potiuk opened a new pull request, #67435:
URL: https://github.com/apache/airflow/pull/67435
Catch up the public security documentation to match the security-relevant changes flowing into the 3.2 release branch. Adds six mermaid diagrams and re-aligns prose with the current code.
## What changed in the docs
`airflow-core/docs/security/jwt_token_authentication.rst`:
- 4 mermaid diagrams: components-and-flows overview; symmetric vs asymmetric signing; two-token sequence (Scheduler → executor queue → worker `/run` → refreshed execution token); request-time validation pipeline (signature → standard claims → `TIClaims` schema → `require_auth` scope → `ti:self`).
- Documents typed `TIClaims` Pydantic claims validation (#63604).
- Documents that `/auth/logout` now invokes `auth_manager.revoke_token()` unconditionally, even when the auth manager redirects to an external IdP logout URL (#67289).
`airflow-core/docs/security/security_model.rst`:
- 2 mermaid diagrams: component trust boundaries (control plane vs worker plane, DFP/Triggerer's in-process Execution API bypass); per-component credential-distribution matrix for sensitive values.
- New "Defense in depth at the router level" subsection documenting router-level `Depends(get_user)` on `authenticated_router` and `ui_router` (#66505).
- Notes what the Execution API does enforce beyond `ti:self`: `ExecutionAPISecretsBackend` raises `PermissionError` on 401/403 instead of letting the dispatcher fall through to a less-restrictive backend (#66575); tightened deserialization allowlist regex requires a full-string match (#66499); typed claims schema rejects non-UUID `sub` or unknown `scope`.
## Tooling change
Registers `sphinxcontrib-mermaid>=1.0.0` as a new dependency in `devel-common[docs]` and adds `sphinxcontrib.mermaid` to `BASIC_SPHINX_EXTENSIONS` so every Airflow Sphinx build (core, providers, chart, docker-stack) can use `.. mermaid::` directives. `uv.lock` is regenerated.
## Verification
- `breeze build-docs --package-filter apache-airflow` → "Documentation build is successful", 0 build errors, 0 spelling errors.
- All six mermaid containers render in the produced HTML.
- `prek run --from-ref upstream/main --stage pre-commit` and `--stage manual` both pass.
---
##### Was generative AI tooling used to co-author this PR?
- [X] Yes — Claude Code (Opus 4.7)
Generated-by: Claude Code (Opus 4.7) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
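The PR description above lists a request-time validation order (signature → standard claims → typed `TIClaims` schema → scope → `ti:self`) and, separately, the point that an allowlist regex must match the full string rather than a prefix. The following is an added, standard-library-only sketch of that layered order; it is not Airflow's code and nothing in it is the project's API. The signing key, audience, scope allowlist, rejection strings, the `TIClaims` dataclass standing in for a Pydantic model, the reading of `ti:self` as "`sub` must equal the requested task-instance id", and the `ALLOWLIST` pattern are all constructed assumptions for the demonstration.

```python
# Added example, not Airflow's code. Every constant below is a constructed
# assumption; the stage order mirrors the pipeline named in the PR text.
import base64
import hashlib
import hmac
import json
import re
import uuid
from dataclasses import dataclass

SECRET = b"constructed-demo-key-do-not-reuse"   # assumption: symmetric signing key
AUDIENCE = "urn:example:execution-api"          # assumption: expected aud claim
ALLOWED_SCOPES = frozenset({"ti:self"})         # assumption: the only known scope


class TokenRejected(Exception):
    """Raised at whichever pipeline stage first refuses the token."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issuer side: produce an HS256-style compact JWT for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature(token: str) -> dict:
    """Stage 1: the MAC must verify before any claim is even parsed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        given = _b64url_decode(sig)
    except ValueError:
        raise TokenRejected("malformed token") from None
    if not hmac.compare_digest(expected, given):
        raise TokenRejected("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        raise TokenRejected("malformed payload") from None
    if not isinstance(claims, dict):
        raise TokenRejected("malformed payload")
    return claims


def check_standard_claims(claims: dict, now: float) -> dict:
    """Stage 2: audience and time window (exp required, nbf optional)."""
    if claims.get("aud") != AUDIENCE:
        raise TokenRejected("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("expired")
    nbf = claims.get("nbf")
    if nbf is not None and (not isinstance(nbf, (int, float)) or nbf > now):
        raise TokenRejected("not yet valid")
    return claims


@dataclass(frozen=True)
class TIClaims:
    """Stage 3: typed claims (stand-in for a Pydantic model, same rejections)."""
    sub: uuid.UUID
    scope: str

    @classmethod
    def from_mapping(cls, claims: dict) -> "TIClaims":
        try:
            sub = uuid.UUID(str(claims["sub"]))   # rejects non-UUID or missing sub
        except (KeyError, ValueError):
            raise TokenRejected("sub is not a UUID") from None
        scope = claims.get("scope")
        if scope not in ALLOWED_SCOPES:           # rejects unknown scope
            raise TokenRejected("unknown scope")
        return cls(sub=sub, scope=scope)


def require_ti_self(claims: TIClaims, requested_ti_id: str) -> None:
    """Stage 4 (assumed semantics): ti:self binds the token to the TI in sub."""
    if claims.scope != "ti:self" or str(claims.sub) != requested_ti_id:
        raise TokenRejected("token is not for this task instance")


def verdict(token: str, requested_ti_id: str, now: float) -> str:
    """Run the stages in order; return 'accepted' or the first rejection reason."""
    try:
        raw = verify_signature(token)
        check_standard_claims(raw, now)
        typed = TIClaims.from_mapping(raw)
        require_ti_self(typed, requested_ti_id)
    except TokenRejected as exc:
        return str(exc)
    return "accepted"


# Allowlist point: a prefix match lets trailing text ride along behind an
# allowed name; fullmatch refuses it. Constructed pattern, not Airflow's.
ALLOWLIST = re.compile(r"airflow\.providers\.[\w.]+")


def allowed_by_prefix(name: str) -> bool:
    return ALLOWLIST.match(name) is not None      # the weak form


def allowed_by_fullmatch(name: str) -> bool:
    return ALLOWLIST.fullmatch(name) is not None  # the tightened form
```

Each stage raises on the first defect it sees, so `verdict` reports the earliest failing stage, which is the property worth checking in a test: a token with a forged payload is reported as "bad signature" and never reaches the schema check, while a correctly signed token with a non-UUID `sub` or an unlisted `scope` fails only at the typed-claims stage.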
--
This is an automated message from the Apache Git Service.