kcphila opened a new issue #17735: URL: https://github.com/apache/airflow/issues/17735
I'm highlighting the line of the code at issue.

When the base_task_runner prepares to execute the task, it opens a temporary error file AND passes the error file name into the task. This temp file is created with default permissions based on the airflow worker, so usually **airflow**.

When the task is then run as another user (via `run_as_user='me'`), _and the task fails_, the task attempts to handle the failure by opening and writing to the error file within the subprocess, which is running as the subordinate user and not as the airflow user. This leads to a permission error on the attempt to open, and before the error email is sent out, which is particularly bad because **when the task fails, no one is notified**.

We've temporarily gotten around this by inserting a chmod in line 88. This is a temporary error file that is deleted when the task goes out of scope, and so, while ugly and inelegant, this is a simple way to avoid the identified problem and probably not a security risk.

```
87 self._error_file = NamedTemporaryFile(delete=True)
+ os.chmod(self._error_file.name, 0o777)
88 self._cfg_path = cfg_path
```

Alternatively, it looks like there are few uses of the error file by the worker, and that the worker does not write to it. It is possible that the only use is in airflow.jobs.LocalTaskJob following task failure. An alternative solution would be to generate the temp error filename without actually creating the file, passing it to the subprocess as a parameter, and then opening and reading the file if it exists following task failure.

https://github.com/apache/airflow/blob/e107891e65432bf1ba1200c2ca744892db6622d5/airflow/task/task_runner/base_task_runner.py#L87
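Review bot: the added `os.chmod(self._error_file.name, 0o777)` opens the error file to every local account with read, write and execute, which is wider than the stated need of letting the `run_as_user` account open and write it. Execute bits serve no purpose on a data file, and world-write lets any local user alter or truncate the content that is read back after task failure. Consider giving access to the target user only (owner or group of the file) and, at minimum, dropping the execute bits; a short comment on the line explaining why the mode is changed would also help.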
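Why the open fails for the subordinate user and what each mode change exposes, as an added example (not Airflow's code and not the reporter's): it evaluates the error file's owner and mode bits for a second account. The task account's uid and gid are constructed values, `can_write` and `describe` are hypothetical helpers that ignore ACLs and root, and the last case assumes the task user has been placed in the file's group.

```python
import os
import stat
from tempfile import NamedTemporaryFile


def can_write(st, uid, gids):
    """Classic Unix check: exactly one of owner/group/other decides."""
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def describe(path, uid, gids):
    """Summarise who can reach the error file at its current mode."""
    st = os.stat(path)
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "task_user_can_write": can_write(st, uid, gids),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
        "has_exec_bits": bool(st.st_mode & exec_bits),
    }


def walk_through():
    results = {}
    with NamedTemporaryFile(delete=True) as error_file:
        path = error_file.name
        st = os.stat(path)
        # Constructed task account: not the owner, not in the file's group.
        task_uid, task_gids = st.st_uid + 1, {st.st_gid + 1}

        # As created by the worker: owner-only, so the task user is refused.
        results["default"] = describe(path, task_uid, task_gids)
        # The workaround from the issue: works, but for every local account.
        os.chmod(path, 0o777)
        results["chmod_0o777"] = describe(path, task_uid, task_gids)
        # Dropping exec bits alone still leaves the file world-writable.
        os.chmod(path, 0o666)
        results["chmod_0o666"] = describe(path, task_uid, task_gids)
        # Assumption: task user shares the file's group; no access for others.
        os.chmod(path, 0o660)
        results["group_0o660"] = describe(path, task_uid, {st.st_gid})
    return results


if __name__ == "__main__":
    for name, info in walk_through().items():
        print(name, info)
```
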