[AIRFLOW-2899] Hide sensitive data when Exporting Variables

[kaxil]

Make sure you have checked all steps below.

Jira

• My PR addresses the following Airflow Jira issues and references them in the PR title. For example, "[AIRFLOW-XXX] My Airflow PR"
  • https://issues.apache.org/jira/browse/AIRFLOW-2899
  • In case you are fixing a typo in the documentation you can prepend your commit with [AIRFLOW-XXX], code changes always need a Jira issue.

Description

• Here are some details about my PR, including screenshots of any UI changes:
  Currently, the sensitive variable is hidden from being exposed in the Web UI. However, if the UI is compromised, someone can export variables where all the sensitive variables are exported in plain text format.

This will still allow an admin to export all the variables from the CLI. The main intention here would be incase of an exposed Web UI, the sensitive data should still be inaccessible.

Tests

• My PR adds the following unit tests OR does not need testing for this extremely good reason:

Commits

• My commits all reference Jira issues in their subject lines, and I have squashed multiple commits if they address the same issue. In addition, my commits follow the guidelines from "How to write a good git commit message":
  1. Subject is separated from body by a blank line
  2. Subject is limited to 50 characters (not including Jira issue reference)
  3. Subject does not end with a period
  4. Subject uses the imperative mood ("add", not "adding")
  5. Body wraps at 72 characters
  6. Body explains "what" and "why", not "how"

Documentation

• In case of new functionality, my PR adds documentation that describes how to use it.
  • When adding new operators/hooks/sensors, the autoclass documentation generation needs to be added.

Code Quality

• Passes git diff upstream/master -u -- "*.py" | flake8 --diff

[kaxil]

cc @Fokko @feng-tao @bolkedebruin

#1530 covered hiding it from the UI but didn't consider variable export.

[codecov-io]

Codecov Report

Merging #3748 into master will increase coverage by 0.97%.
The diff coverage is 0%.

@@            Coverage Diff             @@
##           master    #3748      +/-   ##
==========================================
+ Coverage   76.67%   77.64%   +0.97%     
==========================================
  Files         199      204       +5     
  Lines       16186    15853     -333     
==========================================
- Hits        12410    12309     -101     
+ Misses       3776     3544     -232

Impacted Files	Coverage Δ
airflow/www/views.py	68.95% <0%> (+0.21%)	⬆️
airflow/www_rbac/views.py	72.61% <0%> (+0.22%)	⬆️
airflow/operators/slack_operator.py	0% <0%> (-97.37%)	⬇️
airflow/sensors/s3_key_sensor.py	31.03% <0%> (-68.97%)	⬇️
airflow/sensors/s3_prefix_sensor.py	41.17% <0%> (-58.83%)	⬇️
airflow/example_dags/example_python_operator.py	78.94% <0%> (-15.79%)	⬇️
airflow/utils/helpers.py	71.34% <0%> (-13.04%)	⬇️
airflow/hooks/mysql_hook.py	78% <0%> (-12%)	⬇️
airflow/sensors/sql_sensor.py	90.47% <0%> (-9.53%)	⬇️
airflow/configuration.py	83.95% <0%> (-5.47%)	⬇️
... and 88 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e703d6b...8a73aa1. Read the comment docs.

[feng-tao]

@kaxil, it would be good if you could add a test to test the sensitive data export case.

[kaxil]

@feng-tao Would you or someone with good Flask experience (e.g. @jgao54 , @Fokko ) be able to help with adding a test for this.

[Fokko]

I might even argue that we need to fix this on an API level instead of the view level. In this case the API will just obfuscate the secrets.

[kaxil]

@Fokko Fixing this on API level will mean we won't be able to get the variables in plain text through CLI as well.

[kaxil]

@ashb Thoughts?

[ashb]

Yes. And No?

Yes, because by default it probably shouldn't be possible to get the secrets back out. But the export including sensitive might be useful for backups/provisioning.

The "fuller" solution that would support exporting while keeping then encrypted. That would involve a change of format of export and is probably a bigger chunk of work.

In short: I don't know, sorry.

[kaxil]

@ashb No worries. The aim of this PR was to obfuscate sensitive variables from UI export but it would still allow you to download them through the CLI.

[ron819]

Why not allow the user to decide per Variable if it's sensitive or not (addition of Boolean column)? Then you won't need to consider the question of what to do... there will be a value defined by the user to simply act accordingly.
Sometimes what you might consider as secret isn't considered as such by the user.

[kaxil]

@ron819 Even if a user decides whether a field is sensitive or not, you would still need to add the functionality of obfuscating them in the UI, the scope of this PR is just that. And to your point on letting a user decide whether a given field is secret or not, we are happy for you to implement that functionality and send a PR.

Just for your information, the selection of a Variable to be sensitive was decided in this PR: #1530

[ron819]

@kaxil No need to get mad it was just a suggestion :)

[kaxil]

@ron819 I didn't get mad at all, apologies and sorry if you felt so. I seriously think that it should have been a user's choice to select the sensitive variables.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.