This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new 1dc6ba0558 Clarify that DAG authors can also run code in DAG File 
Processor (#33920)
1dc6ba0558 is described below

commit 1dc6ba05581dba349f0b81163263ad6b0fa18b06
Author: Jarek Potiuk <[email protected]>
AuthorDate: Wed Aug 30 19:54:11 2023 +0200

    Clarify that DAG authors can also run code in DAG File Processor (#33920)
    
    * Clarify that DAG authors can also run code in DAG File Processor
    
    Small addition to our security model - it was not entirely clear
    that DAG authors can also execute code in DAG File Processor and
    that DAG File Processor can be run in standalone mode effectively
    physically separating machines where scheduler is run and where
    the code modified by DAG authors gets parsed.
    
    
    Co-authored-by: Ephraim Anierobi <[email protected]>
---
 docs/apache-airflow/security/security_model.rst | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/docs/apache-airflow/security/security_model.rst 
b/docs/apache-airflow/security/security_model.rst
index addb69e882..0e22674acb 100644
--- a/docs/apache-airflow/security/security_model.rst
+++ b/docs/apache-airflow/security/security_model.rst
@@ -41,9 +41,13 @@ varying access and capabilities:
    model.
 
 2. **DAG Authors**: They can upload, modify, and delete DAG files. The
-   code in DAG files is executed on workers. Therefore, DAG authors can create
-   and change code executed on workers and potentially access the credentials
-   that DAG code uses to access external systems. DAG Authors have full access
+   code in DAG files is executed on workers and in the DAG File Processor. Note
+   that in the simple deployment configuration, parsing DAGs is executed as
+   a subprocess of the Scheduler process, but with Standalone DAG File 
Processor
+   deployment managers might separate parsing DAGs from the Scheduler process.
+   Therefore, DAG authors can create and change code executed on workers
+   and the DAG File Processor and potentially access the credentials that the 
DAG
+   code uses to access external systems. DAG Authors have full access
    to the metadata database and internal audit logs.
 
 3. **Authenticated UI users**: They have access to the UI and API. See below
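Review bot: The added "Note that in the simple deployment configuration..." sentence stops short of the consequence that matters for the security model: when parsing runs as a subprocess of the Scheduler process, code written by DAG authors executes on the same machine as the Scheduler. The "Therefore" sentence that follows names only workers and the DAG File Processor, so a reader can miss this. Consider saying it explicitly, and presenting the Standalone DAG File Processor as the way to keep that code off the Scheduler machine, as the commit message already describes. A smaller point in the same sentence: "with Standalone DAG File Processor deployment managers might separate" needs a comma after "Processor". Without it, the text reads as if "Standalone DAG File Processor deployment managers" were a role.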
