I'm mostly in agreement with Ash, I think we should keep import atleast. >From a usability perspective it makes sense to be able to perform some of these setup flows from the UI. The rest sounds good to me.
-- Regards, Aritra Basu On Tue, 4 Nov 2025, 2:53 pm Ash Berlin-Taylor, <[email protected]> wrote: > Largely agreed, a few questions/comments: > > 2. Import could stay. It’s a bulk create — it does no harm in existing, so > I don’t see why we should remove it > > 3. Just to clarify (what I assume you mean) no sensitive/unredacted data > should be sent over the API, so the this is not airflowctl’s responsibility > to care about, just a statement of intent/behaviour, yes? > > 5. I might say we should show some values (host, port etc) just not > anything sensitive without an extra flag — just listing connection ids or > everything seems like to far to either extreme. > > -a > > > On 3 Nov 2025, at 19:16, Jarek Potiuk <[email protected]> wrote: > > > > 1) we want to make it crystal clear that no APIs ever expose sensitive > data > > > > 2) that means that we should remove export (and likely import) via UI - > and > > leave a comment that export/import is only available via local CLI > > > > 3) the "sensitive data not exposed over API" is also present in > airflow-ctl > > - this means that airflow-ctl should never expose sensitive data > (including > > connections, variables, config) > > > > 4) the "expose config" [5] - will only accept "*false*" and " > > *non-sensitive-only*". The "true" will be rejected. > > > > 5) local CLI ** list* (connections, variables, config) only by default > > returns "keys" - and it will only return values when `*--show-values*` is > > passed as command line option (with clear comment in help that this > option > > **might** show sensitive data, also when we do `** list*` command without > > `--show-values` we emit stderr output explaining that potentially > sensitive > > data is hidden and you need to specify `--show-values` to see them > > > > 6) the ** get* commands are unaffected (those are more likely already > used > > as CLI API > > > > 7) we remove *connections list --conn-id *as it is equivalent to > *connections > > get * > >
