This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 19e0a9adc17 docs: Clarify masking in Connection extra JSON is
keyword-dependent (#58587)
19e0a9adc17 is described below
commit 19e0a9adc173d43035e853cddd46821bb06bf085
Author: kalluripradeep <[email protected]>
AuthorDate: Wed Nov 26 00:35:10 2025 +0000
docs: Clarify masking in Connection extra JSON is keyword-dependent (#58587)
Updated documentation to clarify that only keys containing sensitive
keywords are masked in Connection's extra JSON field, not all keys.
Fixes #58514
---
airflow-core/docs/security/secrets/mask-sensitive-values.rst | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/airflow-core/docs/security/secrets/mask-sensitive-values.rst
b/airflow-core/docs/security/secrets/mask-sensitive-values.rst
index 0268a4a0274..39ec58651ab 100644
--- a/airflow-core/docs/security/secrets/mask-sensitive-values.rst
+++ b/airflow-core/docs/security/secrets/mask-sensitive-values.rst
@@ -20,8 +20,10 @@
Masking sensitive data
----------------------
-Airflow will by default mask Connection passwords and sensitive Variables and
keys from a Connection's
-extra (JSON) field when they appear in Task logs, in the Variable and in the
Rendered fields views of the UI.
+Airflow will by default mask Connection passwords, sensitive Variables, and
keys from a Connection's
+extra (JSON) field whose names contain one or more of the sensitive keywords
when they appear in Task logs,
+in the Variables UI, and in the Rendered fields views of the UI. Keys in the
extra JSON that do not include
+any of these sensitive keywords will not be redacted automatically.
It does this by looking for the specific *value* appearing anywhere in your
output. This means that if you
have a connection with a password of ``a``, then every instance of the letter
a in your logs will be replaced
