Skip to content

Check if the lower of provided values are sensitives in config endpoint #34712

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ephraimbuddy merged 4 commits into from
Oct 7, 2023
Merged

Check if the lower of provided values are sensitives in config endpoint #34712

ephraimbuddy merged 4 commits into from
Oct 7, 2023

Conversation

@hussein-awala
Copy link
Member

@hussein-awala hussein-awala commented Oct 2, 2023

No description provided.

@hussein-awala hussein-awala added this to the Airflow 2.7.2 milestone Oct 2, 2023
@hussein-awala hussein-awala requested a review from eladkal October 2, 2023 09:19
@boring-cyborg boring-cyborg bot added the area:API Airflow's REST/HTTP API label Oct 2, 2023
@hussein-awala hussein-awala added the type:bug-fix Changelog: Bug Fixes label Oct 2, 2023
@uranusjr
Copy link
Member

uranusjr commented Oct 3, 2023

We don’t currently normalise entries in sensitive_config_values to lowercase. Should we do that to ensure things are compared correctly?

ephraimbuddy
ephraimbuddy reviewed Oct 3, 2023
View reviewed changes
airflow/api_connexion/endpoints/config_endpoint.py
)

if (section, option) in conf.sensitive_config_values:
if (section.lower(), option.lower()) in conf.sensitive_config_values:
Copy link
Contributor

@ephraimbuddy ephraimbuddy Oct 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of this, I think we should do what we do in the webserver

airflow/airflow/www/views.py

Lines 3840 to 3845 in f349fda

updater = configupdater.ConfigUpdater()
updater.read(AIRFLOW_CONFIG)
for sect, key in conf.sensitive_config_values:
if updater.has_option(sect, key):
updater[sect][key].value = "< hidden >"
config = str(updater)
.

Copy link
Member Author

@hussein-awala hussein-awala Oct 4, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I cannot fix the problem, because it checks if the value exists in the configuration as it is. But since we don't read any configuration from the user in this view, it's safe because all the configuration in both side (sensitive dict and configuration dict) are in low format.

Copy link
Member

@potiuk potiuk Oct 6, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree with @hussein-awala . I think the proposed way is right. The "www/views.py" code displays all the sections/options from the config and then then from sensitive_config_values. What we are preventing here is that differently cased section/option is passed by the user, so the source of section/key are not the config itself, but external to it. We can safely assume that the config has the right sections/keys (that's why the code in views.py works). But we cannot make the same assumption about the values passed by the user so we have to lowercase them.

@ephraimbuddy ephraimbuddy merged commit f044589 into apache:main Oct 7, 2023
ephraimbuddy pushed a commit that referenced this pull request Oct 7, 2023
@hussein-awala @ephraimbuddy
Check if the lower of provided values are sensitives in config endpoi…
a4a0b5d 
…nt (#34712)

* Check if the lower of provided values are sensitives in config endpoint

* update unit test

* ensure that all values in sensitive dict are in lower characters

(cherry picked from commit f044589)
@ephraimbuddy ephraimbuddy mentioned this pull request Oct 9, 2023
Closed
99 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@potiuk potiuk potiuk approved these changes

@ephraimbuddy ephraimbuddy ephraimbuddy approved these changes

@eladkal eladkal Awaiting requested review from eladkal

@pierrejeambrun pierrejeambrun Awaiting requested review from pierrejeambrun

@uranusjr uranusjr Awaiting requested review from uranusjr

Assignees

No one assigned

Labels

area:API Airflow's REST/HTTP API type:bug-fix Changelog: Bug Fixes

Projects

None yet

Milestone

Airflow 2.7.2

Development

Successfully merging this pull request may close these issues.

4 participants

@hussein-awala @uranusjr @potiuk @ephraimbuddy