You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by je...@apache.org on 2021/07/02 19:22:24 UTC

[airflow] branch main updated: Mask value if the key is ``token`` (#16474)

This is an automated email from the ASF dual-hosted git repository.

jedcunningham pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new d1d04fe  Mask value if the key is ``token`` (#16474)
d1d04fe is described below

commit d1d04fee8ded551c9fd0a13980feab27fbfc0cbe
Author: Robert Saxby <ro...@users.noreply.github.com>
AuthorDate: Fri Jul 2 21:21:56 2021 +0200

    Mask value if the key is ``token`` (#16474)
    
    Some connections (including the databricks connection) use the key 'token' in the 'extra' field (this has always been the case). Including it here so that these sensitive tokens are also masked by default.
    
    The prior implementation just masked all of the 'extra' json: "XXXXXXXX" if conn.extra_dejson else None https://github.com/apache/airflow/blob/88199eefccb4c805f8d6527bab5bf600b397c35e/airflow/hooks/base.py#L78
---
 airflow/utils/log/secrets_masker.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/airflow/utils/log/secrets_masker.py b/airflow/utils/log/secrets_masker.py
index 25aa754..537ee07 100644
--- a/airflow/utils/log/secrets_masker.py
+++ b/airflow/utils/log/secrets_masker.py
@@ -42,6 +42,7 @@ DEFAULT_SENSITIVE_FIELDS = frozenset(
         'password',
         'private_key',
         'secret',
+        'token',
     }
 )
 """Names of fields (Connection extra, Variable key name etc.) that are deemed sensitive"""