Dev-iL commented on code in PR #60278:
URL: https://github.com/apache/airflow/pull/60278#discussion_r2677482790
##########
task-sdk/src/airflow/sdk/execution_time/task_runner.py:
##########
@@ -755,6 +755,46 @@ def parse(what: StartupDetails, log: Logger) ->
RuntimeTaskInstance:
# 3. Shutdown and report status
+def _check_bundle_permissions_for_impersonation(
+ bundle_instance: BaseDagBundle, run_as_user: str, log:
structlog.stdlib.BoundLogger
+) -> None:
+ """
+ Check if bundle directories have appropriate permissions for user
impersonation.
+
+ When tasks run as a different user via run_as_user, the bundle directories
and
+ files need to be accessible by that user. This function warns if the
permissions
+ don't appear to allow group access, which is typically needed for
impersonation.
+
+ :param bundle_instance: The bundle instance to check
+ :param run_as_user: The user that the task will run as
+ :param log: Logger instance for warnings
+ """
+ import stat
+
+ try:
+ bundle_path = bundle_instance.path
+ if not bundle_path.exists():
+ return
+
+ st = bundle_path.stat()
+ mode = st.st_mode
+
+ # Check if group-readable and group-executable (for directories)
+ if not (mode & stat.S_IRGRP) or (bundle_path.is_dir() and not (mode &
stat.S_IXGRP)):
Review Comment:
Agreed - there are multiple ways to grant permissions and the current check
is too specific. We can move the check to after impersonation and use
`os.access()` to fail fast with a clear error message.
The AI suggested the following helper method:
```python
def _verify_bundle_access_after_impersonation(
bundle_instance: BaseDagBundle, log: structlog.stdlib.BoundLogger
) -> None:
"""
Verify bundle is accessible after user impersonation.
Called AFTER switching to the impersonated user to ensure the bundle
is actually accessible. This is better than pre-checking permissions
because it works with any permission scheme (ACLs, SELinux, etc.).
:param bundle_instance: The bundle instance to check
:param log: Logger instance
: raises: AirflowException if bundle is not accessible
"""
import os
from airflow.exceptions import AirflowException
try:
bundle_path = bundle_instance.path
# Actually try to access the bundle
if not os.access(bundle_path, os.R_OK):
raise AirflowException(
f"Bundle path {bundle_path} is not readable by user
{os.getlogin()}. "
f"When using run_as_user with DAG bundles, ensure bundle
directories "
f"are accessible. Options:\n"
f"1. Use group permissions: Set bundle files/dirs to
group-readable "
f" and ensure Airflow user and impersonated users share a
group\n"
f"2. Configure bundle permissions in airflow.cfg:\n"
f" [dag_processor]\n"
f" dag_bundle_new_folder_permissions = 0o775\n"
f" dag_bundle_new_file_permissions = 0o664\n"
f"3. Use ACLs or other filesystem permissions mechanisms\n"
f"See: https://airflow.apache.org/docs/.
../dag-bundles-impersonation. html"
)
if bundle_path.is_dir() and not os.access(bundle_path, os.X_OK):
raise AirflowException(
f"Bundle path {bundle_path} is not executable by user
{os.getlogin()}. "
f"Directories need execute permission to access their
contents. "
f"See:
https://airflow.apache.org/docs/.../dag-bundles-impersonation.html";
)
except AirflowException:
raise
except Exception as e:
log.warning(f"Could not verify bundle access after impersonation:
{e}")
```
How does that sound?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
