Add the section describing the security model of DAG Author capabilities #36022
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
potiuk
requested review from
ashb,
bolkedebruin,
dstandish,
eladkal,
ephraimbuddy,
hussein-awala,
jedcunningham,
jscheffl,
kaxil,
mhenc,
o-nikolas,
pankajastro,
pankajkoti,
pierrejeambrun,
uranusjr,
vikramkoka and
vincbeck
hussein-awala
approved these changes
Dec 2, 2023
Member
There was a problem hiding this comment.
I'm working on moving the new priority weight strategy to a plugin, I will update this part once I finish my PR.
Member
Author
There was a problem hiding this comment.
Perfect :) . I was just asking in the original PR #35210
potiuk
force-pushed
the
add-explanation-about-running-dag-author-code-in-scheduler
branch
from
cc4f7b0 to
59e38a7
Compare
jscheffl
approved these changes
Dec 2, 2023
potiuk
force-pushed
the
add-explanation-about-running-dag-author-code-in-scheduler
branch
from
dafefdf to
e231047
Compare
pankajkoti
approved these changes
Dec 4, 2023
This change codifies and explains assumptions and decisions made by Airflow maintainers with regards to capabilities of DAG Authors. While DAG authors are pretty powerful and capable actors in Airflow, they cannot do everything and Deployment Managers haw ways to restrict their potential capabilities, especially in the context of influencing other tasks and common components such as Scheduler, Webserver and Triggerer. This PR adds a chapter explaining those assumptions and decisions and tell the Deployment Managers what responsibilities they have with that regardsm and what mechanismes they currently have available to limit capabilities of DAG Authors.
Co-authored-by: Pankaj Koti <pankajkoti699@gmail.com>
Co-authored-by: Pankaj Koti <pankajkoti699@gmail.com>
potiuk
force-pushed
the
add-explanation-about-running-dag-author-code-in-scheduler
branch
from
c2aa0ba to
f11afb8
Compare
Member
Author
|
I will merge it as is now, and we can update it later @hussein-awala :) |
potiuk
deleted the
add-explanation-about-running-dag-author-code-in-scheduler
branch
ephraimbuddy
pushed a commit
that referenced
this pull request
Dec 5, 2023
…ies (#36022) * Add the section describing the security model of DAG Author capabilities This change codifies and explains assumptions and decisions made by Airflow maintainers with regards to capabilities of DAG Authors. While DAG authors are pretty powerful and capable actors in Airflow, they cannot do everything and Deployment Managers haw ways to restrict their potential capabilities, especially in the context of influencing other tasks and common components such as Scheduler, Webserver and Triggerer. This PR adds a chapter explaining those assumptions and decisions and tell the Deployment Managers what responsibilities they have with that regardsm and what mechanismes they currently have available to limit capabilities of DAG Authors. * Update docs/apache-airflow/security/security_model.rst Co-authored-by: Pankaj Koti <pankajkoti699@gmail.com> * Update docs/apache-airflow/security/security_model.rst Co-authored-by: Pankaj Koti <pankajkoti699@gmail.com> --------- Co-authored-by: Pankaj Koti <pankajkoti699@gmail.com> (cherry picked from commit 395ac46)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change codifies and explains assumptions and decisions made by Airflow maintainers with regards to capabilities of DAG Authors.
While DAG authors are pretty powerful and capable actors in Airflow, they cannot do everything and Deployment Managers have ways to restrict their potential capabilities, especially in the context of influencing other tasks and common components such as Scheduler, Webserver and Triggerer.
This PR adds a chapter explaining those assumptions and decisions and tell the Deployment Managers what responsibilities they have with that regards and what mechanisms they currently have available to limit capabilities of DAG Authors.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in newsfragments.