seanghaeli opened a new pull request, #68909: URL: https://github.com/apache/airflow/pull/68909
Reverts #66608 (commit 8095abb571).

Per @ashb's and @o-nikolas's review on #66608: broadening `token:workload` to read connections/variables/xcom (so deadline-callback subprocesses could fetch context) is a **security regression**. The `token:workload` scope is intentionally long-lived (~24h) and minimal-privilege — it exists only to be exchanged once at the TI `/run` endpoint for a short-lived scoped token, so that a token visible in the Celery message bus or KE pod spec is near-useless if leaked. Granting it data/secret reads undermines that guarantee.

This reverts the full PR to get `main` back to a safe state ahead of the 3.3 freeze, as @o-nikolas proposed.

The callback-context **feature** is still wanted; what needs redesign is the **token mechanism** for callback reads. Options under discussion:

- the callback subprocess performs the same workload→short-lived exchange a worker does;
- a dedicated short-lived callback scope;
- pushing context to the callback instead of pulling with elevated rights.

Note for reviewers: if you prefer a **narrower** revert that keeps the callback-context plumbing and only drops the `token:workload` scope broadening on the connections/variables/xcom routes (`routes/connections.py`, `routes/variables.py`, `security.py`), I can scope this down — say the word. Defaulting to the full revert since that's what was requested.

related: #66608

---

##### Was generative AI tooling used to co-author this PR?

- [x] Yes — Claude Code (Opus 4.8)

Generated-by: Claude Code (Opus 4.8) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
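The property the PR body argues for, as an added illustration that is not Airflow's own code: a long-lived `token:workload` token that is only good for a one-time exchange at `/run`, a short-lived scoped token that is the only credential allowed to read connections/variables/xcom, and the broadened (regressed) rule side by side with the restored one. The HMAC token format, the scoped-token name `token:ti-scoped`, the 10-minute scoped TTL, the one-time-exchange bookkeeping and the signing key are all assumptions of the example, not Airflow internals.

```python
"""Added example (not Airflow code): a leaked long-lived workload token must be
near-useless, so data reads are granted only to the short-lived scoped token."""
import base64
import hashlib
import hmac
import json
import time
import uuid

SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed for the demo only
WORKLOAD_SCOPE = "token:workload"        # scope name taken from the PR text
SCOPED_SCOPE = "token:ti-scoped"         # hypothetical name for the short-lived scoped token
WORKLOAD_TTL = 24 * 3600                 # ~24h, as described in the PR
SCOPED_TTL = 10 * 60                     # short-lived; 10 minutes is an assumption
DATA_ROUTES = {"connections", "variables", "xcom"}

_exchanged_jtis: set = set()             # workload tokens already exchanged (modelling assumption)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def mint(claims: dict, ttl: int, now: float) -> str:
    """Serialise claims plus iat/exp/jti and append an HMAC-SHA256 tag."""
    payload = dict(claims, iat=int(now), exp=int(now) + ttl, jti=uuid.uuid4().hex)
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def verify(token: str, now: float) -> dict:
    """Constant-time tag check, then expiry check; raises PermissionError on failure."""
    body, _, tag = token.partition(".")
    if not hmac.compare_digest(tag, _sign(body)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise PermissionError("expired")
    return claims


def mint_workload_token(ti_id: str, now: float) -> str:
    """What lands on the message bus / pod spec: long-lived, but only good for /run."""
    return mint({"scope": WORKLOAD_SCOPE, "ti_id": ti_id}, WORKLOAD_TTL, now)


def exchange_at_run(workload_token: str, now: float) -> str:
    """Model of the TI /run exchange: a workload token is swapped once for a scoped token."""
    claims = verify(workload_token, now)
    if claims["scope"] != WORKLOAD_SCOPE:
        raise PermissionError("only a workload token can be exchanged")
    if claims["jti"] in _exchanged_jtis:
        raise PermissionError("workload token already exchanged")
    _exchanged_jtis.add(claims["jti"])
    return mint({"scope": SCOPED_SCOPE, "ti_id": claims["ti_id"]}, SCOPED_TTL, now)


def authorize_read_regressed(token: str, route: str, now: float) -> bool:
    """The broadened rule this PR reverts: the workload scope may read data routes directly."""
    try:
        scope = verify(token, now)["scope"]
    except PermissionError:
        return False
    return route in DATA_ROUTES and scope in {WORKLOAD_SCOPE, SCOPED_SCOPE}


def authorize_read(token: str, route: str, now: float) -> bool:
    """The restored rule: only the short-lived scoped token may read connections/variables/xcom."""
    try:
        scope = verify(token, now)["scope"]
    except PermissionError:
        return False
    return route in DATA_ROUTES and scope == SCOPED_SCOPE


if __name__ == "__main__":
    t0 = time.time()
    leaked = mint_workload_token("ti-demo", t0)   # imagine this captured from the Celery bus
    print("leaked workload token reads connections (regressed):",
          authorize_read_regressed(leaked, "connections", t0))
    print("leaked workload token reads connections (restored): ",
          authorize_read(leaked, "connections", t0))
    scoped = exchange_at_run(leaked, t0)
    print("scoped token reads connections now:      ", authorize_read(scoped, "connections", t0))
    print("scoped token reads connections in an hour:", authorize_read(scoped, "connections", t0 + 3600))
```

Under the restored rule a token lifted from the bus buys an attacker nothing unless they can also win the race to `/run` before the real worker does, and even then the credential they obtain expires in minutes; under the regressed rule the same token reads secrets for the whole 24h window. Whichever redesign option the PR lists is chosen, it should keep this shape: whatever the callback subprocess holds long-term must fail `authorize_read`.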
