Posted to commits@airflow.apache.org by po...@apache.org on 2023/02/24 21:06:57 UTC
[airflow] branch main updated: Change permissions of config/password files created by airflow (#29495)
This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new b2ecaf9d2c Change permissions of config/password files created by airflow (#29495)
b2ecaf9d2c is described below
commit b2ecaf9d2c6ccb94ae97728a2d54d31bd351f11e
Author: Jarek Potiuk <ja...@potiuk.com>
AuthorDate: Fri Feb 24 22:06:49 2023 +0100
Change permissions of config/password files created by airflow (#29495)
The permissions of the files that airflow creates when writing config and
standalone files are now restricted to the owner only.
---
airflow/cli/commands/standalone_command.py | 3 ++-
airflow/configuration.py | 15 +++++++++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/airflow/cli/commands/standalone_command.py b/airflow/cli/commands/standalone_command.py
index 660e5cc6df..7afcc14851 100644
--- a/airflow/cli/commands/standalone_command.py
+++ b/airflow/cli/commands/standalone_command.py
@@ -27,7 +27,7 @@ from collections import deque
from termcolor import colored
-from airflow.configuration import AIRFLOW_HOME, conf
+from airflow.configuration import AIRFLOW_HOME, conf, make_group_other_inaccessible
from airflow.executors import executor_constants
from airflow.executors.executor_loader import ExecutorLoader
from airflow.jobs.scheduler_job import SchedulerJob
@@ -195,6 +195,7 @@ class StandaloneCommand:
)
with open(password_path, "w") as file:
file.write(password)
+ make_group_other_inaccessible(password_path)
appbuilder.sm.add_user("admin", "Admin", "User", "admin@example.com", role, password)
self.print_output("standalone", "Created admin user")
# If the user does exist and we know its password, read the password
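Review bot: The password is written with `open(password_path, "w")` and only narrowed afterwards, so the file exists with umask-default permissions (commonly group/other readable) between the write and the `make_group_other_inaccessible` call, and it stays that way if the chmod fails, because the helper only logs a warning. Creating the file owner-only from the start closes that window: `fd = os.open(password_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, "w") as file:`, keeping the chmod for the case where the file already exists with wider permissions. The same write-then-chmod pattern applies to the `TEST_CONFIG_FILE` and `AIRFLOW_CONFIG` writes in `initialize_config` in airflow/configuration.py. The enclosing method starts and ends outside this hunk, and whether `os` is already imported in this module is not visible here.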
diff --git a/airflow/configuration.py b/airflow/configuration.py
index ff29009f25..e5c9a1a6bc 100644
--- a/airflow/configuration.py
+++ b/airflow/configuration.py
@@ -25,6 +25,7 @@ import os
import pathlib
import re
import shlex
+import stat
import subprocess
import sys
import warnings
@@ -1484,6 +1485,7 @@ def initialize_config() -> AirflowConfigParser:
with open(TEST_CONFIG_FILE, "w") as file:
cfg = _parameterized_config_from_template("default_test.cfg")
file.write(cfg)
+ make_group_other_inaccessible(TEST_CONFIG_FILE)
local_conf.load_test_config()
else:
@@ -1498,6 +1500,7 @@ def initialize_config() -> AirflowConfigParser:
with open(AIRFLOW_CONFIG, "w") as file:
file.write(default_config)
+ make_group_other_inaccessible(AIRFLOW_CONFIG)
log.info("Reading the config from %s", AIRFLOW_CONFIG)
@@ -1540,6 +1543,18 @@ def initialize_config() -> AirflowConfigParser:
return local_conf
+def make_group_other_inaccessible(file_path: str):
+ try:
+ permissions = os.stat(file_path)
+ os.chmod(file_path, permissions.st_mode & (stat.S_IRUSR | stat.S_IWUSR))
+ except Exception as e:
+ log.warning(
+ "Could not change permissions of config file to be group/other inaccessible. "
+ "Continuing with original permissions:",
+ e,
+ )
+
+
# Historical convenience functions to access config entries
def load_test_config():
"""Historical load_test_config."""
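Review bot: The `log.warning` call in the `except` branch of `make_group_other_inaccessible` passes `e` as a formatting argument, but the message contains no `%s` placeholder, so when `os.stat` or `os.chmod` fails the logging module hits a string-formatting error instead of emitting the warning with its cause. That is the one case an operator needs to see, since the file then keeps its wider permissions; the last message fragment should read `"Continuing with original permissions: %s",`. The text also says "config file" although the helper is called for the standalone password file as well, so a neutral wording such as "Could not change permissions of %s" with `file_path` as an argument would be more accurate. The function has no docstring; a one-liner such as `"""Restrict file_path to owner read/write; log a warning and continue on failure."""` would document the best-effort contract, and catching `OSError` instead of `Exception` would be narrower if nothing else is expected here.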