Fix JWT tokens appearing in task logs #62782

Closed
sunank200 wants to merge 2 commits into apache:main from sunank200:fix/jwt-tokens-in-logs-62773
Conversation

@sunank200 (Collaborator) commented Mar 3, 2026

  • log only dag_id, task_id, run_id, log_path so the JWT token is never passed to the logger.
  • Extend redact_jwt structlog processor to redact JWTs inside Pydantic-like objects (model_dump) and to replace token key values with *** so any workload-like object logged elsewhere is safe.

closes: #62773


Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)
    Made-with: Cursor

  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

- Stop logging full workload object in execute_workload; log only
  dag_id, task_id, run_id, log_path so the JWT token is never passed
  to the logger.
- Extend redact_jwt structlog processor to redact JWTs inside
  Pydantic-like objects (model_dump) and to replace 'token' key
  values with *** so any workload-like object logged elsewhere is
  safe.

closes: apache#62773
Made-with: Cursor
raise ValueError(f"Executor does not know how to handle {type(workload)}")

log.info("Executing workload", workload=workload)
log.info(
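
Review bot: replacing `log.info("Executing workload", workload=workload)` fixes this one call site, but any other logger call that receives a workload object still relies on the `redact_jwt` processor alone. Consider a regression test that logs a workload carrying a token through the configured processors and asserts the token value is absent from the rendered output, so both the call-site change and the processor are covered.
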
Contributor
You could keep the same logging statement here and instead set the JWT-containing attribute as a pydantic.SecretStr, which will by default redact the field from logs.
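
The redaction behaviour listed in the PR description (JWTs inside `model_dump` objects, `token` key values replaced with `***`), as an added example; this is not Airflow's `redact_jwt` implementation or code from this PR. `FakeWorkload`, `_scrub`, the regex and the sample token are assumptions constructed for illustration, and the processor only follows structlog's `(logger, method_name, event_dict)` calling convention without importing structlog.

```python
import re

# A JWT's header and payload are base64url-encoded JSON objects, so both start "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
MASK = "***"
SENSITIVE_KEYS = {"token"}  # assumption: key name taken from the PR description


def _scrub(value, depth=0):
    """Return a copy of value with JWT strings and sensitive keys masked."""
    if depth > 10:  # fail closed on cyclic or very deep structures
        return MASK
    if isinstance(value, str):
        return JWT_RE.sub(MASK, value)
    if isinstance(value, dict):
        return {
            k: MASK if str(k).lower() in SENSITIVE_KEYS else _scrub(v, depth + 1)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(_scrub(v, depth + 1) for v in value)
    dump = getattr(value, "model_dump", None)
    if callable(dump):  # Pydantic-like object: scrub its dict form instead
        return _scrub(dump(), depth + 1)
    return value


def redact_jwt(logger, method_name, event_dict):
    """structlog-style processor: takes and returns the event dict."""
    return _scrub(event_dict)


class FakeWorkload:
    """Constructed stand-in for a Pydantic model that carries a token."""
    def __init__(self, token):
        self.token = token

    def model_dump(self):
        return {"token": self.token,
                "headers": {"Authorization": f"Bearer {self.token}"},
                "ti": {"dag_id": "example_dag"}}


# Constructed sample token, not a real credential.
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0aSJ9.c2lnbmF0dXJl"

def demo():
    event = {"event": f"auth ok for Bearer {SAMPLE_JWT}",
             "workload": FakeWorkload(SAMPLE_JWT)}
    return redact_jwt(None, "info", event)
```

The `headers` entry shows why the regex pass is still needed after key-based masking: a token can sit under a key that is not named `token`.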

@eladkal (Contributor) commented Mar 6, 2026

Closing in favor of #62964

@eladkal eladkal closed this Mar 6, 2026