pierrejeambrun opened a new pull request, #53943: URL: https://github.com/apache/airflow/pull/53943
closes: https://github.com/apache/airflow/issues/52301 How it works: For connection, 'password' and 'extras' are merged with their original value when doing an update. The function works similarly to the `redact` function, it will recursively handle all sort of data types and detect sensitive values that were not modified in the 'new_value' and then restore the value from the unredacted previous value. See the warning note: <img width="957" height="670" alt="Screenshot 2025-07-30 at 19 34 42" src="https://github.com/user-attachments/assets/47415058-7ec6-47c5-a57e-e8213433036c"; /> <img width="933" height="801" alt="Screenshot 2025-07-30 at 19 34 48" src="https://github.com/user-attachments/assets/9e503490-b243-4cad-b888-71134e561532"; /> After adding a key 'new_key' to the extra and saving this is what we get in the UI: <img width="1055" height="845" alt="Screenshot 2025-07-30 at 19 35 44" src="https://github.com/user-attachments/assets/57a092e4-b154-46b2-9187-b599e80bfda1"; /> And from the CLI we can see that both password, and extra redacted field were preserved: <img width="1886" height="186" alt="Screenshot 2025-07-30 at 19 36 10" src="https://github.com/user-attachments/assets/70df3ba2-039f-4f5d-99ca-fa25cafe3ffb"; /> The only downside is that we cannot 'insert' a real '***' for redacted value because this is how we detect that the value didn't change. I think it's a fair limitation, '***' shouldn't never be a valid value for a sensitive field anyway. @ashb is working on a follow up PR to instead use unicode characters that looks like '***' but are not, to make it even less likely that it will be blocking for users. (They would have to chose a very weird value for their secret). Another example, it also handle well arrays: <img width="1102" height="721" alt="Screenshot 2025-07-30 at 19 38 58" src="https://github.com/user-attachments/assets/becdd7e1-ef62-4ce1-8f3e-fc477bf17e7d"; /> <img width="1077" height="914" alt="Screenshot 2025-07-30 at 19 39 14" src="https://github.com/user-attachments/assets/1717a557-bbd3-4b63-90bc-db8acd249777"; /> password1 and password3 value in the array are retained. <img width="1896" height="240" alt="Screenshot 2025-07-30 at 19 39 31" src="https://github.com/user-attachments/assets/ecb406ac-4af9-4f2c-97ca-27ca0f80c9a0"; /> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
