[GitHub] [airflow] potiuk commented on issue #16614: Connection password not being masked in default logging

[GitBox <gi...@apache.org>]

potiuk commented on issue #16614:
URL: https://github.com/apache/airflow/issues/16614#issuecomment-1019328079


   Glad that you sorted it out.
   
   > I gotta say I am surprised by this behavior. I did not expect the secrets to show up in the pytest logs by default.
   
   The logs are redacted specifically to account for task logs for users and  UI visibility. This is by design, deliberate and documneted.
   
   Comment in our code:
   
   ```
   # By default this is off, but is automatically configured on when running task
   # instances
   MASK_SECRETS_IN_LOGS = False
   ```
   
   Our documentation is very clear about this behaviour:
   
   https://airflow.apache.org/docs/apache-airflow/stable/security/secrets/mask-sensitive-values.html
   
   > Airflow will by default mask Connection passwords and sensitive Variables and keys from a Connection’s extra (JSON) field when they appear in **Task logs**, in the **Variable** and in the **Rendered fields views** of the UI.
   
   So I do not find it surprising really. 
   
   Also It would be quite unreasonble and possibly even not possible to expect that secret masking is "general feature" enabled whenever you run python interpreter and perform an entrypoint that might or might not initialize secret masking (this is what your expectation is about pretty much). This is a feature of "airflow" application, and not "running arbitrary part of airflow code". 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org