Add config option [secrets]backends_order

[moiseenkov]

Introduce a new configuration option for specifying secret backends load order:

[secrets]backends_order = custom,environment_variable,metastore

The default value represents current behavior, thus nothing will change for existing users.

[moiseenkov]

@eladkal , please take a look at the updates.

[potiuk]

I was initially against making it configurable, but seeing the simplicity and flexibility, I am in.

[potiuk]

@eladkal ?

[VladaZakharova]

hi there!
@potiuk
Can we merge this one please?

[VladaZakharova]

Hi @potiuk @eladkal ! Are there some other changes we need to make here? Or we can merge this one?

[eladkal]

We are on feature freeze for Airflow 3.
https://lists.apache.org/thread/r26htzl0w3th7pw0l1y31g6s14qbtwwt

[potiuk]

Yeah. I think that might be 3.1

[eladkal]

prevent accidental merge. We are on feature freeze for Airflow 3.
PR can not be merged till main branch is for 3.1

[eladkal]

i am a bit concerned making it just a "hidden" setting.
I think we better to come up with a way to expose the chosen order in the UI. that way DAG authors can verify and use it for debug for questions like (why I see wrong value in variable).

Also, correct me if I am wrong the order affect only read, not write. maybe the setting should be backends_read_order?

[Crowiant]

Hello @eladkal ! I don't see any info regarding the secrets section the UI is using right now. So maybe we could skip it for now? What do you think?
Regarding the naming. As stated in the doc it is responsible for secrets backends search ordering. So maybe backends_search_order is more convenient?

[eladkal]

right now it's not configurable so the Airflow docs is good enough but after this PR is accepted the Airflow docs can't help you... You'll need to check the deployment to understand the priority order.
In many deployments dag authors don't have access to the deployment code.

My thoughts on the UI is an improvement (I think crucial but that is just my own perspective) I welcome others to share their thoughts. This feature is already targeting 3.1+ so regardless if we do the UI part or not we can't merge it now. We need to wait for main branch to become 3.1 (probably only after we cut RC1 for Airflow 3(

[VladaZakharova]

Hi there!
I see that we are close to release Af3.1, so maybe we can merge this change?
Thanks :)

[potiuk]

This looks good to me - but I think it might be worth to raise a devlist discussion for it @VladaZakharova -> there were past discussions about changing the sequence of resolving configurations, and I know people have strong opinion about "fixed" vs. "confifurable" sequence - and there are arguments pro / against each of those options.

I think it would be good to raise a discussion asking what peopel think about it and try to reach consensus.

[eladkal]

I think it would be good to raise a discussion asking what peopel think about it and try to reach consensus.

I agree. I am not comfortable with making this change without the UI indication / other mechanisem that allows dag authors to see the cluster admin setup for backend order

[amoghrajesh]

@VladaZakharova @moiseenkov @Crowiant I will take a look at this one soon.

[uranusjr]

I wonder if this should just be called backends and have the description explain how the ordering is significant. The implementation is fine to me.

[uranusjr]

This doesn’t read right? The key implemented here is not under [workders].

[Crowiant]

Hello @uranusjr ! Thank you for your review and comments!
No, actually it should be under both sections: [secrets] and [workers]. Because after talking with @amoghrajesh We agreed that implementation should be extended on workers too.

[amoghrajesh]

We are certainly close on this one, some more work needs to be done to adjust the PR as per the latest codebase. For the UI changes, I am not so sure, so maybe someone else can review that: @potiuk / @eladkal since you had some suggestion there.

[amoghrajesh]

We are trying to avoid importing sdk in airflow core when possible

[Crowiant]

Could you expand a little bit on this? ExecutionAPISecretsBackend exists only in task-sdk and applies for the workers. Where else could it be imported?

[Crowiant]

Hello @amoghrajesh @uranusjr I responded to your comments in the PR. Could you please help with the review?

[potiuk]

@amoghrajesh @uranusjr -> any comments here? I think there were some important questions/comments from you and I would love to merge that one to make sure it makes it for 3.2 (it looks good in general).

[eladkal]

I don't have time to re-review but I still have some concerns. I advise to tag this as experimental feature so community will use this feature with judgment.
I will however ask to please present a UI image of how the indication of backend order is shown to users.

[potiuk]

I advise to tag this as experimental feature so community will use this feature with judgment.

Good idea @eladkal

[Crowiant]

Hello @potiuk @eladkal Thank you for your comments. I added experimental tag to the feature.
Here are screenshots of how backends order looks on UI:

[potiuk]

Can you please resolve conflicts and fix the remaining static check?

[Crowiant]

Hello @potiuk I updated the PR. Since checks are passing, can we merge if there are no objections?

[potiuk]

Sorry for that - I've been a bit busy - can you please rebase one more time as it needs more conflict resolution - also the UI part is somethign maybe @jason810496 can you re-review?

[potiuk]

@eladkal - looks like your concerns are alleviated - can you please remove "request changes"?