Subham-KRLX opened a new pull request, #60154:
URL: https://github.com/apache/airflow/pull/60154
This PR implements access control for the Execution API, specifically
enforcing authorization for Variables, Connections, and XComs. This ensures
that tasks executing in multi-team environments can only access resources they
are explicitly authorized to use.
Closes: #44120
Motivation: With the introduction of the Execution API and multi-team
support, it is critical to ensure strict isolation between teams and DAG runs.
Previously, tasks might have had broader access than intended. This change adds
a security layer to the API endpoints to verify ownership before returning
sensitive data.
Changes:
Implemented
has_variable_access
to restrict variable access by team.
Implemented
has_connection_access
to restrict connection access by team.
Implemented
has_xcom_access
to restrict XCom access to the specific DAG run and task instance context.
Updated API routes to return 403 Forbidden for unauthorized requests instead
of generic errors or 404 Not Found.
Testing:
Added comprehensive unit tests in
tests/unit/api_fastapi/execution_api/versions/head/test_access_control.py
.
Verified scenarios for:
Authorized access (same team/DAG run).
Unauthorized access (different team/DAG run).
Handling of missing resources vs. unauthorized resources.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
