Clarify our security model for sensitive connection information (#54088)

potiuk · web-flow · commit f5a88d97eb79 · 2025-08-04T18:41:01.000+02:00
The #53973 introduced a change in the model of handling of the sensitive connection data in the Airlfow UI. Previoiusly our agreed model included capability of reading sensitive data bu the users who have Connection Configuraiton role. However in 3.0.4 we changeed the model so that those users have "write-only" access - they can write the sensitive data, but they cannot read the data via API or the UI once it is written. WHile not a security vulnerability on it's own, it's a security improvement that allows to mitigate some scenarios, especially when connection editing user credentials are stolen. This PR clarifies the model and properly communicates it to the users clearly indicating the difference implemented in 3.0.4 and the model of our security and clearly explaining that before 3.0.4 that was a delibearate choice of the model that the connection editing users had access to the sensitive data.
diff --git a/airflow-core/docs/security/security_model.rst b/airflow-core/docs/security/security_model.rst
@@ -115,16 +115,25 @@ Connection configuration users
 ..............................
 
 They configure connections and potentially execute code on workers during DAG execution. Trust is
-required to prevent misuse of these privileges. They have full access
-to sensitive credentials stored in connections and can modify them.
-Access to sensitive information through connection configuration
+required to prevent misuse of these privileges. They have full write-only access
+to sensitive credentials stored in connections and can modify them, but cannot view them.
+Access to write sensitive information through connection configuration
 should be trusted not to be abused. They also have the ability to configure connections wrongly
 that might create a API Server Denial of Service situations and specify insecure connection options
 which might create situations where executing dags will lead to arbitrary Remote Code Execution
 for some providers - either community released or custom ones.
 
 Those users should be highly trusted not to misuse this capability.
 
+.. note::
+
+   Before Airflow 3, the **Connection configuration users** role had also access to view the sensitive information this has
+   been changed in Airflow 3 to improve security of the accidental spilling of credentials of the connection configuration
+   users. Previously - in Airflow 2 - the **Connection configuration users** had deliberately access to view the
+   sensitive information and could either reveal it by using Inspect capabilities of the browser or they were plain visible in
+   case of the sensitive credentials stored in configuration extras. Airflow 3 and later versions include security
+   improvement to mask those sensitive credentials at the API level.
+
 Audit log users
 ...............
 
