[ADAP-851] [Regression] debug outputs sensitive information

[dataders]

Is this a regression in a recent version of dbt-bigquery?

• I believe this is a regression in dbt-bigquery functionality
• I have searched the existing issues, and I could not find an existing issue for this regression

Current Behavior

related: dbt-labs/dbt-snowflake#754

this change was introduced in #754 (core PR: dbt-labs/dbt-core#7741) and landed in version 1.6.0

dbt debug will return the following profile target attributes if the user has them in their profile:

• token
• client_secret
• keyfile_json

The solution is to modify BigQueryCredentials._connection_keys() (see below)

dbt-bigquery/dbt/adapters/bigquery/connections.py

Lines 174 to 194 in d7fb235

	def _connection_keys(self):
	return (
	"method",
	"database",
	"execution_project",
	"schema",
	"location",
	"priority",
	"maximum_bytes_billed",
	"impersonate_service_account",
	"job_retry_deadline_seconds",
	"job_retries",
	"job_creation_timeout_seconds",
	"job_execution_timeout_seconds",
	"keyfile",
	"keyfile_json",
	"timeout_seconds",
	"token",
	"refresh_token",
	"client_id",
	"client_secret",

._connection_keys() context

our Building a new Adapter: editing the connection manager stipulates

the Credentials’ _connection_keys method […] will return the keys that should be displayed in the output of the dbt debug command. As a general rule, it’s good to return all the arguments used in connecting to the actual database except the password (even optional arguments).

longer-term solution?

potential 2.0 work item would be to invert that current pattern and have a place to define sensitive keys that should not be printed to stdout, and by default include all others?

Expected/Previous Behavior

dbt debug will not print sensitive connection information to stdout

Steps To Reproduce

1. use dbt-bigquery version 1.6.0.
2. have a sensitive-field that isn't password defined.
3. execute dbt debug