You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2016/10/09 08:15:20 UTC

[jira] [Commented] (AIRFLOW-518) Require DataProfilingMixin for the Variables CRUD access

    [ https://issues.apache.org/jira/browse/AIRFLOW-518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15559562#comment-15559562 ] 

ASF subversion and git services commented on AIRFLOW-518:
---------------------------------------------------------

Commit 941500e14f4e327cbae0b404515597afa04ade60 in incubator-airflow's branch refs/heads/master from [~maxime.beauchemin@apache.org]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=941500e ]

[AIRFLOW-518] Require DataProfilingMixin for Variables CRUD

Many of us use the "Variable" model CRUD
(create/update/delete) as a k/v
store to power frameworks that read these values
to dynamically generate
pipelines.

With the basic "LoginMixin" role (lowest level of
access to Airflow)
having access to the Variable CRUD, people could
easily alter a Variable
to run arbitrary code on the platform, depending
on how variables are
use in that environment.

It's a safer bet to elevate CRUD on Variable to
DataProfilingMixin, and
make sure that the lowest level of access cannot
interfere with these
Variables.

Closes #1804 from mistercrunch/elevate_variables


> Require DataProfilingMixin for the Variables CRUD access
> --------------------------------------------------------
>
>                 Key: AIRFLOW-518
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-518
>             Project: Apache Airflow
>          Issue Type: Improvement
>            Reporter: Maxime Beauchemin
>
> Many of us use the "Variable" model CRUD (create/update/delete) as a k/v store to power frameworks that read these values to dynamically generate pipelines. 
> With the basic "LoginMixin" role (lowest level of access to Airflow) having access to the Variable CRUD, people could easily alter a Variable to run arbitrary code on the platform, depending on how variables are use in that environment.
> It's a safer bet to elevate CRUD on Variable to DataProfilingMixin, and make sure that the lowest level of access cannot interfere with these Variables.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)