potiuk commented on code in PR #60278:
URL: https://github.com/apache/airflow/pull/60278#discussion_r2674397652


##########
task-sdk/src/airflow/sdk/execution_time/task_runner.py:
##########
@@ -755,6 +755,46 @@ def parse(what: StartupDetails, log: Logger) -> 
RuntimeTaskInstance:
 # 3. Shutdown and report status
 
 
+def _check_bundle_permissions_for_impersonation(
+    bundle_instance: BaseDagBundle, run_as_user: str, log: 
structlog.stdlib.BoundLogger
+) -> None:
+    """
+    Check if bundle directories have appropriate permissions for user 
impersonation.
+
+    When tasks run as a different user via run_as_user, the bundle directories 
and
+    files need to be accessible by that user. This function warns if the 
permissions
+    don't appear to allow group access, which is typically needed for 
impersonation.
+
+    :param bundle_instance: The bundle instance to check
+    :param run_as_user: The user that the task will run as
+    :param log: Logger instance for warnings
+    """
+    import stat
+
+    try:
+        bundle_path = bundle_instance.path
+        if not bundle_path.exists():
+            return
+
+        st = bundle_path.stat()
+        mode = st.st_mode
+
+        # Check if group-readable and group-executable (for directories)
+        if not (mode & stat.S_IRGRP) or (bundle_path.is_dir() and not (mode & 
stat.S_IXGRP)):
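Review bot: In the `if not (mode & stat.S_IRGRP) or (...)` condition, only the group bits of `bundle_path` are tested, and `run_as_user` does not enter the test in the lines shown: `st.st_uid` and `st.st_gid` are never compared with that user's identity or groups. A bundle that `run_as_user` owns with owner-only permissions would be flagged, while a group-readable bundle whose group the user does not belong to would pass without comment. The docstring also says directories and files need to be accessible, but only the bundle root is stat'ed here. Consider evaluating the permission class that actually applies to `run_as_user`, or testing real access, and moving `import stat` to module level unless the local import is deliberate.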

Review Comment:
   Should we just check if we have permissions there? While there are some 
guidelines on how group/ permissions should look like, there are other ways it 
can be achieved to give those permissions - so I think what we should check 
here is whether we simply have access and error out if we don't rather than 
raise warning. In some cases, it might not be desirable to follow those 
guidelines even if impersonation is used. And in this case users will not be 
able to get rid of this warning. Instead if we can simply check if we 
"actually" have access to those dirs with `os.access()` we can produce a nice 
error message if we don't.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
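The difference between the group-bit test in the hunk and an actual access check, as an added example that is not code from the PR or from Airflow. The helper names, uids, gids and modes are constructed; the class-based model assumes a non-root user and no ACLs, which is exactly the gap `os.access()` closes, since the kernel answers for the calling process's real uid/gid.

```python
import os
import stat

def group_bit_heuristic(mode, is_dir):
    """The hunk's test, inverted: True means no warning would be logged."""
    return bool(mode & stat.S_IRGRP) and (not is_dir or bool(mode & stat.S_IXGRP))

def class_bits_allow(mode, st_uid, st_gid, uid, gids, need_exec):
    """POSIX class selection: owner bits if the uid matches, else group bits
    if one of the user's gids matches, else other bits. Only one class is
    consulted (assumption: non-root user, no ACLs)."""
    if uid == st_uid:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif st_gid in gids:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    return bool(mode & r) and (not need_exec or bool(mode & x))

def compare(mode, st_uid, st_gid, uid, gids, is_dir=True):
    """Return (heuristic_passes, user_really_has_access) for one path."""
    return (group_bit_heuristic(mode, is_dir),
            class_bits_allow(mode, st_uid, st_gid, uid, gids, is_dir))

def current_process_can_read(path):
    """Ask the kernel directly. os.access() uses the real uid/gid of the
    calling process, so it must run as the impersonated user to answer
    for that user; it also reflects ACLs the mode bits cannot show."""
    p = os.fspath(path)
    need = os.R_OK | (os.X_OK if os.path.isdir(p) else 0)
    return os.access(p, need)

# Constructed cases: (label, mode, file uid, file gid, user uid, user gids)
SAMPLES = [
    ("owned by run_as_user, 0700", 0o700, 1001, 2000, 1001, {3000}),
    ("0750, user not in group", 0o750, 1000, 2000, 1001, {3000}),
    ("0750, user in group", 0o750, 1000, 2000, 1001, {2000}),
]

if __name__ == "__main__":
    for label, mode, fuid, fgid, uid, gids in SAMPLES:
        heuristic, real = compare(mode, fuid, fgid, uid, gids)
        print(f"{label}: heuristic_ok={heuristic} real_access={real}")
    print("cwd readable by this process:", current_process_can_read("."))
```

The first sample is a false warning and the second is a missed denial.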
