The GitHub Actions job "Tests (AMD)" on airflow.git/backport-992e602-v3-2-test has failed. Run started by GitHub user potiuk (triggered by potiuk).
Head commit for run: 44e9afe0aa17208eaa75aa11b53e9f37a111f5bf / Jarek Potiuk <[email protected]> [v3-2-test] Apply per-file authorization to dag-source endpoint (#67662) * Apply per-file authorization to dag-source endpoint A single source file can define multiple Dags. The /dagSources/{dag_id} endpoint previously returned the file's full source code as soon as the caller had CODE access to dag_id, even when the caller was not authorized to read every other Dag defined in the same file. Apply the same per-file authorization overlay already used by the import-errors endpoint (apache/airflow#65329): enumerate the Dags sharing the (relative_fileloc, bundle_name) of the requested Dag, intersect with the caller's readable Dag set, and redact the source when any co-located Dag is not readable. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * Document per-file authorization boundary for dag-source endpoint Add a Security Model subsection that describes the per-Dag read scope the dag-source retrieval endpoint enforces, and the known limitation around historical-version retrieval: the per-Dag scope is evaluated against the current file membership, which may differ from the file's contents at the time the requested version was stored. Deployments that rely on per-Dag read scoping for source isolation should keep one Dag per source file, or restrict DagAccessEntity.CODE accordingly. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> --------- (cherry picked from commit 992e602015b5e9a3fd297e18047cff9d85094c95) Co-authored-by: Jarek Potiuk <[email protected]> Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]> Report URL: https://github.com/apache/airflow/actions/runs/26993304507 With regards, GitHub Actions via GitBox --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
