omkhar opened a new pull request, #67397:
URL: https://github.com/apache/airflow/pull/67397

   Supplements #66718 (which clarified `WorkerQueuesBase.team_name` is an 
experimental hint).
   
   Defense-in-depth for the experimental edge3 multi-team feature. Worker 
`team_name` is currently sent in request bodies only and trusted by the server. 
This PR binds `team_name` into the JWT at issue time and rejects requests where 
the body's `team_name` disagrees with the JWT's. Legacy pre-team-claim workers 
(no `team_name` claim in the JWT) keep the current body-only path for backwards 
compatibility.
   
   ### What changes
   - `worker_api/auth.py` — include `team_name` in the issued JWT claims at 
registration; `jwt_token_authorization` returns the validated payload (with the 
JWT-bound `team_name`) for downstream comparison.
   - `worker_api/routes/jobs.py`, `worker_api/routes/worker.py` — compare 
`body.team_name` to the JWT-bound `team_name`; reject with 403 on mismatch; 
fall back to body-only when no JWT claim (legacy backcompat).
   - `cli/api_client.py` — small alignment so the worker-side path produces a 
`team_name` consistent with what the server now binds.
   - Tests: 4-case validation in `test_jobs.py` / `test_worker.py` —
     1. Cross-team rejected (403).
     2. JWT team used when body omits `team_name`.
     3. Legitimate match succeeds.
     4. Legacy backcompat path (no JWT claim) still works.
   
   ### What does NOT change
   The Execution API's team-isolation contract is unchanged. It remains 
documented as experimental and is not enforced cross-team — see 
`airflow-core/docs/security/workload.rst` section "No team-level isolation in 
Execution API (experimental multi-team feature)". This PR closes a specific 
JWT-vs-body-mismatch gap ahead of the future team-isolation work referenced in 
that document.
   
   No new APIs, no behavior change for single-team / no-team setups, no schema 
migrations.
   
   ### Notes
   - Sibling to #66718 (docstring + cross-ref alignment). The two are 
independent merges; #66718 has already merged at `cb2aaf4`.
   - Branch is behind main; happy to rebase once reviewers have eyes on it.
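Added example, not Airflow's code or anything from this PR: a stand-alone standard-library sketch of the rule described above, binding `team_name` into an HS256 JWT at issue time and comparing it with the request body on each call, covering the four test cases plus a forged-payload check. `SECRET`, the worker ids, and the function `authorize_request` are constructed for illustration.

```python
"""Sketch of the JWT-bound team_name check (hypothetical, not Airflow's code)."""
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret"  # constructed; real keys come from config


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_worker_token(worker_id: str, team_name: Optional[str]) -> str:
    """Issue an HS256 JWT at registration; bind team_name as a claim when given."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": worker_id, "iat": int(time.time())}
    if team_name is not None:  # legacy workers get no team_name claim at all
        claims["team_name"] = team_name
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def jwt_token_authorization(token: str) -> dict:
    """Verify the signature and return the validated claims, never the raw body."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("invalid signature")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    return json.loads(_unb64(payload))


def authorize_request(token: str, body_team_name: Optional[str]) -> Tuple[int, Optional[str]]:
    """Return (http_status, effective team): JWT claim wins, body must agree,
    legacy tokens without the claim keep the body-only path."""
    try:
        claims = jwt_token_authorization(token)
    except PermissionError:
        return 401, None  # bad signature or alg: reject before any team logic
    jwt_team = claims.get("team_name")
    if jwt_team is None:  # case 4: legacy pre-team-claim worker, trust body
        return 200, body_team_name
    if body_team_name is not None and body_team_name != jwt_team:
        return 403, None  # case 1: body disagrees with the JWT-bound team
    return 200, jwt_team  # cases 2 and 3: body omitted or matching
```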


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
