airflow-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joy Gao (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AIRFLOW-2311) Environment variables are accessible to dag execution
Date Wed, 11 Apr 2018 01:12:00 GMT

     [ https://issues.apache.org/jira/browse/AIRFLOW-2311?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Joy Gao updated AIRFLOW-2311:
-----------------------------
    Summary: Environment variables are accessible to dag execution  (was: Environment variables
from the scheduler process are accessible to dag execution)

> Environment variables are accessible to dag execution
> -----------------------------------------------------
>
>                 Key: AIRFLOW-2311
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2311
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security
>            Reporter: Joy Gao
>            Priority: Major
>
> Currently, environment variables are accessible to dag execution for both LocalExecutor
and CeleryExecutor (from the machine/container where `airflow scheduler` process is running
on)
> I believe it is a potential security concern on the whole by passing down all environment
variables to task execution, which sometimes include sensitive credentials. This means that
it is the responsibility of (1) the airflow admin to not store sensitive data in environment
variables in production or (2) the dag maintainer to properly audit the dag file and make
sure it is not malicious. (1) seems very hard to guarantee (2) seems easier, but not foolproof.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message