Implement access control for Execution API (variables, connections, XComs)

[Subham-KRLX]

Description

The Execution API has authentication but no authorization - tasks can access ANY variable, connection, or XCom. Three TODO placeholders need implementation to enforce team-based access control.

Use case/motivation

Security Problem: Any authenticated task can currently access resources from any team because has_variable_access(), has_connection_access(), and has_xcom_access() always return True.

What I want to achieve:

• Tasks should only access variables/connections from their DAG's team
• Tasks should only access XComs from their own DAG run
• Proper authorization checks in Execution API (similar to Core API)

Affected files:

• airflow/api_fastapi/execution_api/routes/variables.py:40
• airflow/api_fastapi/execution_api/routes/connections.py:35
• airflow/api_fastapi/execution_api/routes/xcoms.py:50

Proposed solution:

1. Extract task's DAG from JWT token
2. Verify resource's team matches DAG's team
3. Allow global resources (no team)
4. Backward compatible with feature flag

Benefits:

• Security: Resource isolation
• Multi-team: Team boundaries enforced
• Compliance: Audit trail for access

Related issues

No

Are you willing to submit a PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

[potiuk]

Yes. That was long time planned - if you want to take a look at that - feel free, but this should be definitely preceded a proposal describing security model you want to propose and discussing it on devlist. It's not a matter of just PR but thorough discussion and deliberate design.