fzhsbc commented on code in PR #18278: URL: https://github.com/apache/dolphinscheduler/pull/18278#discussion_r3331448766
########## docs/docs/en/contribute/backend/spi/task.md: ########## @@ -15,3 +15,15 @@ In additional, the `TaskChannelFactory` extends from `PrioritySPI`, this means y Since the task plug-in involves the front-end page, the front-end SPI has not yet been implemented, so you need to implement the front-end page corresponding to the plug-in separately. If there is a class conflict in the task plugin, you can use [Shade-Relocating Classes](https://maven.apache.org/plugins/maven-shade-plugin/) to solve this problem. + +#### Runtime credentials for task plugins + +Some task plugins need to access external systems using short-lived credentials. A plugin should avoid storing long-lived credentials in task parameters and should avoid printing credentials in task logs. + +Recommended practice: + +- Use the task execution context, such as project, workflow, task instance, data source, tenant, and worker group, when requesting runtime credentials from an external authorization service. +- Pass short-lived credentials to the task process through environment variables or temporary files with restricted file permissions. +- Mask sensitive values before logging command lines, environment variables, or generated configuration files. +- Remove temporary credential files after task completion or cancellation. +- Keep external data authorization in the external system. DolphinScheduler should provide task context and execution lifecycle, while the external system validates and enforces data permissions. Review Comment: Thanks for the feedback. The motivation was a real deployment pattern where DolphinScheduler tasks need short-lived credentials for external systems, while the DolphinScheduler tenant is only the execution/resource identity and should not be described as the fine-grained authorization principal for those systems. That said, I agree the added SPI guidance may be too broad for this page and can look unrelated without a concrete task plugin implementation. I can narrow this PR to only clarify the tenant/security boundary in the security guide, and remove the task SPI additions if that is the preferred scope. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
