Extend DEFAULT_SENSITIVE_FIELDS with webhook_url, bearer, dsn, auth_header, service_key #66673
DEFAULT_SENSITIVE_FIELDS is the allowlist used by the secrets masker
for masking Variables and Connection extras. Several common field
names used by official Airflow providers and standard HTTP/database
configurations are not in the allowlist.
This commit adds five field names commonly used in connection extras
and provider configurations:
- webhook_url — Slack provider webhook URL key
- bearer — HTTP bearer-token auth key
- dsn — database connection strings (which typically embed
credentials, e.g. postgres://user:pass@host/db)
- auth_header — custom HTTP auth header values
- service_key — service-account-like keys
Related: airflow-s/airflow-s#377
Generated-by: Claude Opus 4.7 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
amoghrajesh
left a comment
Thanks for adding this.
One thing worth considering is that providers already declare which extra fields are sensitive via "format": "password" in provider.yaml conn-fields and ProvidersManager already tracks this as is_sensitive=True on each ConnectionFormWidgetInfo. If we can get the secrets masker to read that and add it in, this whole process could be automated.
That way any provider that correctly declares a password field gets it masked automatically, without needing manual additions to the core allowlist.
This can be in a follow-up PR, right @amoghrajesh?
amoghrajesh
left a comment
Totally, rest for follow up
Backport successfully created: v3-2-test
Note: As of Merging PRs targeted for Airflow 3.X In matter of doubt please ask in #release-management Slack channel.
…eld names (apache#66673)
DEFAULT_SENSITIVE_FIELDS is the allowlist used by the secrets masker for masking Variables and Connection extras. Several common field names used by official Airflow providers and standard HTTP/database configurations are not in the allowlist.
This commit adds five field names commonly used in connection extras and provider configurations:
- webhook_url — Slack provider webhook URL key
- bearer — HTTP bearer-token auth key
- dsn — database connection strings (which typically embed credentials, e.g. postgres://user:pass@host/db)
- auth_header — custom HTTP auth header values
- service_key — service-account-like keys
Related: airflow-s/airflow-s#377
(cherry picked from commit 32ac8ad)
Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
Generated-by: Claude Opus 4.7 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
…eld names (#66673) (#66991)
DEFAULT_SENSITIVE_FIELDS is the allowlist used by the secrets masker for masking Variables and Connection extras. Several common field names used by official Airflow providers and standard HTTP/database configurations are not in the allowlist.
This commit adds five field names commonly used in connection extras and provider configurations:
- webhook_url — Slack provider webhook URL key
- bearer — HTTP bearer-token auth key
- dsn — database connection strings (which typically embed credentials, e.g. postgres://user:pass@host/db)
- auth_header — custom HTTP auth header values
- service_key — service-account-like keys
Related: https://github.com/airflow-s/airflow-s/issues/377
(cherry picked from commit 32ac8ad)
Generated-by: Claude Opus 4.7 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
DEFAULT_SENSITIVE_FIELDS is the allowlist used by the secrets masker for
masking Variables and Connection extras. Several common field names used by
official Airflow providers and standard HTTP/database configurations are
not in the allowlist.
This PR adds five field names commonly used in connection extras and
provider configurations:
- webhook_url — Slack provider webhook URL key
- bearer — HTTP bearer-token auth key
- dsn — database connection strings (which typically embed credentials, e.g. postgres://user:pass@host/db)
- auth_header — custom HTTP auth header values
- service_key — service-account-like keys
The matcher uses case-insensitive substring matching, so e.g.
bearer covers Bearer, bearer_token, auth_bearer, etc.
Related: https://github.com/airflow-s/airflow-s/issues/377
Test plan
- uv run --project shared/secrets_masker pytest shared/secrets_masker/tests/ -xvs — secrets-masker tests pass
- should_hide_value_for_key(name) returns True for each of the five new field names plus substring variants (WEBHOOK_URL, slack_webhook_url, auth_bearer, AUTH_HEADER, custom_auth_header, my_service_key)
Was generative AI tooling used to co-author this PR?
Generated-by: Claude Opus 4.7 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
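The case-insensitive substring matching from the PR description, together with the review comment's follow-up idea of collecting names from fields declared with "format": "password", as an added example that is not Airflow's own code. `build_matcher`, `redact`, `declared_password_fields` and all sample data are hypothetical, and the conn-fields layout shown is an assumption.

```python
import re

# The five names this PR adds (from the PR description). Entries already in
# Airflow's list are deliberately left out of this stand-alone model.
NEW_FIELDS = ("webhook_url", "bearer", "dsn", "auth_header", "service_key")


def build_matcher(fields):
    """Return a case-insensitive substring matcher over the given key names."""
    pattern = re.compile("|".join(re.escape(f) for f in fields), re.IGNORECASE)
    return lambda key: isinstance(key, str) and bool(pattern.search(key))


def redact(value, is_sensitive, placeholder="***"):
    """Mask every value stored under a sensitive key, recursing into nesting."""
    if isinstance(value, dict):
        return {
            k: placeholder if is_sensitive(k) else redact(v, is_sensitive, placeholder)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v, is_sensitive, placeholder) for v in value]
    return value


def declared_password_fields(conn_fields):
    """Names of fields declared with format "password" (assumed layout)."""
    return sorted(
        name for name, spec in conn_fields.items()
        if spec.get("schema", {}).get("format") == "password"
    )


if __name__ == "__main__":
    is_sensitive = build_matcher(NEW_FIELDS)
    extra = {  # constructed connection-extra sample, placeholder values only
        "slack_webhook_url": "https://hooks.example.invalid/placeholder",
        "http": {"AUTH_HEADER": "placeholder-value", "retries": 3},
        "conn_string": "postgres://user:pass@host/db",
    }
    print(redact(extra, is_sensitive))

    declared = {  # constructed stand-in for one provider's conn-fields
        "signing_material": {"schema": {"type": "string", "format": "password"}},
        "region": {"schema": {"type": "string"}},
    }
    extended = build_matcher(NEW_FIELDS + tuple(declared_password_fields(declared)))
    print(is_sensitive("signing_material"), extended("SIGNING_MATERIAL"))
```

Name-based matching cuts both ways: a key such as conn_string stays unmasked by name even when its value embeds credentials, while an unrelated key such as cloudsnap_id is masked because it contains dsn.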