You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by as...@apache.org on 2021/05/17 22:22:26 UTC

[airflow] 02/02: Ensure that secrets are masked no matter what logging config is in use (#15899)

This is an automated email from the ASF dual-hosted git repository.

ash pushed a commit to branch v2-1-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit c7f469eb4bba74e7852e6efeaf53554f917b3f1e
Author: Ash Berlin-Taylor <as...@firemirror.com>
AuthorDate: Mon May 17 23:21:17 2021 +0100

    Ensure that secrets are masked no matter what logging config is in use (#15899)
    
    And rather than only applying the filters for the current known remote
    backends, I have applied the filter to the task handler "globally" so
    that all task logs are filtered, even for custom remote back ends.
    
    (cherry picked from commit 7ea1b846574f9fcb3b939d2f8f31a515a4def646)
---
 airflow/logging_config.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/airflow/logging_config.py b/airflow/logging_config.py
index e827273..bfb1a11 100644
--- a/airflow/logging_config.py
+++ b/airflow/logging_config.py
@@ -53,9 +53,20 @@ def configure_logging():
         log.debug('Unable to load custom logging, using default config instead')
 
     try:
+        # Ensure that the password masking filter is applied to the 'task' handler
+        # no matter what the user did.
+        if 'filters' in logging_config and 'mask_secrets' in logging_config['filters']:
+            # But if they replace the logging config _entirely_, don't try to set this, it won't work
+            task_handler_config = logging_config['handlers']['task']
+
+            task_handler_config.setdefault('filters', [])
+
+            if 'mask_secrets' not in task_handler_config['filters']:
+                task_handler_config['filters'].append('mask_secrets')
+
         # Try to init logging
         dictConfig(logging_config)
-    except ValueError as e:
+    except (ValueError, KeyError) as e:
         log.error('Unable to load the config, contains a configuration error.')
         # When there is an error in the config, escalate the exception
         # otherwise Airflow would silently fall back on the default config