Noël BARDELOT created AIRFLOW-6773:
--------------------------------------

             Summary: Creating users with Airflow CLI leaves the password in 
clear text in the logs
                 Key: AIRFLOW-6773
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-6773
             Project: Apache Airflow
          Issue Type: Bug
          Components: cli, webserver
    Affects Versions: 1.10.9
            Reporter: Noël BARDELOT


Leaving the password in clear text in the logs should be considered a security issue.

Note: the command 'create_user' is sensitive and should probably not be logged 
at all in my opinion if there is no simple way of obfuscating the password.

Steps to reproduce:
 1. Create a user using `airflow create_user` and providing the password using `--password`.
 2. Go to the Browse / Logs view of the UI.
 3. Find the creation log containing the password in clear text.

The log entry looks like this:

{"host_name": "airflow-web-774c65857f-drgsm", "full_command": "['/usr/local/bin/airflow', 'create_user', '--role', 'Viewer', '--username', 'viewer', '--email', 'viewer-lo...@example.com', '--firstname', 'viewer', '--lastname', 'airflow', '--password', 'secret']"}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
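
One way to keep the password out of an entry like the one reported above is to mask it in argv before the command is recorded. This is an added example, not Airflow's code and not part of the original report; the function names, the `-p` short alias and the mask string are assumptions made for illustration.

```python
import json

MASK = "********"
LONG_FLAG = "--password"  # option named in the report
SHORT_FLAG = "-p"         # assumed short alias for the same option


def _is_password_flag(flag):
    """True if flag would be parsed as the password option."""
    if flag == SHORT_FLAG:
        return True
    # argparse accepts unambiguous prefixes of long options by default
    # (--pass, --passw, ...), so every prefix of --password is treated as
    # sensitive. This can over-mask, which is the safe direction for a log.
    return len(flag) > 2 and flag.startswith("--") and LONG_FLAG.startswith(flag)


def redact_argv(argv):
    """Return a copy of argv with the password value masked in all forms."""
    redacted, mask_next = [], False
    for arg in argv:
        if mask_next:                      # value following "--password"
            redacted.append(MASK)
            mask_next = False
            continue
        flag, sep, _ = arg.partition("=")
        if sep and _is_password_flag(flag):            # "--password=secret"
            redacted.append(flag + "=" + MASK)
        elif (arg.startswith(SHORT_FLAG) and not arg.startswith("--")
              and len(arg) > len(SHORT_FLAG)):         # "-psecret"
            redacted.append(SHORT_FLAG + MASK)
        else:
            redacted.append(arg)
            mask_next = _is_password_flag(arg)
    return redacted


def build_log_entry(host_name, argv):
    """Build a log record shaped like the one in the report, from redacted argv."""
    return json.dumps({"host_name": host_name,
                       "full_command": str(redact_argv(argv))})


if __name__ == "__main__":
    # Constructed sample command line, modelled on the reported entry.
    sample = ["/usr/local/bin/airflow", "create_user", "--role", "Viewer",
              "--username", "viewer", "--password", "secret"]
    print(build_log_entry("airflow-web-example", sample))
```

Redaction has to happen before the record is written; entries already stored with the clear-text value still need to be purged and the affected password rotated.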
