The GitHub Actions job "Tests (AMD)" on airflow.git/callback-token-apache has 
failed.
Run started by GitHub user seanghaeli (triggered by seanghaeli).

Head commit for run:
02af3fdb02d2b82d4419a672b56cb54af42ad73d / Sean Ghaeli <[email protected]>
Add single-use callback token for deadline callback context fetch

Deadline callbacks run in a subprocess that needs to read the DagRun
context (and connections/variables/xcoms) from the Execution API. PR
also accept the long-lived ``workload`` token via ``token:workload``
opt-ins. That over-broadened the workload token's reach (scope creep):
a long-lived token could read arbitrary DagRun/connection/variable/xcom
data for the whole queue-wait lifetime, and Ash asked for a single-use
credential instead.

This re-lands the security core of #66608 with a tighter design:

* New ``callback`` token scope. The executor mints a ``callback``-scoped
  token whose ``sub`` is the callback id. That token is accepted ONLY on
  the new ``PATCH /callbacks/{id}/run`` exchange endpoint (pinned by a
  ``callback:self`` scope) and nowhere else.

* Single-use exchange. ``run_callback`` performs an atomic
  ``QUEUED -> RUNNING`` transition under ``SELECT ... FOR UPDATE`` and
  returns a fresh short-lived ``execution`` token via the
  ``Refreshed-API-Token`` header. A second presentation of the same
  callback token finds the row already RUNNING and gets 409, so the
  token is exchangeable exactly once. This mirrors the Task Instance
  ``/run`` pattern. The subprocess calls the exchange once, before any
  context read, then uses the execution token for the actual reads.

* Reverted the #66608 ``token:workload`` opt-ins on the DagRun,
  connections, variables, and xcoms GET endpoints back to
  execution-only.

* ``JWTReissueMiddleware`` skips ``callback`` tokens (as it already does
  for ``workload``), since they are long-lived and exchanged exactly
  once.

Two shared-helper refactors keep the new code DRY and also clean up
pre-existing duplication:

* ``require_auth`` now drives the three ``*:self`` scope checks
  (``ti:self`` / ``ct:self`` / ``callback:self``) from a single
  ``SELF_SCOPE_PATH_PARAMS`` mapping + loop instead of three
  near-identical branches. Behavior for ``ti:self`` and ``ct:self`` is
  unchanged.

* New ``issue_execution_token`` helper mints an execution-scope token
  and sets the ``Refreshed-API-Token`` header. It replaces the
  duplicated mint block in the Task Instance ``/run`` handler (still
  guarded by the ``workload`` scope check) and the new callback exchange
  endpoint.

Report URL: https://github.com/apache/airflow/actions/runs/29292501264

With regards,
GitHub Actions via GitBox


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to