> Plugins, providers, and their associated Python libraries all need to execute > code in order to be installed which is a vulnerability.
Please rephrase this - I understand what you mean, but this is too broad a statement. It is at worst a _potential_ vulnerability. However I still don't really understand the risk - if dag authors can write dags they can run a python operator to do what ever they like. How are plugins different? The main thing I can't wrap my head around why suitably permissioned users can't have the ability to customise the webserver image/container. -ash On 18 June 2021 22:58:29 BST, "Jackson, John" <[email protected]> wrote: >Plugins, providers, and their associated Python libraries all need to execute >code in order to be installed which is a vulnerability. Plugins in particular >are often developed/installed by the data engineers and not by system >administrators, leading us back to our original problem. > >I would turn your argument the other way around--if you're already in a >no-install, serialized model for DAGs why not extend that to all aspects of >the webserver such as connections and UI plugins? Seems that would be more >consistent. > >On 2021-06-18, 1:36 PM, "Jarek Potiuk" <[email protected]> wrote: > > CAUTION: This email originated from outside of the organization. Do not > click links or open attachments unless you can confirm the sender and know > the content is safe. > > > > > That would certainly help a bit, but unfortunately it's not just the > packages. It's the fact that authentication is tied to Python code that can > be patched by anyone with permission to execute code on the web server, which > in turn would give them access to packages or any anything else they'd like. > > But in Airflow 2.0 the code provided by "DAG writers" is not executed > any more. This is entirely gone together with Airflow 1.10. This has > been handled by DAG serialization, which is the only option available > in 2.0. I do not see how the "Users" could add any code if "Admins" > control the packages that are installed in the webserver. Now if > Admin/User is the only problem then I think this is really > misunderstanding coming from the pre-DAG-serialization world of Apache > Airflow. > > J. >
