
Microsoft Azure Connection: Service principal secret does not get masked when providing connection via URI environment variable

Open w0ut0 opened this issue 1 year ago • 5 comments

Apache Airflow Provider(s)

microsoft-azure

Versions of Apache Airflow Providers

apache-airflow-providers-microsoft-azure==9.0.0

Apache Airflow version

apache-airflow==2.8.1

Operating System

Ubuntu 22.04.3 LTS

Deployment

Official Apache Airflow Helm Chart

Deployment details

No response

What happened

I set the connection as follows:

export AIRFLOW_CONN_AZURE_DEFAULT='azure://<sp-appid>:<sp-secret>?tenantId=<my-tenant>&subscriptionId=<my-subscription>'

As sp-secret is a password, I would assume it is masked from task logs. However, this is not the case.

I see 2 possible reasons:

  • There is no concept of hostname (so no @fqdn), which the masking feature might filter on?
  • There are special characters in the password field. In my case, the following characters are used: UPPERCASE, lowercase, ~ - _

What you think should happen instead

The log should render:

AIRFLOW_CONN_AZURE_DEFAULT=azure://<sp-appid>:***?tenantId=<my-tenant>&subscriptionId=<my-subscription>

just like it does with, for example, a postgresql connection.

How to reproduce

Add the connection (does not even need to make sense) as environment variables:

export AIRFLOW_CONN_AZURE_DEFAULT='azure://<sp-appid>:<sp-secret>?tenantId=<my-tenant>&subscriptionId=<my-subscription>'

Create a simple DAG to print environment variables.

Anything else

I have tried adding a fake hostname x by modifying the string to

export AIRFLOW_CONN_AZURE_DEFAULT='azure://<sp-appid>:<sp-secret>@x?tenantId=<my-tenant>&subscriptionId=<my-subscription>'

This still prints the secret unmasked.

Are you willing to submit PR?

  • [ ] Yes I am willing to submit a PR!

Code of Conduct

w0ut0 avatar Mar 14 '24 10:03 w0ut0

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

boring-cyborg[bot] avatar Mar 14 '24 10:03 boring-cyborg[bot]

Please fix this issue

zwelgbeer avatar Mar 14 '24 11:03 zwelgbeer

Probably same issue as https://github.com/apache/airflow/issues/36688, I'll try to see if that fix solves this issue.

w0ut0 avatar Mar 14 '24 12:03 w0ut0

Looks like a duplicate fixed in 2.8.2 @zwelgbeer -> Please upgrade your Airflow to the latest version and report back. Good idea is to upgrade to

potiuk avatar Mar 14 '24 22:03 potiuk

@potiuk, I have had the ability to test this on Airflow 2.9.1. Unfortunately, my secret is still not masked. I have 2 connection strings that are unmasked:

AIRFLOW_CONN_AZURE=azure://<AAD_CLIENT_ID>:UNMASKED_PASSWORD?tenantId=<AAD_TENANT_ID>&subscriptionId=<SUBSCRIPTION_ID>

AIRFLOW_CONN_DATABRICKS=databricks://<AAD_CLIENT_ID>:UNMASKED_PASSWORD@<workspace_url>.azuredatabricks.net?azure_tenant_id=<AAD_TENANT_ID>

Let me change some (normal) characters in the password:

pO51Q~MLdXXu-H_sOMNECHANGECHARSldk

It shows up unmasked when doing e.g. printenv in a BashOperator.

w0ut0 avatar May 17 '24 10:05 w0ut0
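An added example, not part of the issue thread and not Airflow's own code: a stdlib-only check of the two hypotheses from the original report, showing what Python's `urllib.parse.urlsplit` extracts from the URI forms quoted above, and a redaction pass that produces the rendering the reporter expected. The sample secret, the connection values and all function names (including the hypothetical `fallback_password` helper) are constructed for illustration; whether Airflow's masker takes the same path is not established by this thread.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample values; the secret uses the character classes named in the issue.
SECRET = "Ab1~cd-EF_gh"
NO_HOST = f"azure://app-id:{SECRET}?tenantId=t&subscriptionId=s"
WITH_HOST = f"azure://app-id:{SECRET}@x?tenantId=t&subscriptionId=s"


def uri_password(uri):
    """Return the password urlsplit() finds in a connection URI, or None."""
    password = urlsplit(uri).password
    return unquote(password) if password is not None else None


def fallback_password(uri):
    """Hypothetical helper: recover the secret from 'login:secret' when no '@host' exists."""
    netloc = urlsplit(uri).netloc
    if "@" in netloc or ":" not in netloc:
        return None
    return unquote(netloc.split(":", 1)[1])


def collect_secrets(environ):
    """Gather passwords from every AIRFLOW_CONN_* value in an environment mapping."""
    secrets = set()
    for name, value in environ.items():
        if name.startswith("AIRFLOW_CONN_"):
            found = uri_password(value) or fallback_password(value)
            if found:
                secrets.add(found)
    return secrets


def redact(line, secrets):
    """Replace every known secret in a log line with ***."""
    if not secrets:
        return line
    # Longest first so a secret that contains another is replaced whole.
    ordered = sorted(secrets, key=len, reverse=True)
    pattern = "|".join(re.escape(s) for s in ordered)
    return re.sub(pattern, "***", line)
```

With these constructed values, `uri_password` returns `None` for the form without `@` and the full secret for the `@x` form, so the characters `~ - _` do not affect parsing, while a masker that relied only on the parsed password field would have nothing to register for the first form.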

Hi @potiuk, I would like to contribute to this issue, and it is also marked as a good first issue, so can I work on it?

sonalshreya avatar Nov 14 '24 03:11 sonalshreya

Sure

potiuk avatar Nov 14 '24 11:11 potiuk