potiuk commented on PR #35591: URL: https://github.com/apache/airflow/pull/35591#issuecomment-2331253067
> @potiuk Maybe we can merge this one for Airflow 3.0.0? Ofc dunno what the implications will be regarding UI as it will not be FAB anymore, but I'm willing to help there also if needed.

I am not opposed, but there is a change that would be required to be backported to Airflow 2 for that one to work (with select field not supported there) and I am not sure if we want to do it **this** way, with FAB components being exposed via connection. I'd say that one looks like a great candidate to implement as "Airflow-3 feature only" once we know what the connection definition will look like for providers in the Airflow 3 react-ui world.

Also there are certain security implications here that we have to be aware of. The "connection configuration user" has a special role in Airflow's security model https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html#connection-configuration-users as such a user can do considerably more "security-related" actions, and some of those actions might be considered "security vulnerabilities" if they can be done by users with lower privileges (RCE, DOS etc. - especially when we have the "Test connection" feature enabled, that is a very, very sensitive subject). So we should be really careful about anything that is exposed to the user who has "connection configuration" permissions.

And I would not like "convenience" to trump "security" here - and by adding more features with back-compatibility with the old "code-bound" mechanism we increase the security attack surface. Adding it in a "declarative based future mechanism", which presumably will be much more secure by design, seems like a better idea.

CC: @jscheffl @bbovenzi @Joffreybvn - WDYT?
