You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by "Emanuele Palese (JIRA)" <ji...@apache.org> on 2017/07/14 15:17:00 UTC
[jira] [Created] (AIRFLOW-1415) Add SuperUserMixin for the
Variables CRUD access
Emanuele Palese created AIRFLOW-1415:
----------------------------------------
Summary: Add SuperUserMixin for the Variables CRUD access
Key: AIRFLOW-1415
URL: https://issues.apache.org/jira/browse/AIRFLOW-1415
Project: Apache Airflow
Issue Type: Improvement
Components: ui
Reporter: Emanuele Palese
Only DataProfiling users are allowed to access the Variables CRUD view.
SuperUsers (by definition) should be allowed to access all views without restrictions.
Furthermore, DataProfiling grants access to the query tool. This tool allows users to use ANY connection defined. This is a potential security risk with connections that access data sources with different clearances.
Suggested fix:
Approach 1:
In airflow.www.views change:
{code}
class VariableView(wwwutils.DataProfilingMixin, AirflowModelView):
{code}
with
{code}
class VariableView(wwwutils.SuperUserMixin, AirflowModelView):
{code}
Approach 2:
create a new mixin that checks membership for both data profiling and super user
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)