Body
We agreed via LAZY CONSENSUS that we will not espose sensitive information over the public API (exception is task-sdk API).
This is a meta-issue describing what needs to be done. Sub-issues are created to complete the work.
This means:
-
we want to make it crystal clear that no APIs ever expose sensitive data
-
we should remove export (import can stay) via UI - and leave a
comment that export is only available via local CLI
-
the "sensitive data not exposed over API" is also present in
airflow-ctl - this means that airflow-ctl should never expose
sensitive data (including connections, variables, config, export)
-
the "expose config" [5] - will only accept "false" and
"non-sensitive-only". The "true" will be rejected.
There is also an impact to local CLI, even if local CLI user has
access to all data anyway:
-
local CLI * list (connections, variables, config) only by default
returns "keys" - and it will only return values when --show-values
is passed as command line option (with clear comment in help that this
option might show sensitive data, also when we do * list command
without --show-values we emit stderr output explaining that
potentially sensitive data is hidden and you need to specify
--show-values to see them
-
the local CLI * get commands are unaffected (those are more likely
already used as CLI API
-
we remove connections list --conn-id as it is equivalent to connections get
Committer
Body
We agreed via LAZY CONSENSUS that we will not espose sensitive information over the public API (exception is task-sdk API).
This is a meta-issue describing what needs to be done. Sub-issues are created to complete the work.
This means:
we want to make it crystal clear that no APIs ever expose sensitive data
we should remove export (import can stay) via UI - and leave a
comment that export is only available via local CLI
the "sensitive data not exposed over API" is also present in
airflow-ctl - this means that airflow-ctl should never expose
sensitive data (including connections, variables, config, export)
the "expose config" [5] - will only accept "false" and
"non-sensitive-only". The "true" will be rejected.
There is also an impact to local CLI, even if local CLI user has
access to all data anyway:
local CLI * list (connections, variables, config) only by default
returns "keys" - and it will only return values when
--show-valuesis passed as command line option (with clear comment in help that this
option might show sensitive data, also when we do
* listcommandwithout
--show-valueswe emit stderr output explaining thatpotentially sensitive data is hidden and you need to specify
--show-valuesto see themthe local CLI * get commands are unaffected (those are more likely
already used as CLI API
we remove connections list --conn-id as it is equivalent to connections get
Committer