Clarifying PLUGINS_FOLDER permissions by DAG authors (apache#43022)
amoghrajesh authored Oct 15, 2024
1 parent 6c9c327 commit c471c31
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion docs/apache-airflow/security/security_model.rst
Expand Up @@ -212,12 +212,15 @@ DAG author to choose the code that will be executed in the scheduler or webserve
should not be arbitrary code that DAG author can add in DAG folder. All those functionalities are
only available via ``plugins`` and ``providers`` mechanisms where the code that is executed can only be
provided by installed packages (or in case of plugins it can also be added to PLUGINS folder where DAG
authors should not have write access to). PLUGINS FOLDER is a legacy mechanism coming from Airflow 1.10
authors should not have write access to). PLUGINS_FOLDER is a legacy mechanism coming from Airflow 1.10
- but we recommend using entrypoint mechanism that allows the Deployment Manager to - effectively -
choose and register the code that will be executed in those contexts. DAG Author has no access to
install or modify packages installed in Webserver and Scheduler, and this is the way to prevent
the DAG Author to execute arbitrary code in those processes.

Additionally, if you decide to utilize and configure the PLUGINS_FOLDER, it is essential for the Deployment
Manager to ensure that the DAG author does not have write access to this folder.

The Deployment Manager might decide to introduce additional control mechanisms to prevent DAG authors from
executing arbitrary code. This is all fully in hands of the Deployment Manager and it is discussed in the
following chapter.
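
Review bot: The added paragraph ("Additionally, if you decide to utilize and configure the PLUGINS_FOLDER ...") repeats the requirement already given in the parenthetical a few lines earlier ("PLUGINS folder where DAG authors should not have write access to") and still does not say why it matters. Consider merging the two into one statement that names the consequence the surrounding text already describes: code placed in that folder is executed in the scheduler or webserver, so write access there would let a DAG author run arbitrary code in those processes. The rename is also incomplete, since the unchanged context line still reads "PLUGINS folder" while the changed line and the new paragraph use "PLUGINS_FOLDER". Because this file marks ``plugins`` and ``providers`` as literals, ``PLUGINS_FOLDER`` should probably get the same markup.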