From ff1b06356a06c99641d12837eeb046ea3d1cc405 Mon Sep 17 00:00:00 2001 From: Amogh Desai Date: Tue, 15 Oct 2024 15:10:52 +0530 Subject: [PATCH] Clarifying PLUGINS_FOLDER permissions by DAG authors (#43022) (cherry picked from commit c471c31111958f0a4dde775f559d5c606f3149a8) --- docs/apache-airflow/security/security_model.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/apache-airflow/security/security_model.rst b/docs/apache-airflow/security/security_model.rst index 0181710bda9dc..ebe1b35c54fab 100644 --- a/docs/apache-airflow/security/security_model.rst +++ b/docs/apache-airflow/security/security_model.rst @@ -212,12 +212,15 @@ DAG author to choose the code that will be executed in the scheduler or webserve should not be arbitrary code that DAG author can add in DAG folder. All those functionalities are only available via ``plugins`` and ``providers`` mechanisms where the code that is executed can only be provided by installed packages (or in case of plugins it can also be added to PLUGINS folder where DAG -authors should not have write access to). PLUGINS FOLDER is a legacy mechanism coming from Airflow 1.10 +authors should not have write access to). PLUGINS_FOLDER is a legacy mechanism coming from Airflow 1.10 - but we recommend using entrypoint mechanism that allows the Deployment Manager to - effectively - choose and register the code that will be executed in those contexts. DAG Author has no access to install or modify packages installed in Webserver and Scheduler, and this is the way to prevent the DAG Author to execute arbitrary code in those processes. +Additionally, if you decide to utilize and configure the PLUGINS_FOLDER, it is essential for the Deployment +Manager to ensure that the DAG author does not have write access to this folder. + The Deployment Manager might decide to introduce additional control mechanisms to prevent DAG authors from executing arbitrary code. This is all fully in hands of the Deployment Manager and it is discussed in the following chapter.