You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by "t oo (Jira)" <ji...@apache.org> on 2019/09/10 19:28:00 UTC

[jira] [Updated] (AIRFLOW-5454) security - hide all password/secret/credentials/tokens from log

     [ https://issues.apache.org/jira/browse/AIRFLOW-5454?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

t oo updated AIRFLOW-5454:
--------------------------
    Description: 
I am proposing a new config flag. It will enforce a generic override in all airflow logging to suppress printing any lines containing case-insensitive match on any of: password|secret|credential|token

 

If you do a
{code:java}
grep -iE 'password|secret|credential|token' -R <airflow_logs_folder>{code}
you may be surprised with what you find :O

 

ideally could replace only the sensitive value but there are various formats like:  
{code:java}
key=value, key'=value, key value, key"=value, key = value, key"="value, key:value{code}
..etc

  was:
I am proposing a new config flag. It will enforce a generic override in all airflow logging to suppresses printing any lines containing case-insensitive match on any of: password|secret|credential|token

 

If you do a
{code:java}
grep -iE 'password|secret|credential|token' -R <airflow_logs_folder>{code}
you may be surprised with what you find :O

 

ideally could replace only the sensitive value but there are various formats like:  
{code:java}
key=value, key'=value, key value, key"=value, key = value, key"="value, key:value{code}
..etc


> security - hide all password/secret/credentials/tokens from log
> ---------------------------------------------------------------
>
>                 Key: AIRFLOW-5454
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-5454
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: logging, security
>    Affects Versions: 1.10.5
>            Reporter: t oo
>            Priority: Major
>
> I am proposing a new config flag. It will enforce a generic override in all airflow logging to suppress printing any lines containing case-insensitive match on any of: password|secret|credential|token
>  
> If you do a
> {code:java}
> grep -iE 'password|secret|credential|token' -R <airflow_logs_folder>{code}
> you may be surprised with what you find :O
>  
> ideally could replace only the sensitive value but there are various formats like:  
> {code:java}
> key=value, key'=value, key value, key"=value, key = value, key"="value, key:value{code}
> ..etc



--
This message was sent by Atlassian Jira
(v8.3.2#803003)