github-actions[bot] opened a new pull request, #67629:
URL: https://github.com/apache/airflow/pull/67629
Per-key environment-variable overrides like
`AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID` and
`AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID` are materialised by
`conf.as_dict` as synthetic options under the `secrets` and `workers` sections
(e.g. `backend_kwarg__secret_id`). These synthetic options carry the same Vault
/ role_id / secret_id material as the registered `backend_kwargs` option, but
they are not present in `conf.sensitive_config_values`, so the Config API was
returning their values unmasked.
This change adds:
- a constant `_PER_KEY_SENSITIVE_PREFIXES` that names the two
synthetic-option prefixes,
- a helper `_mask_per_key_sensitive_options` that the `GET /config` route
calls when `display_sensitive=False`,
- a helper `_is_per_key_sensitive_option` that extends the sensitivity check
in the `GET /config/section/{section}/option/{option}` route.
Reference: airflow-s/airflow-s#433
(cherry picked from commit f0f978d2736891a2f9e9d2954e87fc358e1ef4e3)
Co-authored-by: Jarek Potiuk <[email protected]>
Generated-by: Claude Opus 4.7 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
