ashb commented on code in PR #66608:
URL: https://github.com/apache/airflow/pull/66608#discussion_r3461091808
##########
airflow-core/src/airflow/api_fastapi/execution_api/routes/connections.py:
##########
@@ -49,15 +54,19 @@ async def has_connection_access(
router = APIRouter(
+ route_class=ExecutionAPIRoute,
responses={status.HTTP_404_NOT_FOUND: {"description": "Connection not
found"}},
- dependencies=[Depends(has_connection_access)],
)
log = logging.getLogger(__name__)
@router.get(
"/{connection_id}",
+ dependencies=[
+ Security(require_auth, scopes=["token:execution", "token:workload"]),
Review Comment:
@seanghaeli I'm sorry I didn't catch this earlier, but this change is
regression on security, so this part at least (if not the entire PR?) needs
reverting.
`token:workload` is essentially used for long-lived tokens (~24hrs) when the
TI is in queued state between the executor Queueing the task, where a worker
calls the ti `/run` endpoint to exchange it for a short lived (5-10mins) token
that has more permissions.
This primary driver for this change was to make the tokens that are visible
via workers (either in the Celery message bus, or in the KE pod spec itself)
only useable once (i.e. can't be replayed, handled by the TI state transiation
requirements) and for a single thing (just for calling the run endpoint)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
