mluscon opened a new issue #21487:
URL: https://github.com/apache/airflow/issues/21487


   ### Apache Airflow version
   
   2.2.3 (latest released)
   
   ### What happened
   
   If the airflow worker process is run under a non-root user and a DAG contains a run_as statement, airflow calls "sudo chmod" during the creation of tmp files. The following code snippet comes from [airflow](https://github.com/apache/airflow/tree/main/airflow)/[task](https://github.com/apache/airflow/tree/main/airflow/task)/[task_runner](https://github.com/apache/airflow/tree/main/airflow/task/task_runner)/base_task_runner.py.
   ```python
   if self.run_as_user and (self.run_as_user != getuser()):
       # We want to include any environment variables now, as we won't
       # want to have to specify them in the sudo call - they would show
       # up in `ps` that way! And run commands now, as the other user
       # might not be able to run the cmds to get credentials
       cfg_path = tmp_configuration_copy(chmod=0o600, include_env=True, include_cmds=True)

       # Give ownership of file to user; only they can read and write
       subprocess.check_call(
           ['sudo', 'chown', self.run_as_user, cfg_path, self._error_file.name], close_fds=True
       )

       # propagate PYTHONPATH environment variable
       pythonpath_value = os.environ.get(PYTHONPATH_VAR, '')
       popen_prepend = ['sudo', '-E', '-H', '-u', self.run_as_user]
   ```
   Calling `sudo chown` in a subprocess actually requires the airflow process user to be able to sudo to root, which defeats the main point of running the airflow worker process as a non-root user. I would therefore propose allowing run_as_user read and write access by setting the facl attributes of the tmp file accordingly.
   
   Would you be willing to accept a PR addressing this issue via setfacl?
   
   ### What you expected to happen
   
   _No response_
   
   ### How to reproduce
   
   _No response_
   
   ### Operating System
   
   Linux
   
   ### Versions of Apache Airflow Providers
   
   _No response_
   
   ### Deployment
   
   Docker-Compose
   
   ### Deployment details
   
   _No response_
   
   ### Anything else
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [X] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   
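The ACL-based alternative the issue proposes, sketched as an added example that is not Airflow's code and not from the issue author. It assumes the `setfacl`/`getfacl` binaries (the `acl` package) are installed and that the temp directory's filesystem supports POSIX ACLs; the function names are hypothetical. The point it demonstrates is that the worker can keep the file at mode 0600 and still grant `run_as_user` read/write without any `sudo`, because the file's owner may edit its ACL unprivileged, whereas `chown` to another user needs CAP_CHOWN (effectively root).

```python
import getpass
import os
import stat
import subprocess
import tempfile


def build_acl_command(path: str, user: str) -> list:
    """Command that grants `user` read/write on `path` through a POSIX ACL.

    Deliberately no `sudo` prefix: the calling process owns the file, and an
    owner may modify its ACL without extra privilege. (Hypothetical helper.)
    """
    return ["setfacl", "-m", f"u:{user}:rw-", path]


def write_private_copy(contents: bytes, suffix: str = ".cfg") -> str:
    """Create a temp file readable/writable only by its owner (mode 0600).

    Stands in for tmp_configuration_copy(chmod=0o600, ...): the file never
    exists with looser permissions than 0600, so the credentials it carries
    are not exposed to other local users even briefly.
    """
    fd, path = tempfile.mkstemp(suffix=suffix)  # mkstemp already uses 0600
    try:
        os.fchmod(fd, 0o600)  # belt and braces: pin the mode explicitly
        os.write(fd, contents)
    finally:
        os.close(fd)
    return path


def owner_only_mode(path: str) -> bool:
    """True when the file's permission bits are exactly 0600."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def grant_run_as_user_access(path: str, user: str) -> bool:
    """Grant `user` rw on `path` via setfacl; raises RuntimeError on failure.

    Failure modes a deployment should surface clearly: the acl tools are
    missing, the user does not exist, or the filesystem has ACLs disabled.
    """
    cmd = build_acl_command(path, user)
    try:
        subprocess.run(cmd, check=True, close_fds=True, capture_output=True)
    except FileNotFoundError:
        raise RuntimeError("setfacl not found; install the 'acl' package")
    except subprocess.CalledProcessError as exc:
        raise RuntimeError(
            f"setfacl failed ({exc.returncode}): {exc.stderr.decode(errors='replace').strip()}"
        )
    return True


def show_acl(path: str) -> str:
    """Return the file's ACL as getfacl prints it, for auditing the result."""
    out = subprocess.run(
        ["getfacl", "--omit-header", path], capture_output=True, text=True, check=True
    )
    return out.stdout


if __name__ == "__main__":
    # Constructed sample config; granting access to ourselves is a harmless demo.
    cfg = write_private_copy(b"[core]\nsql_alchemy_conn = sqlite:////tmp/demo.db\n")
    try:
        print("mode is 0600:", owner_only_mode(cfg))
        print("command:", " ".join(build_acl_command(cfg, getpass.getuser())))
        try:
            grant_run_as_user_access(cfg, getpass.getuser())
            print(show_acl(cfg))
        except RuntimeError as err:
            print("could not apply ACL:", err)
    finally:
        os.remove(cfg)
```

Two operational caveats follow from the design: `setfacl -m u:USER:rw-` also sets the ACL mask, so a later plain `chmod` on the file can silently narrow the effective rights, and the error file passed to `chown` in the original snippet needs the same treatment as the config copy. The `sudo -u run_as_user` used to launch the task itself is unchanged by this; only the file-ownership step stops needing root.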

