This is an automated email from the ASF dual-hosted git repository. ephraimanierobi pushed a commit to branch v3-1-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit b3fd486333318d012edd4524591bdb083a5e14b9 Author: kalluripradeep <[email protected]> AuthorDate: Wed Nov 26 00:35:10 2025 +0000 docs: Clarify masking in Connection extra JSON is keyword-dependent (#58587) Updated documentation to clarify that only keys containing sensitive keywords are masked in Connection's extra JSON field, not all keys. Fixes #58514 (cherry picked from commit 19e0a9adc173d43035e853cddd46821bb06bf085) --- airflow-core/docs/security/secrets/mask-sensitive-values.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/airflow-core/docs/security/secrets/mask-sensitive-values.rst b/airflow-core/docs/security/secrets/mask-sensitive-values.rst index 0268a4a0274..39ec58651ab 100644 --- a/airflow-core/docs/security/secrets/mask-sensitive-values.rst +++ b/airflow-core/docs/security/secrets/mask-sensitive-values.rst @@ -20,8 +20,10 @@ Masking sensitive data ---------------------- -Airflow will by default mask Connection passwords and sensitive Variables and keys from a Connection's -extra (JSON) field when they appear in Task logs, in the Variable and in the Rendered fields views of the UI. +Airflow will by default mask Connection passwords, sensitive Variables, and keys from a Connection's +extra (JSON) field whose names contain one or more of the sensitive keywords when they appear in Task logs, +in the Variables UI, and in the Rendered fields views of the UI. Keys in the extra JSON that do not include +any of these sensitive keywords will not be redacted automatically. It does this by looking for the specific *value* appearing anywhere in your output. This means that if you have a connection with a password of ``a``, then every instance of the letter a in your logs will be replaced
