Subham-KRLX opened a new issue, #60125: URL: https://github.com/apache/airflow/issues/60125
### Description The Execution API has authentication but no authorization - tasks can access ANY variable, connection, or XCom. Three TODO placeholders need implementation to enforce team-based access control. ### Use case/motivation **Security Problem:** Any authenticated task can currently access resources from any team because [has_variable_access()](cci:1://file:///Users/subhamsangwan/airflow/airflow-core/src/airflow/api_fastapi/execution_api/routes/variables.py:32:0-46:15), [has_connection_access()](cci:1://file:///Users/subhamsangwan/airflow/airflow-core/src/airflow/api_fastapi/execution_api/routes/connections.py:29:0-41:15), and [has_xcom_access()](cci:1://file:///Users/subhamsangwan/airflow/airflow-core/src/airflow/api_fastapi/execution_api/routes/xcoms.py:40:0-59:15) always return True. **What I want to achieve:** - Tasks should only access variables/connections from their DAG's team - Tasks should only access XComs from their own DAG run - Proper authorization checks in Execution API (similar to Core API) **Affected files:** - `airflow/api_fastapi/execution_api/routes/variables.py:40` - `airflow/api_fastapi/execution_api/routes/connections.py:35` - `airflow/api_fastapi/execution_api/routes/xcoms.py:50` **Proposed solution:** 1. Extract task's DAG from JWT token 2. Verify resource's team matches DAG's team 3. Allow global resources (no team) 4. Backward compatible with feature flag **Benefits:** - Security: Resource isolation - Multi-team: Team boundaries enforced - Compliance: Audit trail for access ### Related issues No ### Are you willing to submit a PR? - [x] Yes I am willing to submit a PR! ### Code of Conduct - [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
