Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS Secrets Manager Backend - major update #27920

Merged
merged 7 commits into from
Dec 5, 2022

Conversation

dwreeves
Copy link
Contributor

Closes: #26571

This PR contains the following:

  • Implemented the following bullet points outlined in Migrate Amazon Provider Package's SecretsManagerBackend's full_url_mode=False implementation. #26571:
    • Removed ast.literal_eval for deserializing JSON secrets.
    • Removed full_url_mode kwarg entirely. JSONs are now automatically detected.
    • Removed requirement that get_conn_value() must return a URI.
      • Note that this means that the AWS provider package will no longer work with Airflow 2.2.x and requires 2.3.0 or greater.
    • Removed requirement that secrets must be URL-encoded when stored as JSONs.
      • Note that this change will be breaking for some users, although the current AWS provider package should be raising DeprecationWarnings for users who will be affected.
    • Set login as the default name for the login with the JSON standardization thing in _standardize_secret_keys.
  • Updated docs to reflect these changes.
    • Removed all references to full URL mode.
    • Provided what I believe to be much clearer examples of AWS Secrets Manager setup.
    • Moved the docs to being more consistent with Airflow's base secrets API, e.g. login instead of user, password instead of pass, etc. + I wrote a note saying that using these names is encouraged.
    • I also raised the header levels a little bit across the doc; they were very low!

As stated in #26571, the intent with this PR (as well as the one leading up to it that added a bunch of deprecation warnings) is to make it so the secret values accepted by the SecretsManagerBackend are a strict superset of what is allowed by the BaseSecretsBackend, and behave in the same way, so as to adhere to the principle of behavioral subtyping.

For both the reasons stated above in bold-- this is incompatible with Airflow 2.2.x, and a small number of users will be hit by backwards incompatibility after implementing this change-- merging this PR would require a major version bump of the Amazon provider package.

@dwreeves dwreeves requested a review from eladkal as a code owner November 25, 2022 18:34
@dwreeves dwreeves changed the title 26571 aws secrets manager update AWS Secrets Manager Backend - major update Nov 25, 2022
@kaxil
Copy link
Member

kaxil commented Nov 26, 2022

cc @ferruzzi @o-nikolas @vincbeck

Copy link
Contributor

@vincbeck vincbeck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love to see this simplification! LGTM!

Copy link
Contributor

@o-nikolas o-nikolas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I remember this, nice PR!

We'll need to be cognizant of when we merge it since it will cause a major version bump, as you say.

Comment on lines +57 to +58
(True, "is url encoded", "not%20idempotent"),
(False, "is%20url%20encoded", "not%2520idempotent"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems backwards?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test is basically saying:

  • If the values are URL-encoded (True), then the expected value will have the escaping removed "is%20url%20encoded" -> "is url encoded"
  • If the values are not URL-encoded (False), then the expected value will not have the escaping removed "is%20url%20encoded" -> "is%20url%20encoded"

Admittedly this is very confusing, not least of all because I am flipping the kwarg full_url_mode to are_secret_values_urlencoded.

This was a really weirdly specified test, looking back at it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one is nice - @o-nikolas - what's your take ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it, thanks for the explanation @dwreeves!

Copy link
Member

@potiuk potiuk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks cool, but I think I need few more eyes (@o-nikolas mainly) to take a look

Copy link
Contributor

@o-nikolas o-nikolas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving!
I still think we could be strategic about when we merge this though. We've had a lot of major version bumps lately on the Amazon Provider Package. Should we wait until there are few more breaking changes and batch them together? What do others think?

Comment on lines +57 to +58
(True, "is url encoded", "not%20idempotent"),
(False, "is%20url%20encoded", "not%2520idempotent"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it, thanks for the explanation @dwreeves!

@eladkal
Copy link
Contributor

eladkal commented Dec 5, 2022

We've had a lot of major version bumps lately on the Amazon Provider Package. Should we wait until there are few more breaking changes and batch them together? What do others think?

I don't see reason to wait (?)
if AWS see the need to backport features/bug fixes to earlier provider version that is possible (And even simple). The procedure is documented in https://github.com/apache/airflow#release-process-for-providers (last paragraph of that section - cherry picking)

@potiuk potiuk merged commit 8f0265d into apache:main Dec 5, 2022
@o-nikolas
Copy link
Contributor

We've had a lot of major version bumps lately on the Amazon Provider Package. Should we wait until there are few more breaking changes and batch them together? What do others think?

I don't see reason to wait (?) if AWS see the need to backport features/bug fixes to earlier provider version that is possible (And even simple). The procedure is documented in https://github.com/apache/airflow#release-process-for-providers (last paragraph of that section - cherry picking)

It's not the end of the world of course, but it does add overhead for contributors maintaining the code (backporting, etc) as well as users who have to migrate very frequently. The same reasons apply for why we don't release a major version of Airflow weekly (albeit at a much smaller scale).
But I can't seem to get on the same page with release schedule and semver around here, so I should probably stop trying 😅

@dwreeves
Copy link
Contributor Author

dwreeves commented Dec 5, 2022

I'm sorry this PR opened such a can of worms regarding major version releases. 😅 This all just started as a passion project to fix something I considered counterintuitive that I thought many others may also find counterintuitive. I use the word "fix" here because I do believe there were a lot of genuine problems with the initial handling of JSON secrets that look especially odd in a 2.3 world where JSON secrets are first-class citizens of the base Airflow API.

I tried my best to smooth out the transition to a more sensible system across my two PRs that address the problem. I also believe the approaches I took were the best way to do that, both in terms of the path going forward as well as the intermediate steps I took with my first PR to the SecretsManagerBackend. I know future Airflow users will find the SecretsManager much easier to work with, and I hope current users do not find these changes too disruptive.

Thank you all once again for reviewing my PRs, I'll probably keep contributing to Airflow in the future although I sure hope it is in a less "breaking changes" capacity.

@potiuk
Copy link
Member

potiuk commented Dec 5, 2022

Well. Discussion is not opening can of worms. It's often a good thing to have, as long as it results in an action (merging it is an action, so all good)

@o-nikolas
Copy link
Contributor

I'm sorry this PR opened such a can of worms regarding major version releases. sweat_smile

Absolutely no worries Daniel! These were great changes that were made very carefully with fantastic communication. The discussions on when and how often to release code is a discussion as old as time and was going on before your changes. I hope to see you around as a contributor in Airflow for years to come 😃

@ferruzzi
Copy link
Contributor

ferruzzi commented Dec 5, 2022

I sure hope it is in a less "breaking changes" capacity.

Sometimes it's simply the best way forward. Thanks for the contribution!

@pierrejeambrun
Copy link
Member

pierrejeambrun commented Mar 23, 2023

Cherry picked in 2.5.3 to resolve conflicts for #29580.

Cf #release-management, #29580 were dropped from 2.5.3

@pierrejeambrun pierrejeambrun added this to the Airflow 2.5.3 milestone Mar 23, 2023
@pierrejeambrun pierrejeambrun added the changelog:skip Changes that should be skipped from the changelog (CI, tests, etc..) label Mar 23, 2023
@pierrejeambrun pierrejeambrun removed this from the Airflow 2.5.3 milestone Mar 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area:providers area:secrets changelog:skip Changes that should be skipped from the changelog (CI, tests, etc..) kind:documentation provider:amazon-aws AWS/Amazon - related issues
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Migrate Amazon Provider Package's SecretsManagerBackend's full_url_mode=False implementation.
8 participants