@ashb ashb commented Jul 31, 2025

For logs, using *** is fine, but as part of the changes introduced in #53943
we decided it might be nice to use an even-less-frequently-appearing thing
than *** so we can detect modified secrets.

This gives us the ability to do that at the redaction layer
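The reasoning in the description above, as an added example that is not part of the pull request or Airflow's code: a redaction function with a configurable replacement, and an update path that treats an echoed placeholder as "secret not modified". The field names, the `API_MASK` sentinel value, the sample record and every function name here are assumptions made for illustration.

```python
from typing import Any

SENSITIVE_KEYS = {"password", "token"}  # assumed field names for this sketch
LOG_MASK = "***"                        # placeholder used in logs, per the PR text
API_MASK = "<redacted:7f3a>"            # constructed rarer sentinel, not Airflow's value


def redact(value: Any, replacement: str = LOG_MASK, _key: Any = None) -> Any:
    # Return a copy of value with every sensitive field replaced.
    if isinstance(value, dict):
        return {k: redact(v, replacement, k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, replacement, _key) for v in value]
    if isinstance(_key, str) and _key.lower() in SENSITIVE_KEYS:
        return replacement
    return value


def apply_update(stored: dict, submitted: dict, replacement: str) -> tuple[dict, set]:
    """Merge a client-edited copy; a secret echoed back as the placeholder is kept."""
    merged, modified = dict(stored), set()
    for key, new in submitted.items():
        if isinstance(new, dict) and isinstance(stored.get(key), dict):
            merged[key], inner = apply_update(stored[key], new, replacement)
            modified |= {f"{key}.{k}" for k in inner}
        elif str(key).lower() in SENSITIVE_KEYS and new == replacement:
            continue  # placeholder came back unchanged: keep the stored secret
        elif new != stored.get(key):
            merged[key] = new
            modified.add(key)
    return merged, modified


# Constructed sample record, not real data.
STORED = {"host": "db.example.internal", "password": "s3cr3t", "extra": {"token": "abc123"}}


def edit_host_only() -> tuple[dict, set]:
    view = redact(STORED, API_MASK)        # what the client receives
    view["host"] = "db2.example.internal"  # client changes one non-secret field
    return apply_update(STORED, view, API_MASK)


def set_password_to_stars(mask: str) -> tuple[dict, set]:
    return apply_update(STORED, {"password": "***"}, mask)  # literal '***' as new value


if __name__ == "__main__":
    for result in (edit_host_only(), set_password_to_stars(LOG_MASK), set_password_to_stars(API_MASK)):
        print(result)
```

With `***` as the placeholder, a client that really sets the password to `***` is indistinguishable from one that left it alone, so the change is dropped; with the rarer sentinel the same request is recorded as a modification.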



ashb commented Jul 31, 2025

@pierrejeambrun As discussed.

@pierrejeambrun pierrejeambrun left a comment

Cool. Are you taking care of the follow-up PR to enable it for the API?

ashb commented Jul 31, 2025

> Cool. Are you taking care of the follow up PR to enable it for the API ?

🤷🏻 Hadn't thought that far ahead :D

@ashb ashb force-pushed the changable-redact-replacment-chars branch 2 times, most recently from 0e382d6 to bb5cc0f Compare July 31, 2025 14:46

@amoghrajesh amoghrajesh left a comment

One comment, rest looks good.

@ashb ashb force-pushed the changable-redact-replacment-chars branch from bb5cc0f to 8ee0ebb Compare July 31, 2025 15:26
@ashb ashb requested a review from mobuchowski as a code owner July 31, 2025 16:28

ashb commented Jul 31, 2025

Sorry for the meta-programming sins I have committed here.

@pierrejeambrun

> Sorry for the meta-programming sins I have committed here.

Compat code looks good. Not sure we have any other option at the moment.

ashb added 2 commits August 1, 2025 17:25
For logs, using `***` is fine, but as part of the changes introduced in apache#53943
we decided it might be nice to use an even-less-frequently-appearing thing
than `***` so we can detect modified secrets.

This gives us the ability to do that at the redaction layer
@ashb ashb force-pushed the changable-redact-replacment-chars branch from 66ebf1b to e2e6aa3 Compare August 1, 2025 16:25
@ashb ashb merged commit db8e628 into apache:main Aug 4, 2025
103 checks passed
@ashb ashb deleted the changable-redact-replacment-chars branch August 4, 2025 18:52
ferruzzi pushed a commit to aws-mwaa/upstream-to-airflow that referenced this pull request Aug 7, 2025
…pache#53977)

* Allow secrets redact function to have different redaction than `***`

For logs, using `***` is fine, but as part of the changes introduced in apache#53943
we decided it might be nice to use an even-less-frequently-appearing thing
than `***` so we can detect modified secrets.

This gives us the ability to do that at the redaction layer

* Deal with OpenLineage subclassing SecretsMasker class
fweilun pushed a commit to fweilun/airflow that referenced this pull request Aug 11, 2025