Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Masking configuration values irrelevant to DAG author (#43040) #43336

Merged
merged 1 commit into from
Oct 24, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions airflow/configuration.py
Original file line number Diff line number Diff line change
Expand Up @@ -851,6 +851,21 @@ def _create_future_warning(name: str, section: str, current_value: Any, new_valu
stacklevel=3,
)

def mask_secrets(self):
from airflow.utils.log.secrets_masker import mask_secret

for section, key in self.sensitive_config_values:
try:
value = self.get(section, key)
except AirflowConfigException:
log.debug(
"Could not retrieve value from section %s, for key %s. Skipping redaction of this conf.",
section,
key,
)
continue
mask_secret(value)

def _env_var_name(self, section: str, key: str) -> str:
return f"{ENV_VAR_PREFIX}{section.replace('.', '_').upper()}__{key.upper()}"

Expand Down
3 changes: 3 additions & 0 deletions airflow/settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -790,6 +790,9 @@ def initialize():
configure_orm()
configure_action_logging()

# mask the sensitive_config_values
conf.mask_secrets()

# Run any custom runtime checks that needs to be executed for providers
run_providers_custom_runtime_checks()

Expand Down
15 changes: 15 additions & 0 deletions tests/core/test_configuration.py
Original file line number Diff line number Diff line change
Expand Up @@ -1785,3 +1785,18 @@ def test_config_paths_is_directory(self):

with pytest.raises(IsADirectoryError, match="configuration file, but got a directory"):
write_default_airflow_configuration_if_needed()

@conf_vars({("mysection1", "mykey1"): "supersecret1", ("mysection2", "mykey2"): "supersecret2"})
@patch.object(
conf,
"sensitive_config_values",
new_callable=lambda: [("mysection1", "mykey1"), ("mysection2", "mykey2")],
)
@patch("airflow.utils.log.secrets_masker.mask_secret")
def test_mask_conf_values(self, mock_mask_secret, mock_sensitive_config_values):
conf.mask_secrets()

mock_mask_secret.assert_any_call("supersecret1")
mock_mask_secret.assert_any_call("supersecret2")

assert mock_mask_secret.call_count == 2
Loading