You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by "Neil Patel (JIRA)" <ji...@apache.org> on 2019/07/09 22:16:00 UTC
[jira] [Commented] (AIRFLOW-4923) Databricks hook leaks API secret
in logs
[ https://issues.apache.org/jira/browse/AIRFLOW-4923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16881591#comment-16881591 ]
Neil Patel commented on AIRFLOW-4923:
-------------------------------------
I can take this
> Databricks hook leaks API secret in logs
> ----------------------------------------
>
> Key: AIRFLOW-4923
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4923
> Project: Apache Airflow
> Issue Type: Bug
> Components: contrib, hooks
> Affects Versions: 1.10.3
> Reporter: Zen Yui
> Priority: Major
> Labels: security
>
> The databricks operator logs API keys during task instance run. The databricksĀ operator implementation encourages users to put their API key in the connection "extra" field ([link to docstring|https://github.com/apache/airflow/blob/1.10.3/airflow/contrib/operators/databricks_operator.py#L201-L204]), and its accompanying databricks hook invokes BaseHook.get_connection(), which logs that "extra" field in plaintext via the [models.Connection.debug_info method|https://github.com/apache/airflow/blob/1.10.3/airflow/models/connection.py#L271-L280].
> Links:
> * [BaseHook.get_connection|https://github.com/apache/airflow/blob/1.10.3/airflow/hooks/base_hook.py#L69-L84]
> * [DatabricksHook constructor invoking get_connection|https://github.com/apache/airflow/blob/1.10.3/airflow/contrib/hooks/databricks_hook.py#L65]
> * [BaseHook.debug_info|https://github.com/apache/airflow/blob/1.10.3/airflow/models/connection.py#L271-L280]
> One potential fix would be to allow the operator to emit bearer token headers if the token is saved to the password field and/or a flag is set in "extra".
> As an immediate workaround, users can just specify the username and API token as the password and the API appears to work.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)