You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/08/13 15:30:45 UTC

[GitHub] [airflow] ppatel8-wooliex commented on issue #8421: Hide sensitive data in UI

ppatel8-wooliex commented on issue #8421:
URL: https://github.com/apache/airflow/issues/8421#issuecomment-898544856


   > aah I see, apologies @n4rk0o I should have read your description more carefully. Yes the Rendered UI Field currently exposes everything. We should have a way of hiding this.
   > 
   > I see two options here:
   > 
   > 1. Same as what @marcusianlevine described
   > 2. Have a flag in `airflow.cfg` to hide rendered `templated_fields` globally. Sometime though users would love to check if the field was rendered correctly and hence it acts as a good debugging tool.
   
   -----------------------------------------------------------------------------------------------------------------
   when you use vault to get the secret then before passing as params you can mask it. It will display as **** in log as well as rendered template.
   
   you can use the below code to mask the secret from the Vault.
   
   from airflow.utils.log.secrets_masker import mask_secret
   
   openssl_service_account_key_read_response = client.secrets.kv.read_secret_version(path=openssl_service_account_secret_path,mount_point=vault_mount_point)
   service_account_secret = openssl_service_account_key_read_response['data']['data'][openssl_service_account_key]
   mask_secret(service_account_secret)
   
         sample_commands=dedent('''
           set +x;
           pwd;
           cd /home/airflow/gcs/data/bin/
           chmod 775 -R .;
           ./bin/test.sh '{{ params.service_account_secret }}';
           ''')
           task_1 = BashOperator(
               task_id='',
               bash_command=sample_commands,
               params={
               'service_account_secret' : service_account_secret
               }
               )
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org