Noël BARDELOT created AIRFLOW-6773: --------------------------------------
Summary: Creating users with Airflow CLI leaves the password in clear text in the logs Key: AIRFLOW-6773 URL: https://issues.apache.org/jira/browse/AIRFLOW-6773 Project: Apache Airflow Issue Type: Bug Components: cli, webserver Affects Versions: 1.10.9 Reporter: Noël BARDELOT Leaving password in clear text in logs should be considered a security issue. Note: the command 'create_user' is sensitive and should probably not be logged at all in my opinion if there is no simple way of obfuscating the password. Steps to reproduce: # create a user using `airflow create_user` and providing the password using `--password` # go to the _Browse / Logs_ view of the UI # find the creation log containing the password in clear text The log entry looks like this: {{{"host_name": "airflow-web-774c65857f-drgsm", "full_command": "['/usr/local/bin/airflow', 'create_user', '--role', 'Viewer', '--username', 'viewer', '--email', 'viewer-lo...@example.com', '--firstname', 'viewer', '--lastname', 'airflow', '--password', 'secret']"}}} -- This message was sent by Atlassian Jira (v8.3.4#803005)