airflow
Requiring sudo privileges
Apache Airflow version
2.2.3 (latest released)
What happened
If the Airflow worker process is run under a non-root user and a DAG contains a run_as statement, Airflow calls `sudo chown` during the creation of tmp files. The following code snippet comes from `/airflow/task/task_runner/base_task_runner.py`.
```python
if self.run_as_user and (self.run_as_user != getuser()):
    # We want to include any environment variables now, as we won't
    # want to have to specify them in the sudo call - they would show
    # up in `ps` that way! And run commands now, as the other user
    # might not be able to run the cmds to get credentials
    cfg_path = tmp_configuration_copy(chmod=0o600, include_env=True, include_cmds=True)

    # Give ownership of file to user; only they can read and write
    subprocess.check_call(
        ['sudo', 'chown', self.run_as_user, cfg_path, self._error_file.name], close_fds=True
    )

    # propagate PYTHONPATH environment variable
    pythonpath_value = os.environ.get(PYTHONPATH_VAR, '')
    popen_prepend = ['sudo', '-E', '-H', '-u', self.run_as_user]
```
Calling `sudo chown` in a subprocess actually requires the Airflow process user to be able to sudo to root, which averts the main point of running the Airflow worker process as a non-root user. I would therefore propose to allow run_as_user read and write by setting the facl attributes of the tmp file accordingly.
Will you be willing to accept a PR addressing this issue via setfacl?
What you expected to happen
No response
How to reproduce
No response
Operating System
Linux
Versions of Apache Airflow Providers
No response
Deployment
Docker-Compose
Deployment details
No response
Anything else
No response
Are you willing to submit PR?
- [X] Yes I am willing to submit a PR!
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
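
A sketch of the `setfacl` approach proposed in this issue, added here as an illustration; it is not Airflow's code or the reporter's PR. The helper names, the user name `etl`, the user-name allow-list and the sample `getfacl` output are all assumptions made for the example.

```python
import re
import subprocess

# Conservative allow-list (an assumption): rejects names that setfacl could
# read as an option or as extra ACL fields (leading '-', ':' or ',').
_USER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")

# Constructed getfacl output: a chmod 0600 issued after setfacl zeroed the mask.
SAMPLE_ACL = """\
# file: tmp/airflow_cfg
user::rw-
user:etl:rw-    #effective:---
group::---
mask::---
other::---
"""


def setfacl_argv(run_as_user, paths, perms="rw"):
    """argv that grants run_as_user access; the file owner can run it unprivileged."""
    if not _USER_RE.match(run_as_user):
        raise ValueError(f"unsafe user name: {run_as_user!r}")
    if not perms or set(perms) - set("rwx"):
        raise ValueError(f"bad permission string: {perms!r}")
    return ["setfacl", "-m", f"u:{run_as_user}:{perms}", "--", *paths]


def effective_perms(getfacl_output, user):
    """Permissions the named user really gets: its ACL entry limited by the mask."""
    entry, mask = None, "rwx"
    for line in getfacl_output.splitlines():
        fields = line.split("#", 1)[0].strip().split(":")
        if len(fields) != 3:
            continue  # header comment or blank line
        tag, qualifier, perms = fields
        if tag == "user" and qualifier == user:
            entry = perms
        elif tag == "mask":
            mask = perms
    return "".join(p for p, m in zip(entry or "", mask) if p == m and p != "-")


def grant_access(run_as_user, paths, perms="rw"):
    """Apply the ACL, then confirm it took effect before handing the files over."""
    subprocess.check_call(setfacl_argv(run_as_user, paths, perms), close_fds=True)
    for path in paths:
        acl = subprocess.check_output(["getfacl", "--", path], text=True)
        if set(effective_perms(acl, run_as_user)) != set(perms):
            raise PermissionError(f"{run_as_user} lacks {perms!r} on {path}")
```

Unlike `chown`, an ACL entry leaves the worker user as the file's owner, so the worker account keeps its own access to the file. On a file that carries an ACL, a later `chmod` rewrites the mask through the group bits, which is why `grant_access` re-reads the ACL instead of trusting the `setfacl` exit code.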