> That would certainly help a bit, but unfortunately it's not just the 
> packages.  It's the fact that authentication is tied to Python code that can 
> be patched by anyone with permission to execute code on the web server, which 
> in turn would give them access to packages or anything else they'd like.

But in Airflow 2.0 the code provided by "DAG writers" is not executed
any more.  This is entirely gone together with Airflow 1.10.  This has
been handled by DAG serialization, which is the only option available
in 2.0. I do not see how the "Users" could add any code if "Admins"
control the packages that are installed in the webserver. Now if
Admin/User is the only problem then I think this is really a
misunderstanding coming from the pre-DAG-serialization world of Apache
Airflow.

J.
