-
Notifications
You must be signed in to change notification settings - Fork 13.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fixing #19028 by moving chown to use sudo #20114
Conversation
Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst)
|
except KeyError: | ||
# No user `run_as_user` found | ||
pass | ||
subprocess.call(['sudo', 'chown', self.run_as_user, self._error_file.name], close_fds=True) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
subprocess.call(['sudo', 'chown', self.run_as_user, self._error_file.name], close_fds=True) | |
subprocess.check_call(['sudo', 'chown', self.run_as_user, self._error_file.name], close_fds=True) |
I think
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that you're probably right it should be check_call
. I simply stole the the subprocess call that runs a chown a few statements above so maybe they should both change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah -- could you change them both?
Refactor to a single |
We can make it a single sudo chwon call like this:
|
I answered your message and stepped out to a meeting and then you fixed my whole PR. 😆 Looks good to me! Thanks for your help! |
One downside to this change is it requires |
You're right, @uranusjr , that there are improvements that could be made to this. My first priority is addressing the regression quickly by getting it back to the previous functional state. Then perhaps future enhancements or improvements could be proposed or implemented. |
One thing that I do notice when I run my patch on my own system is this error:
But it doesn't impact the failure state (the task still succeeds) and it was very likely happening before I got here, too. It means that files in /tmp get left hanging out after the task finishes. So we might need to add a chmod here, before the chown, so that the file is readable. |
The problem is that you’re prioritising your use case over others, and potentially breaking other people’s environments to make your environment work correctly. That’s not how a regression should be addressed. |
I mean the docs are very clear that when using impersonation you have to configure sudo and even tell you how to configure sudo. I'm trying to touch as little code as possible here and not introduce new features while doing so. |
Oh and I may add that the use case you put forth -- people using impersonation without sudo configured or installed -- does not exist. The current code uses a combination of sudo and calls to os which only works for people who run airflow as root. This change is to standardize on just sudo, which is what it was before 2.2.0 and before #15947 broke it for everyone not running airflow as root. |
Yep. I agree with @plockaby - we clearly expect sudo to be available https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html?highlight=impersonation (BTW. This page is very badly named) We might improve it in the future as separate PR and remove the requirement, but lets's fix what is broken currently first. |
The PR most likely needs to run full matrix of tests because it modifies parts of the core of Airflow. However, committers might decide to merge it quickly and take the risk. If they don't merge it quickly - please rebase it to the latest main at your convenience, or amend the last commit of the PR, and push it with --force-with-lease. |
Awesome work, congrats on your first merged pull request! |
* fixing #19028 by having chown be in a sudo call * removing unused import * trying to clean up a test * combine sudo chown calls * force exception when chown fails * Update tests/task/task_runner/test_base_task_runner.py * Fix tests * Fix formatting Co-authored-by: Ash Berlin-Taylor <ash_github@firemirror.com> Co-authored-by: Ash Berlin-Taylor <ash@apache.org> (cherry picked from commit b37c0ef)
Without this change, using user impersonation requires that Airflow run as root or it won't work at all.
closes: #19028
related: #15947