You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/10/19 05:36:00 UTC

[GitHub] [airflow] ashishraman opened a new issue #11649: SQLAlchemy string is passed to worker pod in plain text as env var

ashishraman opened a new issue #11649:
URL: https://github.com/apache/airflow/issues/11649


   
   **Apache Airflow version**: 1.10.12
   
   
   **Kubernetes version (if you are using kubernetes)** (use `kubectl version`): 1.17
   
   **Environment**:
   
   - **Cloud provider or hardware configuration**: AWS EKS
   
   **What happened**:
   When spawning a worker pod, the scheduler injects the sql alchemy string as plain text in environment variables
   
   <code>
   Environment:
         AIRFLOW__CORE__DAGS_FOLDER:       /usr/local/airflow/dags/
         AIRFLOW__CORE__EXECUTOR:          LocalExecutor
         AIRFLOW__CORE__SQL_ALCHEMY_CONN:  postgresql+psycopg2://<<Redacted>>:5432/airflow_db
   </code>
   
   Anyone with a read permission can describe the pod and get the credentials. 
   
   **What you expected to happen**:
   The variable is passed as secret. It can either be manually set by the user or by the scheduler.
   
   
   **How to reproduce it**:
   Use KubernetesExecutor with PythonOperator. The new pod spawned by scheduler has the env variables AIRFLOW__CORE__SQL_ALCHEMY_CONN in plain text. I tried AIRFLOW__CORE__SQL_ALCHEMY_CONN_CMD as well but when the scheduler spawns the worker pod it sends down AIRFLOW__CORE__SQL_ALCHEMY_CONN in plain text
   
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] ashishraman commented on issue #11649: SQLAlchemy string is passed to worker pod in plain text as env var

Posted by GitBox <gi...@apache.org>.

ashishraman commented on issue #11649:
URL: https://github.com/apache/airflow/issues/11649#issuecomment-754431902


   Any update on this?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] github-actions[bot] commented on issue #11649: SQLAlchemy string is passed to worker pod in plain text as env var

Posted by GitBox <gi...@apache.org>.

github-actions[bot] commented on issue #11649:
URL: https://github.com/apache/airflow/issues/11649#issuecomment-1003218163


   This issue has been closed because it has not received response from the issue author.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] boring-cyborg[bot] commented on issue #11649: SQLAlchemy string is passed to worker pod in plain text as env var

Posted by GitBox <gi...@apache.org>.

boring-cyborg[bot] commented on issue #11649:
URL: https://github.com/apache/airflow/issues/11649#issuecomment-711604449


   Thanks for opening your first issue here! Be sure to follow the issue template!
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] github-actions[bot] closed issue #11649: SQLAlchemy string is passed to worker pod in plain text as env var

Posted by GitBox <gi...@apache.org>.

github-actions[bot] closed issue #11649:
URL: https://github.com/apache/airflow/issues/11649


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] github-actions[bot] commented on issue #11649: SQLAlchemy string is passed to worker pod in plain text as env var

Posted by GitBox <gi...@apache.org>.

github-actions[bot] commented on issue #11649:
URL: https://github.com/apache/airflow/issues/11649#issuecomment-999951299


   This issue has been automatically marked as stale because it has been open for 30 days with no response from the author. It will be closed in next 7 days if no further activity occurs from the issue author.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] mik-laj commented on issue #11649: SQLAlchemy string is passed to worker pod in plain text as env var

Posted by GitBox <gi...@apache.org>.

mik-laj commented on issue #11649:
URL: https://github.com/apache/airflow/issues/11649#issuecomment-756048934


   @ashishraman Can you check if this problem also occurs when you use option [`pod_template_file`](http://apache-airflow-docs.s3-website.eu-central-1.amazonaws.com/docs/apache-airflow/latest/configurations-ref.html#config-kubernetes-pod-template-file) to configure KubernetesExecutor?  I guess this maybe should give you enough flexibility to configure a worker to use a secret.
   
   When you use the pod_template_file option, the worker gets a configuration similar to the rest of the components.
   https://github.com/apache/airflow/blob/308f1d06668ad427fd2483077d8e60f55ee617e6/chart/files/pod-template-file.kubernetes-helm-yaml#L35
   https://github.com/apache/airflow/blob/3188b130b5f61332e24c340ac6c0569efa4e8056/chart/templates/_helpers.yaml#L26
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org