Dev-iL commented on code in PR #60278: URL: https://github.com/apache/airflow/pull/60278#discussion_r2679474726
########## task-sdk/src/airflow/sdk/execution_time/task_runner.py: ##########
@@ -755,6 +755,46 @@ def parse(what: StartupDetails, log: Logger) -> RuntimeTaskInstance:
 # 3. Shutdown and report status
+def _check_bundle_permissions_for_impersonation(
+ bundle_instance: BaseDagBundle, run_as_user: str, log: structlog.stdlib.BoundLogger
+) -> None:
+ """
+ Check if bundle directories have appropriate permissions for user impersonation.
+
+ When tasks run as a different user via run_as_user, the bundle directories and
+ files need to be accessible by that user. This function warns if the permissions
+ don't appear to allow group access, which is typically needed for impersonation.
+
+ :param bundle_instance: The bundle instance to check
+ :param run_as_user: The user that the task will run as
+ :param log: Logger instance for warnings
+ """
+ import stat
+
+ try:
+ bundle_path = bundle_instance.path
+ if not bundle_path.exists():
+ return
+
+ st = bundle_path.stat()
+ mode = st.st_mode
+
+ # Check if group-readable and group-executable (for directories)
+ if not (mode & stat.S_IRGRP) or (bundle_path.is_dir() and not (mode & stat.S_IXGRP)):
Review Comment:
Robustified via `os.access()`.
--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
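Review bot: The condition on the last quoted line tests only the group bits of `bundle_path`, so it never relates the mode to `run_as_user`: it does not confirm that the user belongs to the owning group (`st.st_gid`), and it ignores the owner and other bits. The warning can therefore fire on a path the impersonated user can read and stay silent on one it cannot. Choosing the permission class from the target user's identity (via `pwd.getpwnam` and `os.getgrouplist`) before testing the bits would make the warning reflect what the task process will actually be allowed to do, and avoids nudging operators toward looser modes than they need. Only the bundle root is examined, so a restrictive parent directory would still go unnoticed. The `try:` body continues outside the hunk, so whether a `KeyError` from an unknown user would be handled is not visible here.

```python
        # … unchanged: docstring, bundle_path lookup and existence check …
        st = bundle_path.stat()
        mode = st.st_mode

        # Pick the permission class that applies to run_as_user, not to the current process.
        pw = pwd.getpwnam(run_as_user)
        if st.st_uid == pw.pw_uid:
            read_bit, exec_bit = stat.S_IRUSR, stat.S_IXUSR
        elif st.st_gid in os.getgrouplist(run_as_user, pw.pw_gid):
            read_bit, exec_bit = stat.S_IRGRP, stat.S_IXGRP
        else:
            read_bit, exec_bit = stat.S_IROTH, stat.S_IXOTH

        if not (mode & read_bit) or (bundle_path.is_dir() and not (mode & exec_bit)):
```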
