This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new c471c31111 Clarifying PLUGINS_FOLDER permissions by DAG authors (#43022)
c471c31111 is described below
commit c471c31111958f0a4dde775f559d5c606f3149a8
Author: Amogh Desai <[email protected]>
AuthorDate: Tue Oct 15 15:10:52 2024 +0530
Clarifying PLUGINS_FOLDER permissions by DAG authors (#43022)
---
docs/apache-airflow/security/security_model.rst | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/docs/apache-airflow/security/security_model.rst
b/docs/apache-airflow/security/security_model.rst
index 0181710bda..ebe1b35c54 100644
--- a/docs/apache-airflow/security/security_model.rst
+++ b/docs/apache-airflow/security/security_model.rst
@@ -212,12 +212,15 @@ DAG author to choose the code that will be executed in
the scheduler or webserve
should not be arbitrary code that DAG author can add in DAG folder. All those
functionalities are
only available via ``plugins`` and ``providers`` mechanisms where the code
that is executed can only be
provided by installed packages (or in case of plugins it can also be added to
PLUGINS folder where DAG
-authors should not have write access to). PLUGINS FOLDER is a legacy mechanism
coming from Airflow 1.10
+authors should not have write access to). PLUGINS_FOLDER is a legacy mechanism
coming from Airflow 1.10
- but we recommend using entrypoint mechanism that allows the Deployment
Manager to - effectively -
choose and register the code that will be executed in those contexts. DAG
Author has no access to
install or modify packages installed in Webserver and Scheduler, and this is
the way to prevent
the DAG Author to execute arbitrary code in those processes.
+Additionally, if you decide to utilize and configure the PLUGINS_FOLDER, it is
essential for the Deployment
+Manager to ensure that the DAG author does not have write access to this
folder.
+
The Deployment Manager might decide to introduce additional control mechanisms
to prevent DAG authors from
executing arbitrary code. This is all fully in hands of the Deployment Manager
and it is discussed in the
following chapter.
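
Review bot: The sentence added at the end of the paragraph ("Additionally, if you decide to utilize and configure the PLUGINS_FOLDER ...") repeats the restriction that the parenthetical a few lines above already states ("PLUGINS folder where DAG authors should not have write access to"), and that parenthetical keeps the old spelling while the line right after it was changed to PLUGINS_FOLDER. Suggest updating the parenthetical to the same spelling so the paragraph names the folder one way, and marking the name as a literal with double backticks, as ``plugins`` and ``providers`` already are in this paragraph. The new sentence also writes "DAG author" where the neighbouring sentences use "DAG Author"; one form should be used throughout. Because this is the security model page, the added sentence would be stronger if it said why the restriction matters in the paragraph's own terms: code placed in that folder is executed in the scheduler and webserver, which is exactly what a DAG Author must not be able to influence.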