You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2023/01/05 22:46:32 UTC
[GitHub] [airflow] wolfier opened a new issue, #28756: All Airflow Configurations set via Environment Variable are masked when `expose_config` is set as `non-sensitive-only``
wolfier opened a new issue, #28756:
URL: https://github.com/apache/airflow/issues/28756
### Apache Airflow version
2.5.0
### What happened
In [Airflow 2.4.0](https://github.com/apache/airflow/blob/main/RELEASE_NOTES.rst#airflow-240-2022-09-19), a new feature was added that added an option to mask sensitive data in UI configuration page ([PR](https://github.com/apache/airflow/pull/25346)). I have set `AIRFLOW__WEBSERVER__EXPOSE_CONFIG` as `NON-SENSITIVE-ONLY`.
The feature is working partially as the `airflow.cfg` file display only has [sensitive configurations](https://github.com/apache/airflow/blob/2.5.0/airflow/configuration.py#L149-L160) marked as `< hidden >`. However, the `Running Configuration` table below the file display has all configuration set via environment variables marked as `< hidden >` which I believe is unintended.
I did not change `airflow.cfg` so the value here is displaying the default value of `False` as expected.
The value for `expose_config` I expect to be shown as `NON-SENSITIVE-ONLY` but it shown as `< hidden >`.
### What you think should happen instead
As mentioned previously, the value for `expose_config` I expect to be shown as `NON-SENSITIVE-ONLY`.
Only the [sensitive variables](https://github.com/apache/airflow/blob/2.5.0/airflow/configuration.py#L149-L160) should be set as `< hidden >`.
### How to reproduce
Set an Airflow configuration through the environment variable and check on the Configuration page.
### Operating System
n/a
### Versions of Apache Airflow Providers
n/a
### Deployment
Astronomer
### Deployment details
n/a
### Anything else
_No response_
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] ephraimbuddy closed issue #28756: All Airflow Configurations set via Environment Variable are masked when `expose_config` is set as `non-sensitive-only`
Posted by GitBox <gi...@apache.org>.
ephraimbuddy closed issue #28756: All Airflow Configurations set via Environment Variable are masked when `expose_config` is set as `non-sensitive-only`
URL: https://github.com/apache/airflow/issues/28756
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] ephraimbuddy commented on issue #28756: All Airflow Configurations set via Environment Variable are masked when `expose_config` is set as `non-sensitive-only`
Posted by GitBox <gi...@apache.org>.
ephraimbuddy commented on issue #28756:
URL: https://github.com/apache/airflow/issues/28756#issuecomment-1373246327
I think we should hide this in `_include_envs` so it's same as `_include_cmds` & `_include_secrets`:
```diff
diff --git a/airflow/configuration.py b/airflow/configuration.py
index 41778fe374..df393da6e6 100644
--- a/airflow/configuration.py
+++ b/airflow/configuration.py
@@ -1149,7 +1149,8 @@ class AirflowConfigParser(ConfigParser):
if not display_sensitive and env_var != self._env_var_name("core", "unit_test_mode"):
# Don't hide cmd/secret values here
if not env_var.lower().endswith("cmd") and not env_var.lower().endswith("secret"):
- opt = "< hidden >"
+ if (section, key) in self.sensitive_config_values:
+ opt = "< hidden >"
elif raw:
opt = opt.replace("%", "%%")
(END)
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] potiuk commented on issue #28756: All Airflow Configurations set via Environment Variable are masked when `expose_config` is set as `non-sensitive-only`
Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #28756:
URL: https://github.com/apache/airflow/issues/28756#issuecomment-1373217271
Would you like to take a stab on it @wolfier ?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] uranusjr commented on issue #28756: All Airflow Configurations set via Environment Variable are masked when `expose_config` is set as `non-sensitive-only`
Posted by GitBox <gi...@apache.org>.
uranusjr commented on issue #28756:
URL: https://github.com/apache/airflow/issues/28756#issuecomment-1373251278
I searched for `as_dict` usages and this is the only place where `display_sensitive` is False, so I think we should simply incorporate `SENSITIVE_CONFIG_VALUES` as Ephraim said. Otherwise the flag is basically useless.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] wolfier commented on issue #28756: All Airflow Configurations set via Environment Variable are masked when `expose_config` is set as `non-sensitive-only`
Posted by GitBox <gi...@apache.org>.
wolfier commented on issue #28756:
URL: https://github.com/apache/airflow/issues/28756#issuecomment-1372933160
I believe the issue is because when the configuration is [fetched as a dictionary](https://github.com/apache/airflow/blob/2.5.0/airflow/www/views.py#L3838-L3842), the values have already been hidden because `display_sensitive` is passed as `False`. The dictionary is built by calling [_include_envs](https://github.com/apache/airflow/blob/2.5.0/airflow/configuration.py#L1012) which hides any configuration that does not end with `_cmd` and `_secret`.
Instead, `conf.as_dict` should be passed with `display_sensitive` as `True`. That way, all configurations are not hidden and can be selectively hidden with `SENSITIVE_CONFIG_VALUES`.
```python
conf_dict = conf.as_dict(True, True)
for sect, key in SENSITIVE_CONFIG_VALUES:
if sect in conf_dict and key in conf_dict[sect]:
value, source = conf_dict[sect][key]
conf_dict[sect][key] = ("< hidden >", source)
table = [
(section, key, str(value), source)
for section, parameters in conf_dict.items()
for key, (value, source) in parameters.items()
]
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org