You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by "Raj Sasidharan (JIRA)" <ji...@apache.org> on 2019/07/01 15:52:00 UTC
[jira] [Commented] (AIRFLOW-4576) Rendered Template &
email_on_failure displays password variable in clear text
[ https://issues.apache.org/jira/browse/AIRFLOW-4576?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16876290#comment-16876290 ]
Raj Sasidharan commented on AIRFLOW-4576:
-----------------------------------------
Hi [~doncode]:
# DAG code is below which shows Airflow Variables being passed as credentials to the shell script that needs to run
# The screenshot of UI's rendered template displaying password in clear text is attached.
+*dummy_dag.py*+
{color:#654982}_from airflow import DAG_{color}
{color:#654982}_from datetime import datetime, timedelta_{color}
{color:#654982}_from airflow.contrib.operators.ssh_operator import SSHOperator_{color}
{color:#654982}_default_args = {_{color}
{color:#654982} _'owner': 'airflow',_{color}
{color:#654982} _'depends_on_past': False,_{color}
{color:#654982} _'start_date': datetime(2019, 6, 30),_{color}
{color:#654982} _'email': ['airflow@example.com'],_{color}
{color:#654982} _'email_on_failure': False,_{color}
{color:#654982} _'email_on_retry': False,_{color}
{color:#654982} _'retries': 1,_{color}
{color:#654982} _'retry_delay': timedelta(minutes=5),_{color}
{color:#654982}_}_{color}
{color:#654982}_dag = DAG('dummy_dag', default_args=default_args, schedule_interval=timedelta(minutes=60))_{color}
{color:#654982}_dummy_script_task = SSHOperator(_{color}
{color:#654982} _task_id='dummy_script_task',_{color}
{color:#654982} _ssh_conn_id='talend_tac_server',_{color}
{color:#654982} _command='/home/ec2-user/dummy_script.sh \{{ var.value.script_password }}',_{color}
{color:#654982} _do_xcom_push=True,_{color}
{color:#654982} _dag=dag)_{color}
!dag_rendered_template.JPG!
> Rendered Template & email_on_failure displays password variable in clear text
> -----------------------------------------------------------------------------
>
> Key: AIRFLOW-4576
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4576
> Project: Apache Airflow
> Issue Type: Bug
> Components: ui
> Affects Versions: 1.10.3
> Environment: Linux
> Reporter: Raj Sasidharan
> Priority: Critical
> Attachments: dag_rendered_template.JPG
>
>
> I have a DAG with a SSHOperator, which uses a ssh_conn_id to run the below command. As shown below, I am using Airflow Variables to pass credentials to the script that needs to run.
> *tac_job_run_command = "\{{ var.value.tac_metaservlet_path }}/MetaServletAirflowCaller.sh --tac-url=http://\{{ var.value.tac_server_ip }}:8080/tac/ --json-params='\{\"authPass\":\"{{ var.value.tac_tadmin_password }}\",\"authUser\":\"tadmin@abc.com\",\"taskId\":\{{ ti.xcom_pull(\"get_tac_job_id\")[0] }}}' "*
> The password variable (tac_tadmin_password), in the UI's variables screen shows as ***** and all works good, but once the job has run, the SSHOperator task's Rendered Template section displays the command with the variable values and also displays the password (tac_tadmin_password) in clear text. Is there any way we can avoid this or is this an issue that needs to be fixed?
> If the DAG fails, I have email_on_failure set to True, and the email also ends up displaying the rendered template with password in clear text.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)