potiuk opened a new pull request, #66563: URL: https://github.com/apache/airflow/pull/66563
## Summary `SimpleAuthManager` is dev-only by design — it stores passwords in plaintext JSON, prints generated passwords to stdout/logs on first init, and provides no rotation mechanism. The class docstring says so, but nothing prevents an operator from configuring it (or leaving it as the default) in a production deployment, where the password leak becomes a real exposure. Add a heuristic check at `init()` time: if any of the following are true, the deployment shape suggests production and we emit a `log.warning`: - The SQL backend is not sqlite (Postgres or MySQL is configured). - The API host is bound to a non-local address. - The configured executor is not a Local-/Sequential-/Debug-/InProcessExecutor. None of these are conclusive on their own — a developer can configure any combination locally — but the cumulative signal is strong enough that a loud warning in startup logs is worth the false-positive cost. The warning is non-blocking; it does not refuse to start. Tests parametrise `_looks_like_production()` over each axis and assert the warning fires (or doesn't) end-to-end through `init()`. ## Reported by L3 ASVS sweep — apache/tooling-agents#23 (FINDING-039). --- ##### Was generative AI tooling used to co-author this PR? - [X] Yes — Claude Code (Opus 4.7) Generated-by: Claude Code (Opus 4.7) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
