ashb commented on issue #54090:
URL: https://github.com/apache/airflow/issues/54090#issuecomment-3167068888

   > we have no way to distinguish whether we are calling it from UI or airflowctl?
   
   We don't currently, correct, but we could probably very easily detect this via User-Agent header. Or the other option is to create a different UI-only endpoint (we already have other such endpoints)
   
   I still think it should be a different permission though -- exporting all connections is a highly sensitive and risky approach -- so I'd feel much happier with export being a separate endpoint, even if it's not a separate permission. My main driver for this is auditability -- if it's a separate endpoint that exposes the password, you can then tell when people get those from access logs alone.
   
   So I'd probably say both:
   1. UI only endpoint that always redacts (and possibly remove the `hide_sensitive_var_conn_fields` setting and make it mandatory?)
   2. Add a new permission, ("Connections", "can_read_unredacted") or similar, that is required to either export, or to read a connection without redaction.
   3. We could extend the UI views to add a "show sensitive" fields button which would use the public API to populate things.
   
   If you call the export endpoint and you don't have the export permission it could either return connections with redaction, or more likely return a 403. And if you call the normal connection GET endpoint without having that new perm it would return it redacted exactly as the UI?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
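
A sketch of the scheme proposed in the comment above, added here as an illustration; it is not code from Airflow or from the commenter. The function names, the sensitive-field set, the endpoint path and the log lines are assumptions made up for the example; only the `("Connections", "can_read_unredacted")` permission name comes from the comment.

```python
import re

READ = ("Connections", "can_read")
READ_UNREDACTED = ("Connections", "can_read_unredacted")  # name proposed in the comment
SENSITIVE = {"password", "extra"}            # assumption: fields treated as secret
EXPORT_PATH = "/example/connections/export"  # hypothetical path, not Airflow's

class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""

def redact(conn):
    """Mask every non-empty sensitive field."""
    return {k: "***" if k in SENSITIVE and v else v for k, v in conn.items()}

def ui_get(perms, conn):
    """UI-only endpoint: always redacts, whatever the caller holds."""
    if READ not in perms:
        raise Forbidden("can_read required")
    return redact(conn)

def api_get(perms, conn):
    """Public GET: unredacted only with the new permission."""
    if READ not in perms:
        raise Forbidden("can_read required")
    return dict(conn) if READ_UNREDACTED in perms else redact(conn)

def export(perms, conns):
    """Export endpoint: 403 rather than a silently redacted dump."""
    if READ_UNREDACTED not in perms:
        raise Forbidden("can_read_unredacted required")
    return [dict(c) for c in conns]

# Constructed access-log lines (common log format), for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jan/2025:10:01:02 +0000] "GET /example/connections/export HTTP/1.1" 200 5120
10.0.0.9 - bob [01/Jan/2025:10:03:40 +0000] "GET /example/connections/export HTTP/1.1" 403 41
10.0.0.9 - bob [01/Jan/2025:10:04:11 +0000] "GET /example/connections/pg_main HTTP/1.1" 200 310
"""
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def secret_exports(log_text):
    """Return (user, time) for each successful hit on the export endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(5).split("?")[0] == EXPORT_PATH and m.group(6) == "200":
            hits.append((m.group(2), m.group(3)))
    return hits
```

Because the export path is the only one that always returns secrets, `secret_exports` needs nothing beyond the request line and status code; unredacted reads through the ordinary GET would not be visible this way.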
