Hello here, I created an issue for it - splitting it into smaller sub-tasks:
https://github.com/apache/airflow/issues/59838 One of those is already worked on ( https://github.com/apache/airflow/pull/58659). All the issues are marked as "good first issue" and they are up for grabs. Those are a really good set of issues to implement as early contributions :). J. On Fri, Nov 28, 2025 at 3:00 PM Jarek Potiuk <[email protected]> wrote: > No - not yet, but work is on-going already - and I pointed it out in a few > issues that target it :). But I will do some soon > > On Fri, Nov 28, 2025 at 6:53 AM Amogh Desai <[email protected]> wrote: > >> Nice, thanks! >> >> Have we already created issues / work items for this? >> >> Thanks & Regards, >> Amogh Desai >> >> >> On Fri, Nov 21, 2025 at 4:55 AM Jarek Potiuk <[email protected]> wrote: >> >> > Lay consensus has been reached. >> > >> > On Mon, Nov 17, 2025 at 11:07 PM Jarek Potiuk <[email protected]> wrote: >> > > >> > > This is calling for a consensus on the way we treat exposing sensitive >> > > data over API (in short "NO SENSITIVE DATA EXPOSED"). >> > > >> > > Discussion here: >> > > >> > > https://lists.apache.org/thread/c79668yh42m5g7f7xck3oh6vft0z2kb6 >> > > >> > > The consensus will be reached (unless someone objects) on Thursday >> > > 20th of November, 2025, 23:30 CET. >> > > >> > > Summary: >> > > >> > > 1) we want to make it crystal clear that no APIs ever expose sensitive >> > data >> > > >> > > 2) we should remove export (import can stay) via UI - and leave a >> > > comment that export is only available via local CLI >> > > >> > > 3) the "sensitive data not exposed over API" is also present in >> > > airflow-ctl - this means that airflow-ctl should never expose >> > > sensitive data (including connections, variables, config, export) >> > > >> > > 4) the "expose config" [5] - will only accept "false" and >> > > "non-sensitive-only". The "true" will be rejected. >> > > >> > > There is also an impact to local CLI, even if local CLI user has >> > > access to all data anyway: >> > > >> > > 5) local CLI * list (connections, variables, config) only by default >> > > returns "keys" - and it will only return values when `--show-values` >> > > is passed as command line option (with clear comment in help that this >> > > option **might** show sensitive data, also when we do `* list` command >> > > without `--show-values` we emit stderr output explaining that >> > > potentially sensitive data is hidden and you need to specify >> > > `--show-values` to see them >> > > >> > > 6) the local CLI * get commands are unaffected (those are more likely >> > > already used as CLI API >> > > >> > > 7) we remove connections list --conn-id as it is equivalent to >> > connections get >> > > >> > > Again:he consensus will be reached (unless someone objects) on >> > > Thursday 20th of November, 2025, 23:30 CET. >> > > >> > > J. >> > >> > --------------------------------------------------------------------- >> > To unsubscribe, e-mail: [email protected] >> > For additional commands, e-mail: [email protected] >> > >> > >> >
