Copilot commented on code in PR #18278:
URL: 
https://github.com/apache/dolphinscheduler/pull/18278#discussion_r3285302729


##########
docs/docs/en/contribute/backend/spi/task.md:
##########
@@ -15,3 +15,15 @@ In additional, the `TaskChannelFactory` extends from 
`PrioritySPI`, this means y
 Since the task plug-in involves the front-end page, the front-end SPI has not 
yet been implemented, so you need to implement the front-end page corresponding 
to the plug-in separately.
 
 If there is a class conflict in the task plugin, you can use [Shade-Relocating 
Classes](https://maven.apache.org/plugins/maven-shade-plugin/) to solve this 
problem.
+
+#### Runtime credentials for task plugins
+
+Some task plugins need to access external systems using short-lived 
credentials. A plugin should avoid storing long-lived credentials in task 
parameters and should avoid printing credentials in task logs.
+
+Recommended practice:
+
+- Use the task execution context, such as project, workflow, task instance, 
datasource, tenant, and worker group, when requesting runtime credentials from 
an external authorization service.

Review Comment:
   The new bullet uses “datasource”, but other docs typically refer to this 
concept as “data source”. Please standardize the term here (and clarify if you 
mean DolphinScheduler’s DataSource entity vs a generic external data source) to 
avoid ambiguity for plugin authors.
   



##########
docs/docs/en/guide/security/security.md:
##########
@@ -25,6 +25,12 @@ Administrator login, default username/password: 
admin/dolphinscheduler123
 
 ![create-tenant](../../../../img/new_ui/dev/security/create-tenant.png)
 
+### Tenant boundary and external data permissions
+
+The tenant code is used by the Worker as the execution identity, for example 
the Linux user that runs a task process. It is an execution resource boundary 
in DolphinScheduler. Fine-grained permissions for external systems such as 
databases, object stores, data catalogs, or lakehouse tables should be 
validated and enforced by those external systems.
+
+Do not treat the tenant code alone as a user-level data permission principal 
for external systems. If a task needs short-lived external credentials, bind 
those credentials to auditable task context such as the project, workflow, task 
instance, datasource, tenant, and worker group, and avoid storing long-lived 
credentials in task definitions.

Review Comment:
   In this doc, the term is used elsewhere as “data source(s)” (two words). The 
newly added “datasource” in the context list is inconsistent and may confuse 
readers—please standardize the terminology (e.g., “data source” or “data source 
(Datasource)” if referring to the DolphinScheduler entity).
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to