Skip to content

Fix config secrets not masked in task logs after reset_secrets_masker (#63921)#64016

Open
deepujain wants to merge 1 commit intoapache:mainfrom
deepujain:fix-63921-remask-config-secrets-after-reset
Open

Fix config secrets not masked in task logs after reset_secrets_masker (#63921)#64016
deepujain wants to merge 1 commit intoapache:mainfrom
deepujain:fix-63921-remask-config-secrets-after-reset

Conversation

@deepujain
Copy link
Contributor

@deepujain deepujain commented Mar 20, 2026
edited
Loading

Summary

reset_secrets_masker() in supervise() clears all patterns from the SDK secrets masker — including config-level secrets (webserver.secret_key, api.secret_key, api_auth.jwt_secret) that were registered at startup by conf.mask_secrets(). After the reset, these secrets appear in plaintext in task subprocess logs when printed via print() or structlog.

The fix calls conf.mask_secrets() immediately after reset_secrets_masker() to re-register config-level secrets before the task subprocess is forked.

Changes

  • task-sdk/src/airflow/sdk/execution_time/supervisor.py — After reset_secrets_masker(), conditionally call conf.mask_secrets() when airflow.configuration is loaded (always true for worker-spawned supervisors) to re-register config secrets in the SDK masker.
  • task-sdk/tests/task_sdk/execution_time/test_supervisor.py — Regression test verifying that config secrets are re-masked after reset_secrets_masker() + conf.mask_secrets().

Fixes #63921
@deepujain
Fix config secrets not masked in task logs after reset_secrets_masker (
7839403 
…apache#63921) reset_secrets_masker() clears all patterns from the SDK secrets masker, including config-level secrets (webserver.secret_key, api.secret_key, api_auth.jwt_secret) that were registered at startup. After the reset, task subprocess logs no longer mask these secrets. Re-register config secrets by calling conf.mask_secrets() immediately after the reset when airflow.configuration is available (which is always the case since supervisors are spawned from workers).
@deepujain deepujain force-pushed the fix-63921-remask-config-secrets-after-reset branch from 1c4eb96 to 7839403 Compare March 20, 2026 20:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:task-sdk

1 participant

@deepujain