This is calling for a consensus on the way we treat exposing sensitive data over API (in short "NO SENSITIVE DATA EXPOSED").
Discussion here: https://lists.apache.org/thread/c79668yh42m5g7f7xck3oh6vft0z2kb6 The consensus will be reached (unless someone objects) on Thursday 20th of November, 2025, 23:30 CET. Summary: 1) we want to make it crystal clear that no APIs ever expose sensitive data 2) we should remove export (import can stay) via UI - and leave a comment that export is only available via local CLI 3) the "sensitive data not exposed over API" is also present in airflow-ctl - this means that airflow-ctl should never expose sensitive data (including connections, variables, config, export) 4) the "expose config" [5] - will only accept "false" and "non-sensitive-only". The "true" will be rejected. There is also an impact to local CLI, even if local CLI user has access to all data anyway: 5) local CLI * list (connections, variables, config) only by default returns "keys" - and it will only return values when `--show-values` is passed as command line option (with clear comment in help that this option **might** show sensitive data, also when we do `* list` command without `--show-values` we emit stderr output explaining that potentially sensitive data is hidden and you need to specify `--show-values` to see them 6) the local CLI * get commands are unaffected (those are more likely already used as CLI API 7) we remove connections list --conn-id as it is equivalent to connections get Again:he consensus will be reached (unless someone objects) on Thursday 20th of November, 2025, 23:30 CET. J. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
