Re: [PR] Fix connection resolution in CLI by setting server process context in decorators [airflow]

Sun, 25 Jan 2026 04:04:12 -0800 


uplsh580 commented on PR #61036:
URL: https://github.com/apache/airflow/pull/61036#issuecomment-3796514018

   Could you please verify if this approach aligns with the project's long-term 
architectural goals regarding component isolation and database access?
   
   I believe this change is consistent with our future direction for the 
following reasons:
   
   1.  **Administrative Identity**: CLI tools are inherently administrative and 
designed for system management. Even as we move towards greater component 
isolation, these management commands require a 'Server' identity to resolve 
credentials and initialize system components effectively.
   2.  **Architectural Consistency**: This PR utilizes the existing 
`_AIRFLOW_PROCESS_CONTEXT` abstraction defined for Airflow 3. Centralizing this 
setting within the core CLI decorators ensures the correct context is 
established at the initial entry point, preventing early initialization 
failures during bundle validation.
   3.  **Security Isolation**: Importantly, this does not compromise the 
isolation of user code. The actual task execution and DAG parsing remain 
strictly restricted, as the Task SDK's Supervisor and the DAG processor 
explicitly override the context to `client` for child processes to prevent 
inheriting server privileges:
       *   
[airflow-core/src/airflow/dag_processing/processor.py#L180-L183](https://github.com/apache/airflow/blob/0cf89fa362e72898b718fe6ff2fc8caa0b4ba45f/airflow-core/src/airflow/dag_processing/processor.py#L180-L183)
       *   
[task-sdk/src/airflow/sdk/execution_time/supervisor.py#L921-L923](https://github.com/apache/airflow/blob/0cf89fa362e72898b718fe6ff2fc8caa0b4ba45f/task-sdk/src/airflow/sdk/execution_time/supervisor.py#L921-L923)
   
   Your feedback on whether this centralization is the preferred way to handle 
CLI context would be greatly appreciated.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to