Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Hide sensitive data in UI

See original GitHub issue

Description

I’m using Airflow for 2 years now and I have a plugin that get password for a specific account in a Vault and then push it through a XCOM to reuse it on another tasks.

The fact is that if the value is sensitive like a password, I can’t hide it in the UI except for XCOM if I add an underscore in the prefix name of the key value.

Eg: kwargs[‘ti’].xcom_push(‘key’:‘_password’, ‘value’:‘my_value’)

But for rendered template UI page, I didn’t find anything similar, so if I try to pull a XCOM, it will show the value in the UI and I want to avoid it.

Maybe is it possible to add a condition in https://github.com/apache/airflow/blob/master/airflow/www/views.py after line 635

elif template_field.startswith('_'):
    html_dict[template_field] = ("<pre><code>sensitive data will not be exposed here</pre></code>")

Use case / motivation

I know that I can use connections but in my case, and due to security politic in my company, we have to store it in a dedicated Vault.

Related Issues

N/A

Issue Analytics

State:
Created 3 years ago
Reactions:6
Comments:24 (18 by maintainers)

Top GitHub Comments

5reactions

ausiddiquicommented, Sep 2, 2020

I have a similar use case, but passing the password from a connection object I created in the UI to the environment variable in the KubernetesPodOperator and it is appearing in plain text in the Rendered Template part of the UI for the task. There should be a way to avoid this being printed and visible.

4reactions

kaxilcommented, Aug 11, 2020

aah I see, apologies @n4rk0o I should have read your description more carefully. Yes the Rendered UI Field currently exposes everything. We should have a way of hiding this.

I see two options here:

Same as what @marcusianlevine described
Have a flag in airflow.cfg to hide rendered templated_fields globally. Sometime though users would love to check if the field was rendered correctly and hence it acts as a good debugging tool.

Top Results From Across the Web

Hide Sensitive Information in Logs and in the UI

By default, data is logged and displayed in plain text. You can protect sensitive information by concealing some fields.

Privacy masking and blocking sensitive data

You can perform privacy masking in the user's browser to ensure highly sensitive information never reaches the Acoustic servers. Alternatively, you have options ......

Data Masking and Handling to Minimize Sensitive Data ...

So, there you have it! Data masking blocks certain fields and pieces of data from being visible. These data obfuscation techniques help prevent ......

How to protect sensitive data displayed in SAP GUI Trees

In this blog, we see how to use SAP UI Data Protection Masking to protect sensitive data represented through Trees.

Handling sensitive data - Getting started with Smartlook

Sensitive elements are hidden locally on the device. No sensitive data is transferred over the network or stored in the dashboard.