You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by "Emanuele Palese (JIRA)" <ji...@apache.org> on 2017/07/14 16:04:00 UTC

[jira] [Commented] (AIRFLOW-1415) Add SuperUserMixin for the Variables CRUD access

    [ https://issues.apache.org/jira/browse/AIRFLOW-1415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16087520#comment-16087520 ] 

Emanuele Palese commented on AIRFLOW-1415:
------------------------------------------

DataProfilingMixin introduced with AIRFLOW-518


> Add SuperUserMixin for the Variables CRUD access 
> -------------------------------------------------
>
>                 Key: AIRFLOW-1415
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1415
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: ui
>            Reporter: Emanuele Palese
>
> Only DataProfiling users are allowed to access the Variables CRUD view.
> SuperUsers (by definition) should be allowed to access all views without restrictions.
> Furthermore, DataProfiling grants access to the query tool. This tool allows users to use ANY connection defined. This is a potential security risk with connections that access data sources with different clearances. 
> Suggested fix:
> Approach 1: 
> In airflow.www.views change:
> {code}
> class VariableView(wwwutils.DataProfilingMixin, AirflowModelView):
> {code}
> with
> {code}
> class VariableView(wwwutils.SuperUserMixin, AirflowModelView):
> {code}
> Approach 2:
> create a new mixin that checks membership for both data profiling and super user



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)