This is an automated email from the ASF dual-hosted git repository. ephraimanierobi pushed a commit to branch v2-8-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit e2ec0b83d362ccf5975892f943b0ba9e0491629d Author: Jarek Potiuk <[email protected]> AuthorDate: Sun Feb 25 15:09:05 2024 +0100 Update security model to clarify Connection Editing user's capabilities (#37688) While we already mentioned and explained in a number of places that connection editing is dangerous, we should explicitly mention that misconfiguring of connections might lead to RCE situations and that this is not preventable - and that connection editing users should be highly trusted. (cherry picked from commit 8658c22f4b6523debfe1882d4bdc078abb4a1df3) --- docs/apache-airflow/security/security_model.rst | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/apache-airflow/security/security_model.rst b/docs/apache-airflow/security/security_model.rst index 5dd21a31be..2e0f156dfc 100644 --- a/docs/apache-airflow/security/security_model.rst +++ b/docs/apache-airflow/security/security_model.rst @@ -121,9 +121,12 @@ They configure connections and potentially execute code on workers during DAG ex required to prevent misuse of these privileges. They have full access to sensitive credentials stored in connections and can modify them. Access to sensitive information through connection configuration -should be trusted not to be abused. They also have the ability to -create a Webserver Denial of Service situation and should be trusted -not to misuse this capability. +should be trusted not to be abused. They also have the ability to configure connections wrongly +that might create a Webserver Denial of Service situations and specify insecure connection options +which might create situations where executing DAGs will lead to arbitrary Remote Code Execution +for some providers - either community released or custom ones. + +Those users should be highly trusted not to misuse this capability. Audit log users ...............
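Review bot: the added doc sentence "configure connections wrongly that might create a Webserver Denial of Service situations" mixes singular and plural and reads awkwardly; suggest "configure connections in a way that creates Webserver Denial of Service situations, and to specify insecure connection options that can lead to arbitrary Remote Code Execution when DAGs execute, for some providers (community-released or custom)". The closing line "Those users should be highly trusted not to misuse this capability." now follows two distinct capabilities (DoS and RCE), so "these capabilities" fits better. The commit message also states that the RCE outcome "is not preventable", which is the key point for operators, but that statement does not appear in the new RST text; consider adding one sentence saying explicitly that Airflow cannot prevent it and that trust in connection-editing users is the only control.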
