Posted to commits@airflow.apache.org by "Noël BARDELOT (Jira)" <ji...@apache.org> on 2020/02/11 13:55:00 UTC
[jira] [Commented] (AIRFLOW-6773) Creating users with Airflow CLI leaves the password in clear text in the logs
[ https://issues.apache.org/jira/browse/AIRFLOW-6773?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17034458#comment-17034458 ]
Noël BARDELOT commented on AIRFLOW-6773:
----------------------------------------
See also AIRFLOW-6774
> Creating users with Airflow CLI leaves the password in clear text in the logs
> -----------------------------------------------------------------------------
>
> Key: AIRFLOW-6773
> URL: https://issues.apache.org/jira/browse/AIRFLOW-6773
> Project: Apache Airflow
> Issue Type: Bug
> Components: cli, webserver
> Affects Versions: 1.10.9
> Reporter: Noël BARDELOT
> Priority: Minor
>
> Leaving password in clear text in logs should be considered a security issue.
> Note: the command 'create_user' is sensitive and should probably not be logged at all in my opinion if there is no simple way of obfuscating the password.
> Steps to reproduce:
> 1. create a user using `airflow create_user` and providing the password using `--password`
> 2. go to the _Browse / Logs_ view of the UI
> 3. find the creation log containing the password in clear text
> The log entry looks like this:
> {{{"host_name": "airflow-web-774c65857f-drgsm", "full_command": "['/usr/local/bin/airflow', 'create_user', '--role', 'Viewer', '--username', 'viewer', '--email', 'viewer-local@example.com', '--firstname', 'viewer', '--lastname', 'airflow', '--password', 'secret']"}}}
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)