kcphila opened a new issue #17735:
URL: https://github.com/apache/airflow/issues/17735
I'm highlighting the line of the code at issue. When the base_task_runner
prepares to execute the task, it opens a temporary error file AND passes the
error file name into the task. This temp file is created with default
permissions based on the airflow worker, so usually **airflow**.
When the task is then run as another user (via `run_as_user='me'`), _and
the task fails_, the task attempts to handle the failure by opening and writing
to the error file within the subprocess, which is running as the subordinate
user and not as the airflow user. This leads to a permission error on the
attempt to open, and before the error email is sent out, which is particularly
bad because **when the task fails, no one is notified**.
We've temporarily gotten around this by inserting a chmod in line 88. This
is a temporary error file that is deleted when the task goes out of scope, and
so, while ugly and inelegant, this is a simple way to avoid the identified
problem and probably not a security risk.
```
87 self._error_file = NamedTemporaryFile(delete=True)
+ os.chmod(self._error_file.name, 0o777)
88 self._cfg_path = cfg_path
```
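Review bot: the added `os.chmod(self._error_file.name, 0o777)` line grants read, write and execute on the error file to every local account, which is wider than the case described needs: only the `run_as_user` account has to write the file and the worker has to read it. Drop the execute bits at minimum (0o666), or preferably hand ownership of the file to the run-as user and keep the mode restrictive, and add a comment on that line saying why the permissions are changed.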
Alternatively, it looks like there are few uses of the error file by the
worker, and that the worker does not write to it. It is possible that the only
use is in airflow.jobs.LocalTaskJob following task failure. An alternative
solution would be to generate the temp error filename without actually creating
the file, passing it to the subprocess as a parameter, and then opening and
reading the file if it exists following task failure.
https://github.com/apache/airflow/blob/e107891e65432bf1ba1200c2ca744892db6622d5/airflow/task/task_runner/base_task_runner.py#L87
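A sketch of the alternative described in the issue (reserve a name, let the subprocess create the file, read it only if it exists), written as an added example and not taken from Airflow's code. The names `make_error_path`, `read_error_file` and `MAX_ERROR_BYTES` are hypothetical, and it assumes a POSIX worker. It goes one step beyond the issue text by reserving the name inside a private directory and checking the file before reading, because the content is written by a less privileged account.

```python
import os
import stat
import tempfile

MAX_ERROR_BYTES = 1 << 20  # assumed cap on how much of the error file is read


def make_error_path(parent=None):
    """Reserve a path for the error file without creating the file itself.

    The name sits inside a fresh mkdtemp() directory (owner-only access), so
    no other account can pre-create or swap it. Giving the run-as user write
    access to that directory (chown, needs privileges) is left to the caller.
    """
    task_dir = tempfile.mkdtemp(prefix="task-error-", dir=parent)
    return os.path.join(task_dir, "error")


def read_error_file(path, expected_uid):
    """Return the error file's bytes, or None if the task never wrote one.

    Raises PermissionError unless the path is a regular file owned by
    expected_uid (the uid the task ran as).
    """
    # O_NOFOLLOW refuses a symlink as the final component;
    # O_NONBLOCK keeps a FIFO planted at the path from blocking the worker.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except FileNotFoundError:
        return None  # task succeeded or died before writing anything
    except OSError as exc:  # e.g. ELOOP when the path is a symlink
        raise PermissionError(f"refusing to open {path}: {exc}") from exc
    try:
        info = os.fstat(fd)  # inspect the opened object, not the name
        if not stat.S_ISREG(info.st_mode):
            raise PermissionError(f"{path} is not a regular file")
        if info.st_uid != expected_uid:
            raise PermissionError(f"{path} is owned by uid {info.st_uid}")
        with os.fdopen(fd, "rb", closefd=False) as handle:
            return handle.read(MAX_ERROR_BYTES)
    finally:
        os.close(fd)
```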