Skip to content

Docs: Clarify that masking in Connection 'extra' JSON is keyword-dependent #58515

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
amoghrajesh merged 4 commits into from
Nov 26, 2025
Merged

Docs: Clarify that masking in Connection 'extra' JSON is keyword-dependent #58515

amoghrajesh merged 4 commits into from
Nov 26, 2025

Conversation

@varaprasadregani
Copy link
Contributor

@varaprasadregani varaprasadregani commented Nov 20, 2025

Description

This PR updates the Masking Sensitive Data documentation to clarify that keys in a Connection's extra JSON field are not masked automatically unless they contain specific sensitive keywords.

Reason for Change:
Currently, the documentation states: "Airflow will by default mask Connection passwords and keys from a Connection’s extra (JSON) field..."
This implies that all keys in the extra field are masked by default, which is misleading. In reality, masking is triggered only if the key name contains a substring from the default sensitive keyword list (e.g., password, secret, token).

Changes in this PR:

  1. Updated Default Masking Text: Explicitly states that masking depends on the key name containing a sensitive keyword.
  2. Added Keyword List: Explicitly lists the default keywords (access_token, api_key, passphrase, etc.) so users know exactly what triggers the masking.
  3. Added Examples Table: Added a table demonstrating the masking behavior across different scopes (Logs, UI, Rendered Templates) to differentiate between Connection extra JSON behavior and Variable behavior.

closes: #58514

@boring-cyborg
Copy link

boring-cyborg bot commented Nov 20, 2025

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst)
Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example DAG that shows how users should use it.
  • Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
    Apache Airflow is a community-driven project and together we are making it better 🚀.
    In case of doubts contact the developers at:
    Mailing List: dev@airflow.apache.org
    Slack: https://s.apache.org/airflow-slack

@varaprasadregani varaprasadregani marked this pull request as ready for review November 21, 2025 06:29
@rawwar rawwar self-assigned this Nov 21, 2025
@rawwar rawwar requested a review from amoghrajesh November 21, 2025 09:17
amoghrajesh
amoghrajesh reviewed Nov 24, 2025
View reviewed changes
amoghrajesh
amoghrajesh reviewed Nov 24, 2025
View reviewed changes
@potiuk potiuk force-pushed the docs/masking-sensitive-data branch from bd6c2fb to 435871c Compare November 26, 2025 00:44
@amoghrajesh amoghrajesh modified the milestone: Airflow 3.1.4 Nov 26, 2025
@amoghrajesh amoghrajesh merged commit d0fa904 into apache:main Nov 26, 2025
64 checks passed
@boring-cyborg
Copy link

boring-cyborg bot commented Nov 26, 2025

Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions.

Copilot AI pushed a commit to jason810496/airflow that referenced this pull request Dec 5, 2025
@varaprasadregani @amoghrajesh
Docs: Clarify that masking in Connection 'extra' JSON is keyword-depe…
223f3e4 
…ndent (apache#58515)

Co-authored-by: Amogh Desai <amoghrajesh1999@gmail.com>

* Refactor import statements to use the airflow.sdk.log for mask_secret function

---------

Co-authored-by: Amogh Desai <amoghrajesh1999@gmail.com>
itayweb pushed a commit to itayweb/airflow that referenced this pull request Dec 6, 2025
@varaprasadregani @amoghrajesh @itayweb
Docs: Clarify that masking in Connection 'extra' JSON is keyword-depe…
00c670c 
…ndent (apache#58515)

Co-authored-by: Amogh Desai <amoghrajesh1999@gmail.com>

* Refactor import statements to use the airflow.sdk.log for mask_secret function

---------

Co-authored-by: Amogh Desai <amoghrajesh1999@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@potiuk potiuk potiuk approved these changes

@amoghrajesh amoghrajesh amoghrajesh approved these changes

Assignees

@varaprasadregani varaprasadregani

Labels

area:secrets kind:documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Docs: Clarify that masking in Connection 'extra' JSON is keyword-dependent

4 participants

@varaprasadregani @potiuk @amoghrajesh @rawwar