Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/02/01 09:18:42 UTC

[GitHub] [airflow] potiuk commented on issue #17476: Sensitive variables don't get masked when rendered with airflow tasks test

potiuk commented on issue #17476:
URL: https://github.com/apache/airflow/issues/17476#issuecomment-1026627415


   > Actually, I think this might be more critical than it looks at first glance @potiuk. By running the `airflow tasks test ...` command through a BashOperator in a separate DAG, which tests the task from the DAG that Marc linked in the original issue, it's actually possible to display unmasked secrets through the Airflow Web UI.
   
   Why would you want to run "airflow tasks test" in a DAG? Is this a valid case that is likely? Maybe I am not understanding something, but I am not sure I see the case when it could be used in "production" in a valid scenario?
   
   Just to give a bit of context - there are many ways you could print the unmasked values for connections, variables, even secrets. For example you could easily launch a subprocess calling "python -c print(Connection.get('conn_id'))" or just running "airflow connections list" as a command to print unmasked passwords.
   
   The way masking is done currently will not prevent this if the Connection is not used in the task before. So "Masking" is not "total prevention" of showing the secret values, it just prevents accidental printing of those in the "regular use cases". There are many ways a DAG writer could print those and bypass the secrets masker deliberately. So my question is - how likely and "normal" is it to run "airflow test" inside the "execute" method of a task. I think very unlikely.
   
   And BTW in the future when we implement DB-less mode and maybe even (as a follow up) we will further harden Airflow to not be able to reach out to read the Airflow DB at all, this might be more "hardened", but as of currently we have no mechanism to prevent DAG writers from printing any secret they want to the task log. That's simply impossible.
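The distinction drawn above (masking catches values that passed through the regular code path, and nothing else) is easy to see with a small model of a secrets-masker log filter. The following is an example added here, not Airflow's own implementation and not code from this thread: a `logging.Filter` that redacts only values registered with it via `add_mask`, attached to a task logger. The connection store, the passwords, and the names `SecretsMaskingFilter`, `get_connection_password`, `run_task_and_capture` and `masking_demo` are all constructed for the example. A password fetched through the registering path comes out as `***`; a value that never went through that path reaches the log verbatim, which is why the filter is protection against accidental disclosure, and access to task logs and DAG-authoring rights remain the real control.

```python
import logging
import re

# Constructed sample connection store; the passwords are made-up values, not real credentials.
CONNECTIONS = {
    "warehouse_db": "Wh-Pa55w0rd-A",
    "billing_db": "Bill-Pa55w0rd-B",
}


class SecretsMaskingFilter(logging.Filter):
    """Redacts every *registered* secret from log records.

    Simplified model of a secrets-masker log filter (an assumption of this example,
    not Airflow's implementation): it can only redact values it has been told about.
    """

    def __init__(self, replacement="***"):
        super().__init__()
        self.replacement = replacement
        self._patterns = []

    def add_mask(self, secret):
        # Skip empty or very short values: masking them would shred unrelated text.
        if isinstance(secret, str) and len(secret) >= 4:
            self._patterns.append(re.compile(re.escape(secret)))

    def redact(self, text):
        for pattern in self._patterns:
            text = pattern.sub(self.replacement, text)
        return text

    def filter(self, record):
        # Render the message once, redact it, and clear args so it is not re-rendered.
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True


def get_connection_password(conn_id, masker):
    """The 'regular' code path: fetching a connection registers its password with the masker."""
    password = CONNECTIONS[conn_id]
    masker.add_mask(password)
    return password


def run_task_and_capture(task, masker):
    """Run `task(logger)` with the masking filter attached and return the formatted log lines."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(masker)  # mask at the handler, so every record written by the task passes through it
    logger = logging.getLogger("example.task")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers = [handler]
    try:
        task(logger)
    finally:
        logger.removeHandler(handler)
    return captured


def masking_demo():
    """Two log lines from one task: one secret went through the registering path, one did not."""
    masker = SecretsMaskingFilter()

    def task(log):
        # Regular path: the connection is fetched through the API, so its password is registered.
        password = get_connection_password("warehouse_db", masker)
        log.info("connecting with password %s", password)
        # A value that never went through the registering path (here read straight from the
        # store) is unknown to the filter, so it is written to the log unchanged.
        log.info("raw value: %s", CONNECTIONS["billing_db"])

    return run_task_and_capture(task, masker)


if __name__ == "__main__":
    for line in masking_demo():
        print(line)
```

The first captured line reads `INFO connecting with password ***`, the second `INFO raw value: Bill-Pa55w0rd-B`. The filter is attached to the handler rather than the logger so that records emitted by any logger routed to the task log are redacted, not just those from one named logger; registration still has to happen before the line is emitted, so anything logged before the fetch is not masked either.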

