This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch v3-0-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/v3-0-test by this push:
new 30f51d3969f [v3-0-test] Clarify our security model for sensitive
connection information (#54088) (#54100)
30f51d3969f is described below
commit 30f51d3969f60854dcd07bd50e7d7753a0bf1d37
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Mon Aug 4 19:22:09 2025 +0200
[v3-0-test] Clarify our security model for sensitive connection information
(#54088) (#54100)
The #53973 introduced a change in the model of handling of the
sensitive connection data in the Airlfow UI. Previoiusly our agreed
model included capability of reading sensitive data bu the users who
have Connection Configuraiton role. However in 3.0.4 we changeed the
model so that those users have "write-only" access - they can write
the sensitive data, but they cannot read the data via API or the UI
once it is written. WHile not a security vulnerability on it's own,
it's a security improvement that allows to mitigate some scenarios,
especially when connection editing user credentials are stolen.
This PR clarifies the model and properly communicates it to the users
clearly indicating the difference implemented in 3.0.4 and the model
of our security and clearly explaining that before 3.0.4 that was a
delibearate choice of the model that the connection editing users
had access to the sensitive data.
(cherry picked from commit f5a88d97eb791194a5bad66a1c5021abdd1fb775)
Co-authored-by: Jarek Potiuk <[email protected]>
---
airflow-core/docs/security/security_model.rst | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/airflow-core/docs/security/security_model.rst
b/airflow-core/docs/security/security_model.rst
index 3aed408cab5..78f0090336c 100644
--- a/airflow-core/docs/security/security_model.rst
+++ b/airflow-core/docs/security/security_model.rst
@@ -115,9 +115,9 @@ Connection configuration users
..............................
They configure connections and potentially execute code on workers during DAG
execution. Trust is
-required to prevent misuse of these privileges. They have full access
-to sensitive credentials stored in connections and can modify them.
-Access to sensitive information through connection configuration
+required to prevent misuse of these privileges. They have full write-only
access
+to sensitive credentials stored in connections and can modify them, but cannot
view them.
+Access to write sensitive information through connection configuration
should be trusted not to be abused. They also have the ability to configure
connections wrongly
that might create a API Server Denial of Service situations and specify
insecure connection options
which might create situations where executing dags will lead to arbitrary
Remote Code Execution
@@ -125,6 +125,15 @@ for some providers - either community released or custom
ones.
Those users should be highly trusted not to misuse this capability.
+.. note::
+
+ Before Airflow 3, the **Connection configuration users** role had also
access to view the sensitive information this has
+ been changed in Airflow 3 to improve security of the accidental spilling of
credentials of the connection configuration
+ users. Previously - in Airflow 2 - the **Connection configuration users**
had deliberately access to view the
+ sensitive information and could either reveal it by using Inspect
capabilities of the browser or they were plain visible in
+ case of the sensitive credentials stored in configuration extras. Airflow 3
and later versions include security
+ improvement to mask those sensitive credentials at the API level.
+
Audit log users
...............
