[PR] Mask per-key secrets-backend-kwarg overrides on the Config API [airflow]

Wed, 27 May 2026 15:00:39 -0700 


potiuk opened a new pull request, #67622:
URL: https://github.com/apache/airflow/pull/67622

   Per-key environment-variable overrides like 
`AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID` and 
`AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID` are materialised by 
`conf.as_dict` as synthetic options under the `secrets` and `workers` sections 
(e.g. `backend_kwarg__secret_id`). These synthetic options carry the same Vault 
/ role_id / secret_id material as the registered `backend_kwargs` option, but 
they are not present in `conf.sensitive_config_values`, so the Config API was 
returning their values unmasked.
   
   This change adds:
   
   - a constant `_PER_KEY_SENSITIVE_PREFIXES` that names the two 
synthetic-option prefixes,
   - a helper `_mask_per_key_sensitive_options` that the `GET /config` route 
calls when `display_sensitive=False`,
   - a helper `_is_per_key_sensitive_option` that extends the sensitivity check 
in the `GET /config/section/{section}/option/{option}` route.
   
   Reference: airflow-s/airflow-s#433
   
   ## Test plan
   
   - [x] New tests cover both the section-level (`GET /config`) and per-option 
(`GET /config/section/.../option/...`) masking paths for both the 
`secrets.backend_kwarg__*` and `workers.secrets_backend_kwarg__*` prefixes.
   - [x] Existing `TestGetConfig` / `TestGetConfigValue` suites still pass (39 
tests total).
   - [x] `prek run --from-ref main --to-ref HEAD --stage pre-commit` clean on 
touched files.
   - [x] `prek run --from-ref main --to-ref HEAD --stage manual` clean on 
touched files.
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes — Claude Opus 4.7 (1M context)
   
   Generated-by: Claude Opus 4.7 (1M context) following the guidelines at 
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to