Posted to commits@airflow.apache.org by "Emanuele Palese (JIRA)" <ji...@apache.org> on 2017/07/14 15:17:00 UTC

[jira] [Created] (AIRFLOW-1415) Add SuperUserMixin for the Variables CRUD access

Emanuele Palese created AIRFLOW-1415:
----------------------------------------

             Summary: Add SuperUserMixin for the Variables CRUD access 
                 Key: AIRFLOW-1415
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1415
             Project: Apache Airflow
          Issue Type: Improvement
          Components: ui
            Reporter: Emanuele Palese


Only DataProfiling users are allowed to access the Variables CRUD view.
SuperUsers (by definition) should be allowed to access all views without restrictions.

Furthermore, DataProfiling grants access to the query tool. This tool allows users to use ANY connection defined. This is a potential security risk with connections that access data sources with different clearances. 

Suggested fix:
Approach 1: 
In airflow.www.views change:
{code}
class VariableView(wwwutils.DataProfilingMixin, AirflowModelView):
{code}
with
{code}
class VariableView(wwwutils.SuperUserMixin, AirflowModelView):
{code}

Approach 2:
Create a new mixin that checks membership for both data profiling and super user.




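Approach 2 as an added sketch, not code from the issue or from Airflow: a mixin whose `is_accessible()` (the Flask-Admin access hook) admits a user who is either a superuser or a data-profiling user and denies everyone else. `StubUser`, `SuperUserOrDataProfilingMixin`, `VariableViewSketch` and the `AUTHENTICATE` flag are hypothetical stand-ins so the block runs without Airflow installed.

```python
from dataclasses import dataclass

AUTHENTICATE = True  # assumption: stands in for the webserver's authentication switch


@dataclass
class StubUser:
    """Constructed stand-in for the logged-in user object (not Airflow's class)."""
    anonymous: bool = False
    superuser: bool = False
    profiling: bool = False

    def is_anonymous(self):
        return self.anonymous

    def is_superuser(self):
        return self.superuser

    def data_profiling(self):
        return self.profiling


class SuperUserOrDataProfilingMixin:
    """Hypothetical mixin for Approach 2: either role grants access."""
    current_user = None  # injected here; a real view would read the session user

    def is_accessible(self):
        if not AUTHENTICATE:
            return True  # assumption: no role checks when authentication is off
        user = self.current_user
        # Deny by default: a missing or anonymous user never passes,
        # whatever role flags the object happens to carry.
        if user is None or user.is_anonymous():
            return False
        return user.is_superuser() or user.data_profiling()


class VariableViewSketch(SuperUserOrDataProfilingMixin):
    """Stand-in for VariableView; the real class also derives from AirflowModelView."""
    def __init__(self, user):
        self.current_user = user


def access_matrix():
    """Return who may open the Variables view, for constructed sample users."""
    users = {
        "anonymous": StubUser(anonymous=True),
        "anonymous_with_flag": StubUser(anonymous=True, superuser=True),
        "plain": StubUser(),
        "superuser": StubUser(superuser=True),
        "profiling": StubUser(profiling=True),
    }
    return {name: VariableViewSketch(u).is_accessible() for name, u in users.items()}
```

This only changes who reaches the Variables view; the query tool stays tied to the data-profiling role on its own.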