Nice, thanks!

Have we already created issues / work items for this?

Thanks & Regards,
Amogh Desai


On Fri, Nov 21, 2025 at 4:55 AM Jarek Potiuk <[email protected]> wrote:

> Lazy consensus has been reached.
>
> On Mon, Nov 17, 2025 at 11:07 PM Jarek Potiuk <[email protected]> wrote:
> >
> > This is calling for a consensus on the way we treat exposing sensitive
> > data over API (in short "NO SENSITIVE DATA EXPOSED").
> >
> > Discussion here:
> >
> > https://lists.apache.org/thread/c79668yh42m5g7f7xck3oh6vft0z2kb6
> >
> > The consensus will be reached (unless someone objects) on Thursday
> > 20th of November, 2025, 23:30 CET.
> >
> > Summary:
> >
> > 1) we want to make it crystal clear that no APIs ever expose sensitive
> > data
> >
> > 2) we should remove export (import can stay) via UI - and leave a
> > comment that export is only available via local CLI
> >
> > 3) the "sensitive data not exposed over API" is also present in
> > airflow-ctl - this means that airflow-ctl should never expose
> > sensitive data (including connections, variables, config, export)
> >
> > 4) the "expose config" [5] - will only accept "false" and
> > "non-sensitive-only". The "true" will be rejected.
> >
> > There is also an impact to local CLI, even if local CLI user has
> > access to all data anyway:
> >
> > 5) local CLI * list (connections, variables, config) only by default
> > returns "keys" - and it will only return values when `--show-values`
> > is passed as command line option (with clear comment in help that this
> > option **might** show sensitive data), also when we do `* list` command
> > without `--show-values` we emit stderr output explaining that
> > potentially sensitive data is hidden and you need to specify
> > `--show-values` to see them
> >
> > 6) the local CLI * get commands are unaffected (those are more likely
> > already used as CLI API)
> >
> > 7) we remove connections list --conn-id as it is equivalent to
> > connections get
> >
> > Again: the consensus will be reached (unless someone objects) on
> > Thursday 20th of November, 2025, 23:30 CET.
> >
> > J.
>