No - not yet, but work is on-going already - and I pointed it out in a few issues that target it :). But I will do some soon
On Fri, Nov 28, 2025 at 6:53 AM Amogh Desai <[email protected]> wrote: > Nice, thanks! > > Have we already created issues / work items for this? > > Thanks & Regards, > Amogh Desai > > > On Fri, Nov 21, 2025 at 4:55 AM Jarek Potiuk <[email protected]> wrote: > > > Lay consensus has been reached. > > > > On Mon, Nov 17, 2025 at 11:07 PM Jarek Potiuk <[email protected]> wrote: > > > > > > This is calling for a consensus on the way we treat exposing sensitive > > > data over API (in short "NO SENSITIVE DATA EXPOSED"). > > > > > > Discussion here: > > > > > > https://lists.apache.org/thread/c79668yh42m5g7f7xck3oh6vft0z2kb6 > > > > > > The consensus will be reached (unless someone objects) on Thursday > > > 20th of November, 2025, 23:30 CET. > > > > > > Summary: > > > > > > 1) we want to make it crystal clear that no APIs ever expose sensitive > > data > > > > > > 2) we should remove export (import can stay) via UI - and leave a > > > comment that export is only available via local CLI > > > > > > 3) the "sensitive data not exposed over API" is also present in > > > airflow-ctl - this means that airflow-ctl should never expose > > > sensitive data (including connections, variables, config, export) > > > > > > 4) the "expose config" [5] - will only accept "false" and > > > "non-sensitive-only". The "true" will be rejected. > > > > > > There is also an impact to local CLI, even if local CLI user has > > > access to all data anyway: > > > > > > 5) local CLI * list (connections, variables, config) only by default > > > returns "keys" - and it will only return values when `--show-values` > > > is passed as command line option (with clear comment in help that this > > > option **might** show sensitive data, also when we do `* list` command > > > without `--show-values` we emit stderr output explaining that > > > potentially sensitive data is hidden and you need to specify > > > `--show-values` to see them > > > > > > 6) the local CLI * get commands are unaffected (those are more likely > > > already used as CLI API > > > > > > 7) we remove connections list --conn-id as it is equivalent to > > connections get > > > > > > Again:he consensus will be reached (unless someone objects) on > > > Thursday 20th of November, 2025, 23:30 CET. > > > > > > J. > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > >
