You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/04/17 09:57:12 UTC

[GitHub] [airflow] n4rk0o opened a new issue #8421: Hide sensitive data in UI

n4rk0o opened a new issue #8421: Hide sensitive data in UI
URL: https://github.com/apache/airflow/issues/8421
 
 
   **Description**
   
   I'm using Airflow for 2 years now and I have a plugin that get password for a specific account in a Vault and then push it through a XCOM to reuse it on another tasks.
   
   The fact is that if the value is sensitive like a password, I can't hide it in the UI except for XCOM if I add an underscore in the prefix name of the key value.
   
   Eg: **kwargs['ti'].xcom_push('key':'_password', 'value':'my_value')**
   
   But for rendered template UI page, I didn't find anything similar, so if I try to pull a XCOM, it will show the value in the UI and I want to avoid it.
   
   Maybe is it possible to add a condition in **https://github.com/apache/airflow/blob/master/airflow/www/views.py** after line **635**
   
   ```python
   elif template_field.startswith('_'):
       html_dict[template_field] = ("<pre><code>sensitive data will not be exposed here</pre></code>")
   ```
   
   **Use case / motivation**
   
   I know that I can use connections but in my case, and due to security politic in my company, we have to store it in a dedicated Vault.
   
   **Related Issues**
   
   N/A
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

[GitHub] [airflow] boring-cyborg[bot] commented on issue #8421: Hide sensitive data in UI

Posted by GitBox <gi...@apache.org>.

boring-cyborg[bot] commented on issue #8421: Hide sensitive data in UI
URL: https://github.com/apache/airflow/issues/8421#issuecomment-615157465
 
 
   Thanks for opening your first issue here! Be sure to follow the issue template!
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

[GitHub] [airflow] n4rk0o commented on issue #8421: Hide sensitive data in UI

Posted by GitBox <gi...@apache.org>.

n4rk0o commented on issue #8421: Hide sensitive data in UI
URL: https://github.com/apache/airflow/issues/8421#issuecomment-615190998
 
 
   > Airflow 1.10.10 allows getting connections from a Vault: https://airflow.apache.org/blog/airflow-1.10.10/#allow-retrieving-airflow-connections-variables-from-various-secrets-backend
   > 
   > Does that help your use-case?
   
   So basically, with Airflow 1.10.10, if I configure the airflow.cfg to use Hashicorp Vault, I can use connections and variables as usual but instead of getting data from Airflow database, it will got it from Vault?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

[GitHub] [airflow] kaxil commented on issue #8421: Hide sensitive data in UI

Posted by GitBox <gi...@apache.org>.

kaxil commented on issue #8421: Hide sensitive data in UI
URL: https://github.com/apache/airflow/issues/8421#issuecomment-615174481
 
 
   Airflow 1.10.10 allows getting connections from a Vault: https://airflow.apache.org/blog/airflow-1.10.10/#allow-retrieving-airflow-connections-variables-from-various-secrets-backend
   
   Does that help your use-case?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

[GitHub] [airflow] kaxil commented on issue #8421: Hide sensitive data in UI

Posted by GitBox <gi...@apache.org>.

kaxil commented on issue #8421: Hide sensitive data in UI
URL: https://github.com/apache/airflow/issues/8421#issuecomment-615191959
 
 
   > > Airflow 1.10.10 allows getting connections from a Vault: https://airflow.apache.org/blog/airflow-1.10.10/#allow-retrieving-airflow-connections-variables-from-various-secrets-backend
   > > Does that help your use-case?
   > 
   > So basically, with Airflow 1.10.10, if I configure the airflow.cfg to use Hashicorp Vault, I can use connections and variables as usual but instead of getting data from Airflow database, it will got it from Vault?
   
   Exactly. Here is one of the guide: https://www.astronomer.io/guides/airflow-and-hashicorp-vault/ to test it out locally

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

[GitHub] [airflow] kaxil edited a comment on issue #8421: Hide sensitive data in UI

Posted by GitBox <gi...@apache.org>.

kaxil edited a comment on issue #8421: Hide sensitive data in UI
URL: https://github.com/apache/airflow/issues/8421#issuecomment-615191959
 
 
   > > Airflow 1.10.10 allows getting connections from a Vault: https://airflow.apache.org/blog/airflow-1.10.10/#allow-retrieving-airflow-connections-variables-from-various-secrets-backend
   > > Does that help your use-case?
   > 
   > So basically, with Airflow 1.10.10, if I configure the airflow.cfg to use Hashicorp Vault, I can use connections and variables as usual but instead of getting data from Airflow database, it will got it from Vault?
   
   Exactly. Here is one of the guide: https://www.astronomer.io/guides/airflow-and-hashicorp-vault/ to test it out locally and following docs:
   
   - https://airflow.apache.org/docs/1.10.10/concepts.html#storing-variables-in-environment-variables
   - https://airflow.apache.org/docs/1.10.10/howto/use-alternative-secrets-backend.html#configuration

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services