You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/04/06 10:14:32 UTC
[GitHub] [airflow] ashb commented on a diff in pull request #22754: Fix secrets rendered in UI when task is not executed.
ashb commented on code in PR #22754:
URL: https://github.com/apache/airflow/pull/22754#discussion_r843760613
##########
airflow/models/taskinstance.py:
##########
@@ -2069,15 +2069,27 @@ def get_rendered_template_fields(self, session: Session = NEW_SESSION) -> None:
setattr(self.task, field_name, rendered_value)
self.task = task
return
+
try:
- self.render_templates()
+ # Task was never executed. Initialize RenderedTaskInstanceFields
+ # to render template and mask secrets. Set MASK_SECRETS_IN_LOGS
+ # to True to enable masking similar to task run.
+ original_value = settings.MASK_SECRETS_IN_LOGS
+ settings.MASK_SECRETS_IN_LOGS = True
Review Comment:
```python
def mask_secret(secret: Union[str, dict, Iterable], name: Optional[str] = None) -> None:
"""
Mask a secret from appearing in the task logs.
If ``name`` is provided, then it will only be masked if the name matches
one of the configured "sensitive" names.
If ``secret`` is a dict or a iterable (excluding str) then it will be
recursively walked and keys with sensitive names will be hidden.
"""
# Delay import
from airflow import settings
# Filtering all log messages is not a free process, so we only do it when
# running tasks
if not settings.MASK_SECRETS_IN_LOGS or not secret:
return
_secrets_masker().add_mask(secret, name)
```
If that is False nothing is added to the masker.
I agree, we should change that behaviour so that instead we always add things to the mask list, and only have the filter do anything if that setting is True.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org