-
Notifications
You must be signed in to change notification settings - Fork 14.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AWS Secrets Manager Backend - major update #27920
Conversation
…s:dwreeves/airflow into 26571-aws-secrets-manager-update
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Love to see this simplification! LGTM!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I remember this, nice PR!
We'll need to be cognizant of when we merge it since it will cause a major version bump, as you say.
(True, "is url encoded", "not%20idempotent"), | ||
(False, "is%20url%20encoded", "not%2520idempotent"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems backwards?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test is basically saying:
- If the values are URL-encoded (True), then the expected value will have the escaping removed
"is%20url%20encoded" -> "is url encoded"
- If the values are not URL-encoded (False), then the expected value will not have the escaping removed
"is%20url%20encoded" -> "is%20url%20encoded"
Admittedly this is very confusing, not least of all because I am flipping the kwarg full_url_mode
to are_secret_values_urlencoded
.
This was a really weirdly specified test, looking back at it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This one is nice - @o-nikolas - what's your take ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it, thanks for the explanation @dwreeves!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks cool, but I think I need few more eyes (@o-nikolas mainly) to take a look
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving!
I still think we could be strategic about when we merge this though. We've had a lot of major version bumps lately on the Amazon Provider Package. Should we wait until there are few more breaking changes and batch them together? What do others think?
(True, "is url encoded", "not%20idempotent"), | ||
(False, "is%20url%20encoded", "not%2520idempotent"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it, thanks for the explanation @dwreeves!
I don't see reason to wait (?) |
It's not the end of the world of course, but it does add overhead for contributors maintaining the code (backporting, etc) as well as users who have to migrate very frequently. The same reasons apply for why we don't release a major version of Airflow weekly (albeit at a much smaller scale). |
I'm sorry this PR opened such a can of worms regarding major version releases. 😅 This all just started as a passion project to fix something I considered counterintuitive that I thought many others may also find counterintuitive. I use the word "fix" here because I do believe there were a lot of genuine problems with the initial handling of JSON secrets that look especially odd in a 2.3 world where JSON secrets are first-class citizens of the base Airflow API. I tried my best to smooth out the transition to a more sensible system across my two PRs that address the problem. I also believe the approaches I took were the best way to do that, both in terms of the path going forward as well as the intermediate steps I took with my first PR to the Thank you all once again for reviewing my PRs, I'll probably keep contributing to Airflow in the future although I sure hope it is in a less "breaking changes" capacity. |
Well. Discussion is not opening can of worms. It's often a good thing to have, as long as it results in an action (merging it is an action, so all good) |
Absolutely no worries Daniel! These were great changes that were made very carefully with fantastic communication. The discussions on when and how often to release code is a discussion as old as time and was going on before your changes. I hope to see you around as a contributor in Airflow for years to come 😃 |
Sometimes it's simply the best way forward. Thanks for the contribution! |
Cf #release-management, #29580 were dropped from 2.5.3 |
Closes: #26571
This PR contains the following:
SecretsManagerBackend
'sfull_url_mode=False
implementation. #26571:ast.literal_eval
for deserializing JSON secrets.full_url_mode
kwarg entirely. JSONs are now automatically detected.get_conn_value()
must return a URI.DeprecationWarning
s for users who will be affected.login
as the default name for the login with the JSON standardization thing in_standardize_secret_keys
.login
instead ofuser
,password
instead ofpass
, etc. + I wrote a note saying that using these names is encouraged.As stated in #26571, the intent with this PR (as well as the one leading up to it that added a bunch of deprecation warnings) is to make it so the secret values accepted by the
SecretsManagerBackend
are a strict superset of what is allowed by theBaseSecretsBackend
, and behave in the same way, so as to adhere to the principle of behavioral subtyping.For both the reasons stated above in bold-- this is incompatible with Airflow 2.2.x, and a small number of users will be hit by backwards incompatibility after implementing this change-- merging this PR would require a major version bump of the Amazon provider package.