Clarifying PLUGINS_FOLDER permissions by DAG authors (#43022) (#43029)

(cherry picked from commit c471c31) Co-authored-by: Amogh Desai <[email protected]>
apache · Oct 23, 2024 · c4ad3a0 · c4ad3a0
1 parent b9ac9f0
commit c4ad3a0
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/docs/apache-airflow/security/security_model.rst b/docs/apache-airflow/security/security_model.rst
@@ -212,12 +212,15 @@ DAG author to choose the code that will be executed in the scheduler or webserve
 should not be arbitrary code that DAG author can add in DAG folder. All those functionalities are
 only available via ``plugins`` and ``providers`` mechanisms where the code that is executed can only be
 provided by installed packages (or in case of plugins it can also be added to PLUGINS folder where DAG
-authors should not have write access to). PLUGINS FOLDER is a legacy mechanism coming from Airflow 1.10
+authors should not have write access to). PLUGINS_FOLDER is a legacy mechanism coming from Airflow 1.10
 - but we recommend using entrypoint mechanism that allows the Deployment Manager to - effectively -
 choose and register the code that will be executed in those contexts. DAG Author has no access to
 install or modify packages installed in Webserver and Scheduler, and this is the way to prevent
 the DAG Author to execute arbitrary code in those processes.
 
+Additionally, if you decide to utilize and configure the PLUGINS_FOLDER, it is essential for the Deployment
+Manager to ensure that the DAG author does not have write access to this folder.
+
 The Deployment Manager might decide to introduce additional control mechanisms to prevent DAG authors from
 executing arbitrary code. This is all fully in hands of the Deployment Manager and it is discussed in the
 following chapter.