Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/04/06 10:14:32 UTC

[GitHub] [airflow] ashb commented on a diff in pull request #22754: Fix secrets rendered in UI when task is not executed.

ashb commented on code in PR #22754:
URL: https://github.com/apache/airflow/pull/22754#discussion_r843760613


##########
airflow/models/taskinstance.py:
##########
@@ -2069,15 +2069,27 @@ def get_rendered_template_fields(self, session: Session = NEW_SESSION) -> None:
                 setattr(self.task, field_name, rendered_value)
             self.task = task
             return
+
         try:
-            self.render_templates()
+            # Task was never executed. Initialize RenderedTaskInstanceFields
+            # to render template and mask secrets. Set MASK_SECRETS_IN_LOGS
+            # to True to enable masking similar to task run.
+            original_value = settings.MASK_SECRETS_IN_LOGS
+            settings.MASK_SECRETS_IN_LOGS = True
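
Review bot: The assignment `settings.MASK_SECRETS_IN_LOGS = True` inside the `try` changes a module-level setting, and the lines shown save `original_value` without showing where it is put back. Please make sure the restore sits in a `finally` so that an exception raised while rendering cannot leave the flag changed for the rest of the process. Because the flag is shared state, any other code running in the same process during that window also sees the temporary value; a small context manager that sets and restores it, or a masker that does not depend on the flag at registration time, would keep the change scoped.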

Review Comment:
   ```python
   def mask_secret(secret: Union[str, dict, Iterable], name: Optional[str] = None) -> None:
       """
       Mask a secret from appearing in the task logs.
   
       If ``name`` is provided, then it will only be masked if the name matches
       one of the configured "sensitive" names.
   
       If ``secret`` is a dict or a iterable (excluding str) then it will be
       recursively walked and keys with sensitive names will be hidden.
       """
       # Delay import
       from airflow import settings
   
       # Filtering all log messages is not a free process, so we only do it when
       # running tasks
       if not settings.MASK_SECRETS_IN_LOGS or not secret:
           return
   
       _secrets_masker().add_mask(secret, name)
   ```
   
   If that is False nothing is added to the masker.
   
   I agree, we should change that behaviour so that instead we always add things to the mask list, and only have the filter do anything if that setting is True.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
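
A simplified model of the behaviour discussed in the review comment above, added here as an example; it is not code from Airflow or from the PR. The two masker classes, the `settings` stand-in and the sample secret are constructed for illustration. It compares gating at registration time (the quoted `mask_secret`) with the proposed gating at filter time.

```python
import re
from types import SimpleNamespace

# Stand-in for airflow.settings (assumption: only the flag matters here).
settings = SimpleNamespace(MASK_SECRETS_IN_LOGS=False)


class GatedRegistrationMasker:
    """Models the quoted mask_secret(): secrets seen while the flag is off are dropped."""

    def __init__(self):
        self.secrets = set()

    def mask_secret(self, secret):
        if not settings.MASK_SECRETS_IN_LOGS or not secret:
            return
        self.secrets.add(secret)

    def redact(self, text):
        if not self.secrets:
            return text
        # Longest first so a secret that contains another is replaced whole.
        ordered = sorted(self.secrets, key=len, reverse=True)
        return re.sub("|".join(re.escape(s) for s in ordered), "***", text)


class GatedFilterMasker(GatedRegistrationMasker):
    """Models the proposal: always record the secret, redact only when the flag is on."""

    def mask_secret(self, secret):
        if secret:
            self.secrets.add(secret)

    def redact(self, text):
        if not settings.MASK_SECRETS_IN_LOGS:
            return text
        return super().redact(text)


def render_after_late_enable(masker_cls):
    """Register a secret with the flag off, then enable the flag and redact."""
    settings.MASK_SECRETS_IN_LOGS = False
    masker = masker_cls()
    masker.mask_secret("s3cr3t-token")  # constructed sample value
    settings.MASK_SECRETS_IN_LOGS = True
    try:
        return masker.redact("conn password=s3cr3t-token")
    finally:
        settings.MASK_SECRETS_IN_LOGS = False  # restore even if redact() raises
```
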