Posted to commits@airflow.apache.org by "Aizhamal Nurmamat kyzy (JIRA)" <ji...@apache.org> on 2019/05/18 02:46:01 UTC

[jira] [Updated] (AIRFLOW-3228) Airflow leaks Kubernetes credentials on exceptions

     [ https://issues.apache.org/jira/browse/AIRFLOW-3228?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aizhamal Nurmamat kyzy updated AIRFLOW-3228:
--------------------------------------------
         Labels: kubernetes  (was: )
    Component/s:     (was: kubernetes)
                 operators

Moving to operators component, and labeling with kubernetes as part of the component refactor.

> Airflow leaks Kubernetes credentials on exceptions
> --------------------------------------------------
>
>                 Key: AIRFLOW-3228
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-3228
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: operators
>    Affects Versions: 1.10.0
>            Reporter: James Meickle
>            Priority: Major
>              Labels: kubernetes
>
> I have a Kubernetes integration with Airflow using service account tokens, which are equivalent to passwords in risk/scope. We had an issue where one of our tokens had an appended newline, rendering it invalid. This led to the header leaking into the logs:
> {{[2018-10-17 20:30:44,355] {{models.py:1736}} ERROR - Invalid header value b'Bearer MY_KUBERNETES_TOKEN_HERE'
> Traceback (most recent call last):
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/airflow/models.py", line 1633, in _run_raw_task
>     result = task_copy.execute(context=context)
>   File "/home/airflow/src/plugins/moneytree/moneytree/operators/qbernetes_operators.py", line 331, in execute
>     get_logs=self.get_logs)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/airflow/contrib/kubernetes/pod_launcher.py", line 71, in run_pod
>     resp = self.run_pod_async(pod)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/airflow/contrib/kubernetes/pod_launcher.py", line 55, in run_pod_async
>     resp = self._client.create_namespaced_pod(body=req, namespace=pod.namespace)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/kubernetes/client/apis/core_v1_api.py", line 6057, in create_namespaced_pod
>     (data) = self.create_namespaced_pod_with_http_info(namespace, body, **kwargs)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/kubernetes/client/apis/core_v1_api.py", line 6142, in create_namespaced_pod_with_http_info
>     collection_formats=collection_formats)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/kubernetes/client/api_client.py", line 321, in call_api
>     _return_http_data_only, collection_formats, _preload_content, _request_timeout)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/kubernetes/client/api_client.py", line 155, in __call_api
>     _request_timeout=_request_timeout)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/kubernetes/client/api_client.py", line 364, in request
>     body=body)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/kubernetes/client/rest.py", line 266, in POST
>     body=body)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/kubernetes/client/rest.py", line 166, in request
>     headers=headers)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/urllib3/request.py", line 72, in request
>     **urlopen_kw)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/urllib3/request.py", line 150, in request_encode_body
>     return self.urlopen(method, url, **extra_kw)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/urllib3/poolmanager.py", line 322, in urlopen
>     response = conn.urlopen(method, u.request_uri, **kw)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/urllib3/connectionpool.py", line 600, in urlopen
>     chunked=chunked)
>   File "/home/airflow/virtualenvs/airflow/lib/python3.5/site-packages/urllib3/connectionpool.py", line 354, in _make_request
>     conn.request(method, url, **httplib_request_kw)
>   File "/usr/lib/python3.5/http/client.py", line 1106, in request
>     self._send_request(method, url, body, headers)
>   File "/usr/lib/python3.5/http/client.py", line 1146, in _send_request
>     self.putheader(hdr, value)
>   File "/usr/lib/python3.5/http/client.py", line 1083, in putheader
>     raise ValueError('Invalid header value %r' % (values[i],))
> ValueError: Invalid header value b'Bearer MY_KUBERNETES_TOKEN_HERE'}}
> We should catch these errors and re-raise them without the secret value, since this isn't suitable for a production application.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
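
The catch-and-re-raise approach the report asks for, as an added example (not code from the issue or from Airflow). The host name, request path, sample token and the RedactedRequestError / queue_request names are assumptions made for illustration; the request is only buffered by http.client and nothing is sent.

```python
import http.client
import re

# Everything after an auth scheme up to a closing quote is treated as secret
# (over-redacts on purpose, so an embedded "\n" cannot split the token).
_AUTH_VALUE = re.compile(r"(?i)\b(Bearer|Basic)\s+[^'\"]+")


class RedactedRequestError(Exception):
    """Replaces an exception whose message contained a credential."""


def redact(text):
    return _AUTH_VALUE.sub(r"\1 ***REDACTED***", text)


def queue_request(conn, method, path, token, safe=True):
    """Buffer a request line and Authorization header; nothing is sent."""
    try:
        conn.putrequest(method, path)
        conn.putheader("Authorization", "Bearer " + token)
    except ValueError as exc:
        if not safe:
            raise  # behaviour from the report: message carries the header
        # "from None" keeps the original exception out of printed tracebacks.
        raise RedactedRequestError(redact(str(exc))) from None


def demo():
    token = "CONSTRUCTED.sample-token_123\n"  # constructed, trailing newline
    messages = {}
    for safe in (False, True):
        conn = http.client.HTTPConnection("kubernetes.invalid")  # never connects
        try:
            queue_request(conn, "POST", "/api/v1/namespaces/default/pods", token, safe)
        except (ValueError, RedactedRequestError) as exc:
            messages[safe] = str(exc)
    return messages


if __name__ == "__main__":
    for safe, msg in demo().items():
        print("redacted" if safe else "leaky   ", "->", msg)
```

The original exception object is still reachable through `__context__`, so code that walks exception chains by hand needs the same redaction applied.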