You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by "Maxime Beauchemin (JIRA)" <ji...@apache.org> on 2016/09/19 23:11:20 UTC

[jira] [Created] (AIRFLOW-518) Require DataProfilingMixin for the Variables CRUD access

Maxime Beauchemin created AIRFLOW-518:
-----------------------------------------

             Summary: Require DataProfilingMixin for the Variables CRUD access
                 Key: AIRFLOW-518
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-518
             Project: Apache Airflow
          Issue Type: Improvement
            Reporter: Maxime Beauchemin


Many of us use the "Variable" model CRUD (create/update/delete) as a k/v store to power frameworks that read these values to dynamically generate pipelines. 

With the basic "LoginMixin" role (lowest level of access to Airflow) having access to the Variable CRUD, people could easily alter a Variable to run arbitrary code on the platform, depending on how variables are use in that environment.

It's a safer bet to elevate CRUD on Variable to DataProfilingMixin, and make sure that the lowest level of access cannot interfere with these Variables.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)