This is an automated email from the ASF dual-hosted git repository.
eladkal pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 09b8b06c54 Add "security infrastructure" paragraph to security model
(#34301)
09b8b06c54 is described below
commit 09b8b06c54d54efde8750dcdc0983b391c01cd2b
Author: Jarek Potiuk <[email protected]>
AuthorDate: Tue Sep 12 12:19:19 2023 +0200
Add "security infrastructure" paragraph to security model (#34301)
Making clear that Deployment Manager is responsible for setting up
the right infrastructure to apply some security expectations that
organisations might have when deploying applications on premises
or in their clouds.
---
docs/apache-airflow/security/security_model.rst | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/docs/apache-airflow/security/security_model.rst
b/docs/apache-airflow/security/security_model.rst
index 0e22674acb..4030bf1c9f 100644
--- a/docs/apache-airflow/security/security_model.rst
+++ b/docs/apache-airflow/security/security_model.rst
@@ -98,7 +98,21 @@ For more information on the capabilities of authenticated UI
users, see :doc:`/s
Responsibilities of Deployment Managers
---------------------------------------
-Deployment Managers determine access levels and must understand the potential
+Deployment Managers are responsible for deploying airflow and make it
accessible to the users
+in the way that follows best practices of secure deployment applicable to the
organization where
+Airflow is deployed. This includes but is not limited to:
+
+* protecting communication using TLS/VPC and whatever network security is
required by the organization
+ that is deploying Airflow
+* applying rate-limiting and other forms of protections that is usually
applied to web applications
+* applying authentication and authorization to the web application so that
only known and authorized
+ users can have access to Airflow
+* any kind of detection of unusual activity and protection against it
+
+Airflow does not implement any of those feature natively, and delegates it to
the deployment managers
+to deploy all the necessary infrastructure to protect the deployment - as
external infrastructure components.
+
+Deployment Managers also determine access levels and must understand the
potential
damage users can cause. Some Deployment Managers may further limit
access through fine-grained privileges for the **Authenticated UI
users**. However, these limitations are outside the basic Airflow's
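Review bot: The added sentence "Airflow does not implement any of those feature natively" applies to the whole bullet list, including "applying authentication and authorization to the web application", yet the unchanged paragraph right after it refers to fine-grained privileges for the Authenticated UI users. A reader cannot tell which controls must come from external infrastructure and which come from Airflow itself. Consider scoping the sentence to the items that are actually delegated, or saying how the external authentication layer relates to those UI privileges. The added lines also need a wording pass: "deploying airflow and make it accessible" should read "deploying Airflow and making it accessible", "protections that is usually applied" should be "that are usually applied", "any of those feature" should be "features", and "TLS/VPC" would be clearer if transport encryption and network isolation were named separately.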