github-actions[bot] opened a new pull request, #68047:
URL: https://github.com/apache/airflow/pull/68047
* Apply per-file authorization to dag-source endpoint
A single source file can define multiple Dags. The /dagSources/{dag_id}
endpoint previously returned the file's full source code as soon as the
caller had CODE access to dag_id, even when the caller was not
authorized to read every other Dag defined in the same file.
Apply the same per-file authorization overlay already used by the
import-errors endpoint (apache/airflow#65329): enumerate the Dags
sharing the (relative_fileloc, bundle_name) of the requested Dag,
intersect with the caller's readable Dag set, and redact the source
when any co-located Dag is not readable.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
* Document per-file authorization boundary for dag-source endpoint
Add a Security Model subsection that describes the per-Dag read scope
the dag-source retrieval endpoint enforces, and the known limitation
around historical-version retrieval: the per-Dag scope is evaluated
against the current file membership, which may differ from the file's
contents at the time the requested version was stored. Deployments
that rely on per-Dag read scoping for source isolation should keep one
Dag per source file, or restrict DagAccessEntity.CODE accordingly.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
---------
(cherry picked from commit 992e602015b5e9a3fd297e18047cff9d85094c95)
Co-authored-by: Jarek Potiuk <[email protected]>
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
--
This is an automated message from the Apache Git Service.
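The per-file check described in the commit message above, as an added sketch that is not the Airflow implementation. `DagRecord`, `get_dag_source`, the redaction marker and the sample Dags are constructed for illustration, and the caller's CODE grants and readable Dag set are assumed to arrive as plain sets of dag_ids.

```python
from dataclasses import dataclass

# Constructed marker; the page does not show what the real endpoint returns when redacting.
REDACTED = "REDACTED: caller cannot read every Dag defined in this file"


@dataclass(frozen=True)
class DagRecord:  # hypothetical stand-in for a stored Dag row
    dag_id: str
    relative_fileloc: str
    bundle_name: str


# Constructed sample data: two Dags share etl.py in bundle "main", one Dag uses
# the same relative path in another bundle, and one Dag has a file to itself.
DAGS = [
    DagRecord("etl_public", "etl.py", "main"),
    DagRecord("etl_finance", "etl.py", "main"),
    DagRecord("etl_public_copy", "etl.py", "other"),
    DagRecord("report", "report.py", "main"),
]
SOURCES = {
    ("etl.py", "main"): "# defines etl_public and etl_finance\n",
    ("etl.py", "other"): "# defines etl_public_copy\n",
    ("report.py", "main"): "# defines report\n",
}


def get_dag_source(dag_id, code_access, readable_dag_ids):
    """Return the file source for dag_id, or REDACTED when a co-located Dag is unreadable."""
    if dag_id not in code_access:
        raise PermissionError(f"no CODE access to {dag_id}")
    target = next(d for d in DAGS if d.dag_id == dag_id)
    file_key = (target.relative_fileloc, target.bundle_name)
    # Enumerate every Dag currently defined in the same file of the same bundle.
    colocated = {
        d.dag_id for d in DAGS
        if (d.relative_fileloc, d.bundle_name) == file_key
    }
    # Intersect with the caller's readable set; any shortfall means the file
    # would expose a Dag the caller may not read, so the source is withheld.
    if colocated & set(readable_dag_ids) != colocated:
        return REDACTED
    return SOURCES[file_key]
```

Because `colocated` is computed from current file membership, this sketch has the same limitation the commit message notes for historical-version retrieval.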