Skip to content

Masking configuration values irrelevant to DAG author #43040

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kaxil merged 16 commits into from
Oct 23, 2024
Merged

Masking configuration values irrelevant to DAG author #43040

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
ed9f74b
Masking configuration values irrelevant to DAG author
amoghrajesh Oct 15, 2024
ad52d25
example UT
Oct 16, 2024
e5c46cf
writing UTs
Oct 16, 2024
ead1bf3
writing UTs
amoghrajesh Oct 16, 2024
963e438
Merge branch 'main' into redactConfs
amoghrajesh Oct 16, 2024
c03ccfc
removing UTs
amoghrajesh Oct 16, 2024
5d2313e
temp commit
amoghrajesh Oct 16, 2024
3acbe7f
changing the logic to mask from conf.sensitive_config_values instead
amoghrajesh Oct 16, 2024
ab6309c
adding UT
amoghrajesh Oct 16, 2024
3f765fc
Merge branch 'main' into redactConfs
amoghrajesh Oct 16, 2024
459709f
updating log
amoghrajesh Oct 16, 2024
afe2ac3
updating log and test cases
amoghrajesh Oct 16, 2024
5e975c9
review comments from ash
amoghrajesh Oct 22, 2024
fab6428
Merge branch 'main' into redactConfs
amoghrajesh Oct 22, 2024
af80e4e
Apply suggestions from code review
ashb Oct 22, 2024
e7b9a36
using @conf_vars
amoghrajesh Oct 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions airflow/configuration.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -772,6 +772,21 @@ def _create_future_warning(name: str, section: str, current_value: Any, new_valu
stacklevel=3,
)

def mask_secrets(self):
from airflow.utils.log.secrets_masker import mask_secret

for section, key in self.sensitive_config_values:
try:
value = self.get(section, key)
except AirflowConfigException:
log.debug(
"Could not retrieve value from section %s, for key %s. Skipping redaction of this conf.",
section,
key,
)
continue
mask_secret(value)

def _env_var_name(self, section: str, key: str) -> str:
return f"{ENV_VAR_PREFIX}{section.replace('.', '_').upper()}__{key.upper()}"

Expand Down
3 changes: 3 additions & 0 deletions airflow/settings.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -741,6 +741,9 @@ def initialize():
configure_orm()
configure_action_logging()

# mask the sensitive_config_values
conf.mask_secrets()

# Run any custom runtime checks that needs to be executed for providers
run_providers_custom_runtime_checks()

Expand Down
15 changes: 15 additions & 0 deletions tests/core/test_configuration.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1763,3 +1763,18 @@ def test_config_paths_is_directory(self):

with pytest.raises(IsADirectoryError, match="configuration file, but got a directory"):
write_default_airflow_configuration_if_needed()

@conf_vars({("mysection1", "mykey1"): "supersecret1", ("mysection2", "mykey2"): "supersecret2"})
@patch.object(
conf,
"sensitive_config_values",
new_callable=lambda: [("mysection1", "mykey1"), ("mysection2", "mykey2")],
)
@patch("airflow.utils.log.secrets_masker.mask_secret")
def test_mask_conf_values(self, mock_mask_secret, mock_sensitive_config_values):
conf.mask_secrets()

mock_mask_secret.assert_any_call("supersecret1")
mock_mask_secret.assert_any_call("supersecret2")

assert mock_mask_secret.call_count == 2