This is an automated email from the ASF dual-hosted git repository. ephraimanierobi pushed a commit to branch v2-7-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit a14177141f51c532f27b1e08b7c79e0694b46e9f Author: Jarek Potiuk <[email protected]> AuthorDate: Wed Aug 30 19:54:11 2023 +0200 Clarify that DAG authors can also run code in DAG File Processor (#33920) * Clarify that DAG authors can also run code in DAG File Processor Small addition to our security model - it was not entirely clear that DAG authors can also execute code in DAG File Processor and that DAG File Processor can be run in standalone mode effectively physically separating machines where scheduler is run and where the code modified by DAG authors gets parsed. Co-authored-by: Ephraim Anierobi <[email protected]> (cherry picked from commit 1dc6ba05581dba349f0b81163263ad6b0fa18b06) --- docs/apache-airflow/security/security_model.rst | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/apache-airflow/security/security_model.rst b/docs/apache-airflow/security/security_model.rst index addb69e882..0e22674acb 100644 --- a/docs/apache-airflow/security/security_model.rst +++ b/docs/apache-airflow/security/security_model.rst @@ -41,9 +41,13 @@ varying access and capabilities: model. 2. **DAG Authors**: They can upload, modify, and delete DAG files. The - code in DAG files is executed on workers. Therefore, DAG authors can create - and change code executed on workers and potentially access the credentials - that DAG code uses to access external systems. DAG Authors have full access + code in DAG files is executed on workers and in the DAG File Processor. Note + that in the simple deployment configuration, parsing DAGs is executed as + a subprocess of the Scheduler process, but with Standalone DAG File Processor + deployment managers might separate parsing DAGs from the Scheduler process. + Therefore, DAG authors can create and change code executed on workers + and the DAG File Processor and potentially access the credentials that the DAG + code uses to access external systems. DAG Authors have full access to the metadata database and internal audit logs. 3. **Authenticated UI users**: They have access to the UI and API. See below
