From a14177141f51c532f27b1e08b7c79e0694b46e9f Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Wed, 30 Aug 2023 19:54:11 +0200 Subject: [PATCH] Clarify that DAG authors can also run code in DAG File Processor (#33920) * Clarify that DAG authors can also run code in DAG File Processor Small addition to our security model - it was not entirely clear that DAG authors can also execute code in DAG File Processor and that DAG File Processor can be run in standalone mode effectively physically separating machines where scheduler is run and where the code modified by DAG authors gets parsed. Co-authored-by: Ephraim Anierobi (cherry picked from commit 1dc6ba05581dba349f0b81163263ad6b0fa18b06) --- docs/apache-airflow/security/security_model.rst | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/apache-airflow/security/security_model.rst b/docs/apache-airflow/security/security_model.rst index addb69e8821e8..0e22674acb27b 100644 --- a/docs/apache-airflow/security/security_model.rst +++ b/docs/apache-airflow/security/security_model.rst @@ -41,9 +41,13 @@ varying access and capabilities: model. 2. **DAG Authors**: They can upload, modify, and delete DAG files. The - code in DAG files is executed on workers. Therefore, DAG authors can create - and change code executed on workers and potentially access the credentials - that DAG code uses to access external systems. DAG Authors have full access + code in DAG files is executed on workers and in the DAG File Processor. Note + that in the simple deployment configuration, parsing DAGs is executed as + a subprocess of the Scheduler process, but with Standalone DAG File Processor + deployment managers might separate parsing DAGs from the Scheduler process. + Therefore, DAG authors can create and change code executed on workers + and the DAG File Processor and potentially access the credentials that the DAG + code uses to access external systems. DAG Authors have full access to the metadata database and internal audit logs. 3. **Authenticated UI users**: They have access to the UI and API. See below