  1. Apache Airflow
  2. AIRFLOW-2311

Environment variables are accessible to dag execution


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      Currently, environment variables are accessible to dag execution for both LocalExecutor and CeleryExecutor (from the machine/container where the `airflow scheduler` process is running).

      I believe it is a potential security concern on the whole by passing down all environment variables to task execution, which sometimes include sensitive credentials. This means that it is the responsibility of (1) the airflow admin to not store sensitive data in environment variables in production or (2) the dag maintainer to properly audit the dag file and make sure it is not malicious. (1) seems very hard to guarantee; (2) seems easier, but not foolproof.

            People

            • Assignee:
              Unassigned
              Reporter:
              joygao Joy Gao

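The inheritance the description refers to, and one way to restrict it, as an added example that is not part of the original issue and not Airflow's code. A stand-in child process plays the role of task code; `scrubbed_env`, `TASK_ENV_ALLOWLIST`, the `TASK_` prefix and the `DEMO_DB_PASSWORD` value are hypothetical names constructed for the illustration.

```python
import json
import os
import subprocess
import sys

# Hypothetical allowlist of names a task genuinely needs; not an Airflow setting.
TASK_ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "TZ")
ALLOWED_PREFIXES = ("TASK_",)

# Stand-in for task code: reports which variable names it can see.
CHILD_SNIPPET = "import json, os; print(json.dumps(sorted(os.environ)))"


def scrubbed_env(parent_env, allow=TASK_ENV_ALLOWLIST, prefixes=ALLOWED_PREFIXES):
    """Return a copy of parent_env holding only allowlisted names."""
    return {
        k: v for k, v in parent_env.items()
        if k in allow or k.startswith(prefixes)
    }


def visible_names(env=None):
    """Run the stand-in task and return the set of env names it saw.

    env=None is the subprocess default: the child inherits everything
    the parent process has, which is the behaviour the issue describes.
    """
    out = subprocess.run(
        [sys.executable, "-c", CHILD_SNIPPET],
        env=env, capture_output=True, text=True, check=True,
    ).stdout
    return set(json.loads(out))


def demo():
    # Constructed sample values, set in the parent the way a scheduler's
    # environment might carry a credential.
    os.environ["DEMO_DB_PASSWORD"] = "constructed-sample-value"
    os.environ["TASK_RUN_ID"] = "constructed-run-1"
    inherited = visible_names()                        # full inheritance
    restricted = visible_names(scrubbed_env(os.environ))  # allowlist only
    return inherited, restricted


if __name__ == "__main__":
    inherited, restricted = demo()
    print("inherited child sees secret: ", "DEMO_DB_PASSWORD" in inherited)
    print("restricted child sees secret:", "DEMO_DB_PASSWORD" in restricted)
```

An allowlist fails closed: a credential added to the parent environment later stays invisible to the child unless someone deliberately lists it, whereas a denylist of known secret names would miss it.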