This is an automated email from the ASF dual-hosted git repository.

vatsrahul1001 pushed a commit to branch v3-2-test
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/v3-2-test by this push:
     new 74c1be67036 [v3-2-test] Warn against world-accessible Kerberos ccache default in docs (#66557) (#67085)
74c1be67036 is described below

commit 74c1be67036aacc8b2db5b4543cdb486e304a568
Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Mon May 18 11:31:57 2026 +0530

    [v3-2-test] Warn against world-accessible Kerberos ccache default in docs (#66557) (#67085)
    
    The Kerberos integration docs ship a default ccache path of
    `/tmp/airflow_krb5_ccache`, which sits in a world-readable directory on
    most Unix systems and would let any other local user on the host read
    or modify the Airflow service principal's credential cache.
    
    Add a warning recommending a non-world-accessible directory (a per-service
    runtime dir like `/run/airflow/krb5_ccache` or a private user-scoped
    location) and `chmod 0700` on the parent — mirroring the guidance the
    docs already give for the keytab.
    
    Reported by the L3 ASVS sweep at apache/tooling-agents#23 (FINDING-175).
    (cherry picked from commit da03584282c2e708c655c55fc07ccf9490a38a62)
    
    Co-authored-by: Jarek Potiuk <[email protected]>
---
 airflow-core/docs/security/kerberos.rst | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/airflow-core/docs/security/kerberos.rst 
b/airflow-core/docs/security/kerberos.rst
index 38c77d5a66c..6de9b65e161 100644
--- a/airflow-core/docs/security/kerberos.rst
+++ b/airflow-core/docs/security/kerberos.rst
@@ -91,6 +91,16 @@ If you need more granular options for your Kerberos ticket 
the following options
     # This is particularly useful if you use Airflow inside a VM NATted behind 
host system IP.
     include_ip = True
 
+.. warning::
+
+    The default ``ccache`` location ``/tmp/airflow_krb5_ccache`` is in a 
world-readable directory on most
+    Unix systems, which means other local users on the same host could read or 
modify the Kerberos
+    credential cache and impersonate the Airflow service principal. In 
production deployments, point
+    ``ccache`` at a directory only the Airflow service account can access — 
for example a per-service
+    runtime directory like ``/run/airflow/krb5_ccache`` (or 
``/var/lib/airflow/krb5_ccache``) created
+    with mode ``0700`` and owned by the Airflow user. Apply the same principle 
as the keytab, which
+    should already be ``chmod 600``.
+
 Keep in mind that Kerberos ticket are generated via ``kinit`` and will your 
use your local ``krb5.conf`` by default.
 
 Launch the ticket renewer by
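
Review bot: In the added warning, "world-readable directory" is not the property that makes ``/tmp/airflow_krb5_ccache`` risky: ``/tmp`` is world-writable, and whether another user can read the cache depends on the file's own mode, so the exposure is a fixed, predictable file name in a directory where any local user can create entries. Suggest wording it as "world-writable shared directory" and stating the expected mode of the ccache file itself, since the text gives ``0700`` for the directory and ``chmod 600`` for the keytab but nothing for the cache file. Because ``/run`` is usually a tmpfs that is cleared at boot, the ``/run/airflow/krb5_ccache`` example should also say that the directory has to be recreated with the right owner and mode at service start. The trailing context line "Keep in mind that Kerberos ticket are generated via ``kinit`` and will your use your local" still carries its typos and could be fixed in the same change.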
