potiuk opened a new pull request, #67868:
URL: https://github.com/apache/airflow/pull/67868
## Why
`Connection` extras, `Variable` values and rendered task fields are all run
through Airflow's shared secrets masker before the REST API returns them, so
sensitive values are shown as `***`. Trigger `kwargs` (`TriggerResponse.kwargs`)
are the one remaining API response that skips this step and serialises the
decrypted kwargs verbatim — so a value a deferred operator passes to its
trigger (an API key, a token, …) is returned as-is. This brings trigger
kwargs in line with the rest of the API.
## What
- `TriggerResponse.kwargs` now runs the decrypted kwargs through
`airflow._shared.secrets_masker.redact()` before serialising — the same
helper the Connections / Variables / Assets datamodels already use.
Sensitive keys are replaced with `***`; the triggerer still decrypts and
uses the real kwargs at runtime, so trigger execution is unaffected.
- Extended `DEFAULT_SENSITIVE_FIELDS` with credential field names that
providers use but the set did not cover yet: `app_key`, `certificate_data`,
`client_key`, `consumer_key`, `credential`, `key_file_dict`, `ssl_key`,
`yc_sa_key_json`. Matching is substring-based, so e.g. `tls_client_key` and
`ssl_client_key` are covered by `client_key`.
## Tests
- New `test_deferred_trigger_kwargs_are_redacted`: a deferred task's trigger
kwargs are masked in the task-instance response, non-sensitive values pass
through.
- Full `shared/secrets_masker` suite passes with the enriched field set.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
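The substring-based key matching described in this PR, sketched as an added example that is not part of the PR and not Airflow's `secrets_masker` code. The names `redact_kwargs`, `is_sensitive` and `SAMPLE_KWARGS` are hypothetical, the `api_key`/`token` entries and the case-folding are assumptions, and all sample values are constructed.

```python
from typing import Any

# The eight field names the PR description says were added.
ADDED_FIELDS = {
    "app_key", "certificate_data", "client_key", "consumer_key",
    "credential", "key_file_dict", "ssl_key", "yc_sa_key_json",
}
# Assumed stand-ins for names the set already covered (not listed on the page).
ASSUMED_EXISTING = {"api_key", "token"}
SENSITIVE = ADDED_FIELDS | ASSUMED_EXISTING
MASK = "***"


def is_sensitive(name: Any) -> bool:
    """Substring match on the key name; lowercasing is an assumption."""
    return isinstance(name, str) and any(s in name.lower() for s in SENSITIVE)


def redact_kwargs(value: Any, name: Any = None, force: bool = False) -> Any:
    """Return a masked copy for the API response; the input stays intact
    so the runtime consumer still sees the real kwargs."""
    force = force or is_sensitive(name)
    if isinstance(value, dict):
        return {k: redact_kwargs(v, k, force) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact_kwargs(v, None, force) for v in value)
    return MASK if force else value


# Constructed trigger kwargs for illustration only.
SAMPLE_KWARGS = {
    "endpoint": "https://example.invalid/jobs/42",
    "poll_interval": 30,
    "tls_client_key": "constructed-pem-data",            # hit via "client_key"
    "auth": {"API_KEY": "constructed-key", "user": "svc"},
    "credential": {"id": "abc", "value": "constructed"},  # whole subtree masked
    "headers": [{"x-token": "constructed"}, {"accept": "json"}],
    "callback_url": "https://example.invalid/hook?sig=constructed",
}

if __name__ == "__main__":
    for key, val in redact_kwargs(SAMPLE_KWARGS).items():
        print(f"{key}: {val!r}")
```

In this sketch `callback_url` passes through unchanged because name-based matching only sees the key, so a secret carried inside a value under an unlisted key name is not masked by this step alone.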