You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by po...@apache.org on 2023/02/24 21:06:57 UTC

[airflow] branch main updated: Change permissions of config/password files created by airflow (#29495)

This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new b2ecaf9d2c Change permissions of config/password files created by airflow (#29495)
b2ecaf9d2c is described below

commit b2ecaf9d2c6ccb94ae97728a2d54d31bd351f11e
Author: Jarek Potiuk <ja...@potiuk.com>
AuthorDate: Fri Feb 24 22:06:49 2023 +0100

    Change permissions of config/password files created by airflow (#29495)
    
    The permissions for files created by airflow when creating config and
    standalone files are now only limited to the owner.
---
 airflow/cli/commands/standalone_command.py |  3 ++-
 airflow/configuration.py                   | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/airflow/cli/commands/standalone_command.py b/airflow/cli/commands/standalone_command.py
index 660e5cc6df..7afcc14851 100644
--- a/airflow/cli/commands/standalone_command.py
+++ b/airflow/cli/commands/standalone_command.py
@@ -27,7 +27,7 @@ from collections import deque
 
 from termcolor import colored
 
-from airflow.configuration import AIRFLOW_HOME, conf
+from airflow.configuration import AIRFLOW_HOME, conf, make_group_other_inaccessible
 from airflow.executors import executor_constants
 from airflow.executors.executor_loader import ExecutorLoader
 from airflow.jobs.scheduler_job import SchedulerJob
@@ -195,6 +195,7 @@ class StandaloneCommand:
             )
             with open(password_path, "w") as file:
                 file.write(password)
+            make_group_other_inaccessible(password_path)
             appbuilder.sm.add_user("admin", "Admin", "User", "admin@example.com", role, password)
             self.print_output("standalone", "Created admin user")
         # If the user does exist and we know its password, read the password
diff --git a/airflow/configuration.py b/airflow/configuration.py
index ff29009f25..e5c9a1a6bc 100644
--- a/airflow/configuration.py
+++ b/airflow/configuration.py
@@ -25,6 +25,7 @@ import os
 import pathlib
 import re
 import shlex
+import stat
 import subprocess
 import sys
 import warnings
@@ -1484,6 +1485,7 @@ def initialize_config() -> AirflowConfigParser:
             with open(TEST_CONFIG_FILE, "w") as file:
                 cfg = _parameterized_config_from_template("default_test.cfg")
                 file.write(cfg)
+            make_group_other_inaccessible(TEST_CONFIG_FILE)
 
         local_conf.load_test_config()
     else:
@@ -1498,6 +1500,7 @@ def initialize_config() -> AirflowConfigParser:
 
             with open(AIRFLOW_CONFIG, "w") as file:
                 file.write(default_config)
+            make_group_other_inaccessible(AIRFLOW_CONFIG)
 
         log.info("Reading the config from %s", AIRFLOW_CONFIG)
 
@@ -1540,6 +1543,18 @@ def initialize_config() -> AirflowConfigParser:
     return local_conf
 
 
+def make_group_other_inaccessible(file_path: str):
+    try:
+        permissions = os.stat(file_path)
+        os.chmod(file_path, permissions.st_mode & (stat.S_IRUSR | stat.S_IWUSR))
+    except Exception as e:
+        log.warning(
+            "Could not change permissions of config file to be group/other inaccessible. "
+            "Continuing with original permissions:",
+            e,
+        )
+
+
 # Historical convenience functions to access config entries
 def load_test_config():
     """Historical load_test_config."""