Warn against world-accessible Kerberos ccache default in docs#66557
Merged
Conversation
The Kerberos integration docs ship a default ccache path of `/tmp/airflow_krb5_ccache`, which sits in a world-readable directory on most Unix systems and would let any other local user on the host read or modify the Airflow service principal's credential cache. Add a warning recommending a non-world-accessible directory (a per-service runtime dir like `/run/airflow/krb5_ccache` or a private user-scoped location) and `chmod 0700` on the parent — mirroring the guidance the docs already give for the keytab. Reported by the L3 ASVS sweep at apache/tooling-agents#23 (FINDING-175).
potiuk
force-pushed
the
docs/kerberos-ccache-non-tmp
branch
from
d259eb0 to
743ec9c
Compare
Member
Author
|
I'd love to get this one merged — and would love it in 3.2.2 if it's not too late. cc @vatsrahul1001 (3.2.2 RM) Drafted-by: Claude Code (Opus 4.7); reviewed by @potiuk before posting |
potiuk
added
the
backport-to-v3-2-test
vatsrahul1001
approved these changes
May 18, 2026
Contributor
Backport successfully created: v3-2-testNote: As of Merging PRs targeted for Airflow 3.X In matter of doubt please ask in #release-management Slack channel.
|
vatsrahul1001
pushed a commit
that referenced
this pull request
May 18, 2026
…docs (#66557) (#67085) The Kerberos integration docs ship a default ccache path of `/tmp/airflow_krb5_ccache`, which sits in a world-readable directory on most Unix systems and would let any other local user on the host read or modify the Airflow service principal's credential cache. Add a warning recommending a non-world-accessible directory (a per-service runtime dir like `/run/airflow/krb5_ccache` or a private user-scoped location) and `chmod 0700` on the parent — mirroring the guidance the docs already give for the keytab. Reported by the L3 ASVS sweep at apache/tooling-agents#23 (FINDING-175). (cherry picked from commit da03584) Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
vatsrahul1001
pushed a commit
that referenced
this pull request
May 20, 2026
…docs (#66557) (#67085) The Kerberos integration docs ship a default ccache path of `/tmp/airflow_krb5_ccache`, which sits in a world-readable directory on most Unix systems and would let any other local user on the host read or modify the Airflow service principal's credential cache. Add a warning recommending a non-world-accessible directory (a per-service runtime dir like `/run/airflow/krb5_ccache` or a private user-scoped location) and `chmod 0700` on the parent — mirroring the guidance the docs already give for the keytab. Reported by the L3 ASVS sweep at apache/tooling-agents#23 (FINDING-175). (cherry picked from commit da03584) Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
vatsrahul1001
pushed a commit
that referenced
this pull request
May 20, 2026
…docs (#66557) (#67085) The Kerberos integration docs ship a default ccache path of `/tmp/airflow_krb5_ccache`, which sits in a world-readable directory on most Unix systems and would let any other local user on the host read or modify the Airflow service principal's credential cache. Add a warning recommending a non-world-accessible directory (a per-service runtime dir like `/run/airflow/krb5_ccache` or a private user-scoped location) and `chmod 0700` on the parent — mirroring the guidance the docs already give for the keytab. Reported by the L3 ASVS sweep at apache/tooling-agents#23 (FINDING-175). (cherry picked from commit da03584) Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
vatsrahul1001
pushed a commit
that referenced
this pull request
May 21, 2026
…docs (#66557) (#67085) The Kerberos integration docs ship a default ccache path of `/tmp/airflow_krb5_ccache`, which sits in a world-readable directory on most Unix systems and would let any other local user on the host read or modify the Airflow service principal's credential cache. Add a warning recommending a non-world-accessible directory (a per-service runtime dir like `/run/airflow/krb5_ccache` or a private user-scoped location) and `chmod 0700` on the parent — mirroring the guidance the docs already give for the keytab. Reported by the L3 ASVS sweep at apache/tooling-agents#23 (FINDING-175). (cherry picked from commit da03584) Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The Kerberos integration docs ship a default ccache path of
/tmp/airflow_krb5_ccache, which sits in a world-readable directory on most Unix systems and would let any other local user on the host read or modify the Airflow service principal's credential cache.Add a warning recommending a non-world-accessible directory (a per-service runtime dir like
/run/airflow/krb5_ccacheor a private user-scoped location) andchmod 0700on the parent — mirroring the guidance the docs already give for the keytab.Documentation-only change; no code paths affected.
Reported by
L3 ASVS sweep — apache/tooling-agents#23 (FINDING-175).
Was generative AI tooling used to co-author this PR?
Generated-by: Claude Code (Opus 4.7) following the guidelines