From: Shah Altaf
Date: Wed, 07 Mar 2018 10:55:07 +0000
Subject: Re: Recommended way of piping credentials / sensitive information on templated operators
To: dev@airflow.incubator.apache.org

Would like to hear a little more from others, or any recommendations around
this. We've got other systems like SQL connections, SSH with user:pass,
API tokens. Is there any recommended way to hide these from the output logs?

On Mon, Feb 26, 2018 at 10:41 PM Hbw wrote:

> Aws profiles on the workers - the creds are on the machines, but not
> exposed. Boto/cli takes these profile names instead of access key/secret
> for just this kind of use case.
>
> Sent from a device with less than stellar autocorrect
>
> > On Feb 26, 2018, at 1:22 PM, jeeyoung kim wrote:
> >
> > Hi everyone,
> >
> > I’m wondering how people work around accidentally writing credentials on
> > bash operator template page / logs.
> >
> > For example, I may have PostgreSQL operator to copy data into Redshift.
> >
> > COPY TABLE_NAME from 's3://.../something.manifest.json'
> > access_key_id '{{ params.AWS_ACCESS_KEY }}'
> > secret_access_key '{{ params.AWS_SECRET_KEY }}'
> >
> > Or a command that exports from mongo
> >
> > mongoexport \
> > --assertExists \
> > -h {{ connection.host }} \
> > {% if connection.login %} -u {{ connection.login }} {% endif %}\
> > {% if connection.get_password() %} -p {{ connection.get_password() }} {% endif %}\
> > -d {{ connection.schema }}
> > ...
> >
> > However, when this operator is executed (or when the template is rendered
> > on the UI), the credentials are written to the log files / clearly visible
> > on the UI, which is problematic.
> >
> > There are many other cases where this can happen, and I’m wondering what is
> > a solution for it.
> >
> > What would be ideal is:
> >
> > - Prevent credentials from accidentally being shown in “show rendered
> > template” screen.
> > - Prevent credentials from being written to the logs.
> >
> > Thanks.
> >
> > -Jeeyoung Kim
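
An added example, not part of the thread and not Airflow's own code: one generic way to meet the second wish above ("Prevent credentials from being written to the logs") using a standard-library `logging.Filter` that masks known secret values in messages and tracebacks. `SecretRedactingFilter`, `run_demo` and the credential values are constructed for illustration.

```python
import io
import logging
import re
import traceback


class SecretRedactingFilter(logging.Filter):
    """Mask registered secret values in log records (hypothetical helper)."""

    def __init__(self, secrets=()):
        super().__init__()
        # Skip empty/very short values; longest first so overlapping secrets mask whole.
        values = sorted({s for s in secrets if s and len(s) >= 4}, key=len, reverse=True)
        self._pattern = re.compile("|".join(map(re.escape, values))) if values else None

    def redact(self, text):
        return self._pattern.sub("***", text) if self._pattern else text

    def filter(self, record):
        # Merge msg and args first, so secrets passed as arguments are masked too.
        record.msg, record.args = self.redact(record.getMessage()), None
        if record.exc_info:
            # Pre-render the traceback; Formatter reuses exc_text when it is set.
            tb = "".join(traceback.format_exception(*record.exc_info))
            record.exc_text = self.redact(tb.rstrip("\n"))
        return True


def run_demo():
    # Constructed sample values, not real credentials.
    params = {"AWS_ACCESS_KEY": "AKIAEXAMPLEKEY000000",
              "AWS_SECRET_KEY": "constructed/Secret+Value/0123456789"}
    rendered = ("COPY TABLE_NAME from 's3://.../something.manifest.json' access_key_id "
                "'{AWS_ACCESS_KEY}' secret_access_key '{AWS_SECRET_KEY}'").format(**params)
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # Filter on the handler, so records propagated from child loggers are covered.
    handler.addFilter(SecretRedactingFilter(params.values()))
    log = logging.getLogger("redaction_demo")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("Executing: %s", rendered)
    try:
        raise RuntimeError("COPY failed for key " + params["AWS_SECRET_KEY"])
    except RuntimeError:
        log.exception("Task failed")
    log.removeHandler(handler)
    return stream.getvalue(), params
```

The filter only masks the exact values it was given, so an encoded or transformed copy of a secret (base64, URL-encoded) passes through unmasked. Keeping credentials out of the rendered template altogether, as with the worker-side AWS profiles suggested in the thread, remains the stronger control.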