This is an automated email from the ASF dual-hosted git repository.

vatsrahul1001 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new da03584282c Warn against world-accessible Kerberos ccache default in 
docs (#66557)
da03584282c is described below

commit da03584282c2e708c655c55fc07ccf9490a38a62
Author: Jarek Potiuk <[email protected]>
AuthorDate: Mon May 18 06:32:24 2026 +0200

    Warn against world-accessible Kerberos ccache default in docs (#66557)
    
    The Kerberos integration docs ship a default ccache path of
    `/tmp/airflow_krb5_ccache`, which sits in a world-readable directory on
    most Unix systems and would let any other local user on the host read
    or modify the Airflow service principal's credential cache.
    
    Add a warning recommending a non-world-accessible directory (a per-service
    runtime dir like `/run/airflow/krb5_ccache` or a private user-scoped
    location) and `chmod 0700` on the parent — mirroring the guidance the
    docs already give for the keytab.
    
    Reported by the L3 ASVS sweep at apache/tooling-agents#23 (FINDING-175).
---
 airflow-core/docs/security/kerberos.rst | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/airflow-core/docs/security/kerberos.rst 
b/airflow-core/docs/security/kerberos.rst
index 38c77d5a66c..6de9b65e161 100644
--- a/airflow-core/docs/security/kerberos.rst
+++ b/airflow-core/docs/security/kerberos.rst
@@ -91,6 +91,16 @@ If you need more granular options for your Kerberos ticket 
the following options
     # This is particularly useful if you use Airflow inside a VM NATted behind 
host system IP.
     include_ip = True
 
+.. warning::
+
+    The default ``ccache`` location ``/tmp/airflow_krb5_ccache`` is in a 
world-readable directory on most
+    Unix systems, which means other local users on the same host could read or 
modify the Kerberos
+    credential cache and impersonate the Airflow service principal. In 
production deployments, point
+    ``ccache`` at a directory only the Airflow service account can access — 
for example a per-service
+    runtime directory like ``/run/airflow/krb5_ccache`` (or 
``/var/lib/airflow/krb5_ccache``) created
+    with mode ``0700`` and owned by the Airflow user. Apply the same principle 
as the keytab, which
+    should already be ``chmod 600``.
+
 Keep in mind that Kerberos ticket are generated via ``kinit`` and will your 
use your local ``krb5.conf`` by default.
 
 Launch the ticket renewer by
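
Review bot: In the added warning, the sentence recommending "a per-service runtime directory like ``/run/airflow/krb5_ccache`` ... created with mode ``0700``" reads as if the example path were the directory, but ``ccache`` names the credential cache itself (the default ``/tmp/airflow_krb5_ccache`` sits inside ``/tmp``), and the commit message puts the ``0700`` on the parent. Suggest rewording so the example path is the cache file and ``/run/airflow`` (or ``/var/lib/airflow``) is the directory created with mode ``0700`` and owned by the Airflow user. The first sentence also says "world-readable" while describing a read-or-modify risk; "world-accessible", as in the commit subject, matches that better. The unchanged context line right after the warning ("Kerberos ticket are generated ... will your use your local") has typos that could be fixed in the same change.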
