Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/06/19 06:30:26 UTC

[GitHub] [airflow] Marloxo opened a new pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Marloxo opened a new pull request #9397:
URL: https://github.com/apache/airflow/pull/9397


   ---
   Make sure to mark the boxes below before creating PR: [x]
   
   - [x] Description above provides context of the change
   - [x] Unit tests coverage for changes (not needed for documentation changes)
   - [x] Target Github ISSUE in description if exists
   - [x] Commits follow "[How to write a good git commit message](http://chris.beams.io/posts/git-commit/)"
   - [x] Relevant documentation is updated including usage instructions.
   - [x] I will engage committers as explained in [Contribution Workflow Example](https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst#contribution-workflow-example).
   
   This PR addressed the following issue: https://github.com/apache/airflow/issues/9372
   
   Basically it's adding support for additional labels from the configuration so users can extend the matching of sensitive keywords in variable names.
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [airflow] mik-laj commented on a change in pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
mik-laj commented on a change in pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#discussion_r443017078



##########
File path: airflow/www/utils.py
##########
@@ -39,23 +39,28 @@
 from airflow.www.forms import DateTimeWithTimezoneField
 from airflow.www.widgets import AirflowDateTimePickerWidget
 
-DEFAULT_SENSITIVE_VARIABLE_FIELDS = (
+DEFAULT_SENSITIVE_VARIABLE_FIELDS = {
     'password',
     'secret',
     'passwd',
     'authorization',
     'api_key',
     'apikey',
     'access_token',
-)
+}
 
 
 def should_hide_value_for_key(key_name):
     # It is possible via importing variables from file that a key is empty.
     if key_name:
-        config_set = conf.getboolean('admin',
-                                     'hide_sensitive_variable_fields')
-        field_comp = any(s in key_name.lower() for s in DEFAULT_SENSITIVE_VARIABLE_FIELDS)
+        config_set = conf.getboolean('admin', 'hide_sensitive_variable_fields')
+
+        sensitive_variable_fields = conf.get('admin', 'sensitive_variable_fields')
+
+        if sensitive_variable_fields:
+            DEFAULT_SENSITIVE_VARIABLE_FIELDS.update(sensitive_variable_fields.split(','))
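
Review bot: `sensitive_variable_fields.split(',')` on the last added line keeps each piece exactly as typed, so a value such as `foo, Bar` adds `' Bar'`, which can never match if the comparison is still made against `key_name.lower()` as on the removed `field_comp` line. A trailing or doubled comma adds the empty string, which is a substring of every key and would mark every variable as sensitive. Strip and lowercase each entry and drop the empty ones before adding them to the set.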

Review comment:
       This will cause this variable to be updated each time this method is called. I think it's enough for this to happen only once.







[GitHub] [airflow] mik-laj commented on a change in pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
mik-laj commented on a change in pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#discussion_r443121459



##########
File path: docs/security.rst
##########
@@ -421,3 +421,15 @@ the new key to the ``fernet_key`` setting, run
 #. Set ``fernet_key`` to ``new_fernet_key,old_fernet_key``
 #. Run ``airflow rotate_fernet_key`` to re-encrypt existing credentials with the new fernet key
 #. Set ``fernet_key`` to ``new_fernet_key``
+
+Sensitive Variable fields
+-------------------------
+
+By default, Airflow Value of a variable will be hidden if the key contains any words in
+(‘password’, ‘secret’, ‘passwd’, ‘authorization’, ‘api_key’, ‘apikey’, ‘access_token’), but can be configured
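
Review bot: The first added sentence, "By default, Airflow Value of a variable will be hidden", does not parse; something like "By default, Airflow hides the value of a variable if its key contains any of the following strings" reads correctly. The keyword list on the next line uses typographic quotes (‘password’), which will not render as literals in reStructuredText; use double backticks as the context lines do for ``fernet_key``. Say "strings" rather than "words", since the `s in key_name.lower()` check shown in the airflow/www/utils.py hunk is a substring test.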

Review comment:
       Can you add description for hide_sensitive_variable_fields option here also?







[GitHub] [airflow] boring-cyborg[bot] commented on pull request #9397: Add options to extend list of sensitive keywords

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-646990607


   Awesome work, congrats on your first merged pull request!
   





[GitHub] [airflow] Marloxo commented on pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
Marloxo commented on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-646474932


   sure, I will take a look and update here





[GitHub] [airflow] mik-laj commented on pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
mik-laj commented on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-646536323


   You should use tests.test_utils.config.conf_vars decorator and check different cases. I would be happy if you would use parameterized to easily check many cases.





[GitHub] [airflow] Marloxo commented on a change in pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
Marloxo commented on a change in pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#discussion_r443122304



##########
File path: docs/security.rst
##########
@@ -421,3 +421,15 @@ the new key to the ``fernet_key`` setting, run
 #. Set ``fernet_key`` to ``new_fernet_key,old_fernet_key``
 #. Run ``airflow rotate_fernet_key`` to re-encrypt existing credentials with the new fernet key
 #. Set ``fernet_key`` to ``new_fernet_key``
+
+Sensitive Variable fields
+-------------------------
+
+By default, Airflow Value of a variable will be hidden if the key contains any words in
+(‘password’, ‘secret’, ‘passwd’, ‘authorization’, ‘api_key’, ‘apikey’, ‘access_token’), but can be configured

Review comment:
       Sure, updated







[GitHub] [airflow] mik-laj commented on pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
mik-laj commented on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-646835717


   Can you also add docs to https://airflow.readthedocs.io/en/latest/security.html? 





[GitHub] [airflow] Marloxo commented on pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
Marloxo commented on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-646534777


   @mik-laj no worries, any advice on what tests I shall add?





[GitHub] [airflow] mik-laj commented on pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
mik-laj commented on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-646533958


   @Marloxo Sorry. I wanted to publish it in another PR.





[GitHub] [airflow] mik-laj edited a comment on pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
mik-laj edited a comment on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-646536323


   You should use tests.test_utils.config.conf_vars decorator and check the configuration option and return value. I would be happy if you would use parameterized to easily check many cases.





[GitHub] [airflow] mik-laj commented on a change in pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
mik-laj commented on a change in pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#discussion_r443016525



##########
File path: airflow/config_templates/config.yml
##########
@@ -1678,6 +1678,13 @@
       type: string
       example: ~
       default: "True"
+    - name: sensitive_variable_fields
+      description: |
+        Sensitive keywords to look for in variables names
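
Review bot: The description on the added `sensitive_variable_fields` entry does not say that the keywords are added to the built-in list rather than replacing it, which is what the `.update(...)` call in the airflow/www/utils.py hunk does. State that, together with the comma-separated format implied by `.split(',')`, so an operator who sets this option does not assume defaults such as `password` are dropped.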

Review comment:
       ```suggestion
           A comma-separated list of sensitive keywords to look for in variables names.
   ```







[GitHub] [airflow] Marloxo commented on a change in pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
Marloxo commented on a change in pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#discussion_r443120846



##########
File path: airflow/www/utils.py
##########
@@ -39,23 +39,28 @@
 from airflow.www.forms import DateTimeWithTimezoneField
 from airflow.www.widgets import AirflowDateTimePickerWidget
 
-DEFAULT_SENSITIVE_VARIABLE_FIELDS = (
+DEFAULT_SENSITIVE_VARIABLE_FIELDS = {
     'password',
     'secret',
     'passwd',
     'authorization',
     'api_key',
     'apikey',
     'access_token',
-)
+}
 
 
 def should_hide_value_for_key(key_name):
     # It is possible via importing variables from file that a key is empty.
     if key_name:
-        config_set = conf.getboolean('admin',
-                                     'hide_sensitive_variable_fields')
-        field_comp = any(s in key_name.lower() for s in DEFAULT_SENSITIVE_VARIABLE_FIELDS)
+        config_set = conf.getboolean('admin', 'hide_sensitive_variable_fields')
+
+        sensitive_variable_fields = conf.get('admin', 'sensitive_variable_fields')
+
+        if sensitive_variable_fields:
+            DEFAULT_SENSITIVE_VARIABLE_FIELDS.update(sensitive_variable_fields.split(','))
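
Review bot: The `.update(...)` call on the last added line mutates the module-level `DEFAULT_SENSITIVE_VARIABLE_FIELDS`, so after the first call the name no longer holds only the defaults, and a keyword later removed from the `admin` section's `sensitive_variable_fields` stays in the set until the process restarts. Keep the defaults immutable (the original tuple, or a frozenset) and build the effective set as a separate value, for example the union of the defaults and the parsed config entries, computed once.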

Review comment:
       Good point







[GitHub] [airflow] mik-laj commented on a change in pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
mik-laj commented on a change in pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#discussion_r443016525



##########
File path: airflow/config_templates/config.yml
##########
@@ -1678,6 +1678,13 @@
       type: string
       example: ~
       default: "True"
+    - name: sensitive_variable_fields
+      description: |
+        Sensitive keywords to look for in variables names

Review comment:
       ```suggestion
           Comma-separated list of sensitive keywords to look for in variables names.
   ```







[GitHub] [airflow] mik-laj edited a comment on pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
mik-laj edited a comment on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-646487216


   Deleted





[GitHub] [airflow] mik-laj merged pull request #9397: Add options to extend list of sensitive keywords

Posted by GitBox <gi...@apache.org>.
mik-laj merged pull request #9397:
URL: https://github.com/apache/airflow/pull/9397


   





[GitHub] [airflow] mik-laj commented on pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
mik-laj commented on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-646487216


   I would be happy if you would create a ticket in the Kubernetes library and add a link in the comment. Connection problems in this case should be handled on the library side.  If this is important to you, you can also ask for reviews of other Kubernetes contributors. This is open source, so every review is valuable. 





[GitHub] [airflow] boring-cyborg[bot] commented on pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-646461437


   Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about anything, please check our Contribution Guide (https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst)
   Here are some useful points:
   - Pay attention to the quality of your code (flake8, pylint and type annotations). Our [pre-commits](https://github.com/apache/airflow/blob/master/STATIC_CODE_CHECKS.rst#prerequisites-for-pre-commit-hooks) will help you with that.
   - In case of a new feature add useful documentation (in docstrings or in `docs/` directory). Adding a new operator? Check this short [guide](https://github.com/apache/airflow/blob/master/docs/howto/custom-operator.rst). Consider adding an example DAG that shows how users should use it.
   - Consider using [Breeze environment](https://github.com/apache/airflow/blob/master/BREEZE.rst) for testing locally, it’s a heavy docker but it ships with a working Airflow and a lot of integrations.
   - Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
   - Be sure to read the [Airflow Coding style](https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst#coding-style-and-best-practices).
   Apache Airflow is a community-driven project and together we are making it better 🚀.
   In case of doubts contact the developers at:
   Mailing List: dev@airflow.apache.org
   Slack: https://apache-airflow-slack.herokuapp.com/
   





[GitHub] [airflow] Marloxo commented on pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
Marloxo commented on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-646829722


   @mik-laj I updated the PR with tests, would you please take a look.





[GitHub] [airflow] Marloxo removed a comment on pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
Marloxo removed a comment on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-646531838


   @mik-laj Kubernetes library? I'm a bit lost here, I'm not using Kubernetes, it's just to hide variables value in Airflow UI 😅
   not sure what Connection problems you are referring to, would you elaborate please





[GitHub] [airflow] Marloxo commented on pull request #9397: Add sensitive_variable_fields option to extend `DEFAULT_SENSITIVE_VARIABLE_FIELDS`

Posted by GitBox <gi...@apache.org>.
Marloxo commented on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-646531838


   @mik-laj Kubernetes library? I'm a bit lost here, I'm not using Kubernetes, it's just to hide variables value in Airflow UI 😅
   not sure what Connection problems you are referring to, would you elaborate please





[GitHub] [airflow] kaxil commented on pull request #9397: Add options to extend list of sensitive keywords

Posted by GitBox <gi...@apache.org>.
kaxil commented on pull request #9397:
URL: https://github.com/apache/airflow/pull/9397#issuecomment-647014123


   The tests were failing for this PR, it broke Master. Created a PR to fix it: https://github.com/apache/airflow/pull/9446

