https://github.com/apache/airflow/pull/62964
## What
Prevents JWT tokens from leaking into task logs by setting `repr=False` on
the `token` field in `BaseWorkloadSchema`.
Closes: #62428
## Why
When workload objects are logged (e.g. `log.info('Executing workload',
workload=workload)` in `execute_workload.py`), Pydantic's auto-generated
`__repr__` includes all fields — including the raw JWT token. This is a
security concern since tokens grant API access and should never appear in log
output.
The log output currently looks like:
```
ExecuteTask(token='eyJhbGciOi...full_token_here', ti=TaskInstance(...), ...)
```
## How
Uses Pydantic's built-in `Field(repr=False)` on the `token` field in
`BaseWorkloadSchema` (the base class for all workload DTOs). This:
1. **Excludes** the token from `repr()`/`str()` output — so it never appears
in logs
2. **Preserves** full access via `workload.token` — no functional change
3. **Fixes all executors** at the model level — KubernetesExecutor,
CeleryExecutor, ECS, etc.
After the fix, log output shows:
```
ExecuteTask(ti=TaskInstance(...), dag_rel_path=..., type='ExecuteTask')
```
## Comparison with #62782
PR #62782 takes a different approach: it modifies the logging call sites to
log individual fields and adds a structlog regex redactor. Our approach fixes
the **root cause** at the model level (1 line change vs 4 files), ensuring the
token is hidden from repr regardless of where or how the workload object is
logged.
Both approaches are valid and complementary — `Field(repr=False)` prevents
the leak at the source, while a structlog redactor provides defense-in-depth.
## Changes
- `airflow-core/src/airflow/executors/workloads/base.py`: Add `Field`
import; set `repr=False` on `token` field
- `airflow-core/tests/unit/executors/test_workloads.py`: Add regression test
verifying token is excluded from repr
- `airflow-core/newsfragments/62428.bugfix.rst`: Changelog entry
## Testing
- Added unit test `test_token_excluded_from_workload_repr` that creates an
`ExecuteTask` with a fake JWT and asserts `repr()` does not contain it
- Verified locally with Pydantic 2.12.5
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
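The effect of `Field(repr=False)` described in the PR, reduced to a stand-alone example (added here; this is not code from the Airflow PR or the Airflow code base). `LeakyWorkload` and `SafeWorkload` are assumed stand-ins for the workload model before and after the change, and `FAKE_TOKEN` is a constructed, non-functional JWT-looking string. The block also checks the caveat a reviewer would want on record: `repr=False` only hides the field from `repr()`/`str()` and string formatting, while `model_dump()` and `model_dump_json()` still carry the token, so any call site that logs the serialized object rather than the object itself still needs redaction. It assumes Pydantic v2.

```python
# Added example, not code from the Airflow PR: a minimal stand-in for
# BaseWorkloadSchema showing the token leak and the Field(repr=False) fix.
from pydantic import BaseModel, Field

# Constructed, non-functional JWT-looking string used only as sample input.
FAKE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0aS0xIn0.signature-placeholder"


class LeakyWorkload(BaseModel):
    """Before the fix: Pydantic's generated __repr__ includes every field."""
    token: str
    dag_rel_path: str
    type: str = "ExecuteTask"


class SafeWorkload(BaseModel):
    """After the fix: repr=False hides the field from repr()/str() only."""
    token: str = Field(repr=False)
    dag_rel_path: str
    type: str = "ExecuteTask"


def token_in_repr(model: BaseModel, token: str) -> bool:
    """True if the secret appears in any text a logger would emit for the object."""
    return token in repr(model) or token in str(model) or token in f"{model}"


def token_in_dump(model: BaseModel, token: str) -> bool:
    """repr=False does not touch serialization: model_dump()/model_dump_json()
    still carry the token, so logging a dumped dict would still leak it."""
    return model.model_dump()["token"] == token and token in model.model_dump_json()


def demo() -> dict:
    """Regression-style check mirroring the PR's test: the fixed model keeps the
    token accessible but out of repr; serialization is unaffected either way."""
    leaky = LeakyWorkload(token=FAKE_TOKEN, dag_rel_path="dags/example.py")
    safe = SafeWorkload(token=FAKE_TOKEN, dag_rel_path="dags/example.py")
    return {
        "leaky_repr_leaks": token_in_repr(leaky, FAKE_TOKEN),           # True
        "safe_repr_leaks": token_in_repr(safe, FAKE_TOKEN),             # False
        "safe_token_accessible": safe.token == FAKE_TOKEN,              # True
        "safe_dump_still_has_token": token_in_dump(safe, FAKE_TOKEN),   # True
        "safe_repr_keeps_other_fields": "dag_rel_path" in repr(safe),   # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last result is the one to keep in mind when reviewing log call sites: the model-level fix covers `log.info("...", workload=workload)`, but a `workload.model_dump()` passed to a logger bypasses it, which is where a redactor such as the one in #62782 still earns its keep.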