Re: [PR] Remove trigger kwargs from the REST API response [airflow]

Mon, 15 Jun 2026 07:26:25 -0700 


pierrejeambrun commented on code in PR #67868:
URL: https://github.com/apache/airflow/pull/67868#discussion_r3414210009


##########
airflow-core/src/airflow/api_fastapi/core_api/datamodels/trigger.py:
##########
@@ -19,19 +19,37 @@
 from datetime import datetime
 from typing import Annotated
 
-from pydantic import BeforeValidator, ConfigDict
+from pydantic import BeforeValidator, ConfigDict, Field
 
 from airflow.api_fastapi.core_api.base import BaseModel
 
 
+def _remove_kwargs(_: object) -> str:
+    """
+    Return empty trigger kwargs for API responses.
+
+    Trigger ``kwargs`` may contain sensitive values (for example credentials a 
deferred
+    operator hands to its trigger -- an API key, a token), so they are never 
exposed through
+    the REST API. The field is kept in the response schema for backwards 
compatibility -- so

Review Comment:
   Making the field always empty is somehow still breaking because people could 
rely on some fields being there.
   
   Removing it altogether for sake of security was probably also fine at this 
point.



##########
airflow-core/newsfragments/67868.bugfix.rst:
##########
@@ -0,0 +1 @@
+The ``kwargs`` field of trigger objects returned by the REST API (for example 
in the ``trigger`` of a task-instance response) no longer exposes the decrypted 
trigger keyword arguments. Those kwargs can contain credentials a deferred 
operator hands to its trigger (an API key, a token, …), so the field is now 
always returned empty, as ``"{}"``. The field is retained in the response 
schema for backwards compatibility — and is now marked ``deprecated`` there so 
consumers are nudged off it — and the triggerer still decrypts and uses the 
real kwargs at runtime; only the API representation is emptied.

Review Comment:
   Not sure why we end up with a `bugfix` newsfragment. 
   
   I thought we were doing significant only. (which could be an option for this 
change too)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to