This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch v2-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/v2-10-test by this push:
     new fa2cec5f305 Clarifying PLUGINS_FOLDER permissions by DAG authors 
(#43022) (#43029)
fa2cec5f305 is described below

commit fa2cec5f3052377a0ea474ea05d838e90fbe3bfd
Author: Jarek Potiuk <[email protected]>
AuthorDate: Wed Oct 16 19:47:49 2024 +0200

    Clarifying PLUGINS_FOLDER permissions by DAG authors (#43022) (#43029)
    
    (cherry picked from commit c471c31111958f0a4dde775f559d5c606f3149a8)
    
    Co-authored-by: Amogh Desai <[email protected]>
---
 docs/apache-airflow/security/security_model.rst | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/apache-airflow/security/security_model.rst 
b/docs/apache-airflow/security/security_model.rst
index 0181710bda9..ebe1b35c54f 100644
--- a/docs/apache-airflow/security/security_model.rst
+++ b/docs/apache-airflow/security/security_model.rst
@@ -212,12 +212,15 @@ DAG author to choose the code that will be executed in 
the scheduler or webserve
 should not be arbitrary code that DAG author can add in DAG folder. All those 
functionalities are
 only available via ``plugins`` and ``providers`` mechanisms where the code 
that is executed can only be
 provided by installed packages (or in case of plugins it can also be added to 
PLUGINS folder where DAG
-authors should not have write access to). PLUGINS FOLDER is a legacy mechanism 
coming from Airflow 1.10
+authors should not have write access to). PLUGINS_FOLDER is a legacy mechanism 
coming from Airflow 1.10
 - but we recommend using entrypoint mechanism that allows the Deployment 
Manager to - effectively -
 choose and register the code that will be executed in those contexts. DAG 
Author has no access to
 install or modify packages installed in Webserver and Scheduler, and this is 
the way to prevent
 the DAG Author to execute arbitrary code in those processes.
 
+Additionally, if you decide to utilize and configure the PLUGINS_FOLDER, it is 
essential for the Deployment
+Manager to ensure that the DAG author does not have write access to this 
folder.
+
 The Deployment Manager might decide to introduce additional control mechanisms 
to prevent DAG authors from
 executing arbitrary code. This is all fully in hands of the Deployment Manager 
and it is discussed in the
 following chapter.
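
Review bot: the added paragraph ("Additionally, if you decide to utilize and configure the PLUGINS_FOLDER ...") repeats the requirement already stated in the parenthetical a few lines up ("PLUGINS folder where DAG authors should not have write access to"), and the hunk leaves two spellings of the same name. The unchanged context line still reads "PLUGINS folder", while the changed line and the new paragraph read "PLUGINS_FOLDER". Suggest renaming the context-line mention as well and marking the name as a literal, the way ``plugins`` and ``providers`` are marked in the same paragraph, so a reader can tell it refers to a setting. Consider folding the new sentence into the existing parenthetical instead of restating it, and pick one of "DAG author" / "DAG Author", since the hunk uses both.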
