apache · fzhsbc · May 21, 2026 · May 22, 2026 · May 22, 2026
@@ -15,3 +15,15 @@ In additional, the `TaskChannelFactory` extends from `PrioritySPI`, this means y
 Since the task plug-in involves the front-end page, the front-end SPI has not yet been implemented, so you need to implement the front-end page corresponding to the plug-in separately.
 
 If there is a class conflict in the task plugin, you can use [Shade-Relocating Classes](https://maven.apache.org/plugins/maven-shade-plugin/) to solve this problem.
+
+#### Runtime credentials for task plugins
+
+Some task plugins need to access external systems using short-lived credentials. A plugin should avoid storing long-lived credentials in task parameters and should avoid printing credentials in task logs.
+
+Recommended practice:
+
+- Use the task execution context, such as project, workflow, task instance, data source, tenant, and worker group, when requesting runtime credentials from an external authorization service.
+- Pass short-lived credentials to the task process through environment variables or temporary files with restricted file permissions.
+- Mask sensitive values before logging command lines, environment variables, or generated configuration files.
+- Remove temporary credential files after task completion or cancellation.
+- Keep external data authorization in the external system. DolphinScheduler should provide task context and execution lifecycle, while the external system validates and enforces data permissions.
@@ -25,6 +25,12 @@ Administrator login, default username/password: admin/dolphinscheduler123
 
 ![create-tenant](../../../../img/new_ui/dev/security/create-tenant.png)
 
+### Tenant boundary and external data permissions
+
+The tenant code is used by the Worker as the execution identity, for example the Linux user that runs a task process. It is an execution resource boundary in DolphinScheduler. Fine-grained permissions for external systems such as databases, object stores, data catalogs, or lakehouse tables should be validated and enforced by those external systems.
+
+Do not treat the tenant code alone as a user-level data permission principal for external systems. If a task needs short-lived external credentials, bind those credentials to auditable task context such as the project, workflow, task instance, data source, tenant, and worker group, and avoid storing long-lived credentials in task definitions.
+
 ## Create Normal User
 
 Users are divided into **administrator users** and **ordinary users**
@@ -188,4 +194,3 @@ Create a task node in the workflow definition, select the worker group and the e
 - After creation and authorization, you can select it from the namespace drop down list when edit k8s task, If the k8s cluster name is `ds_null_k8s` means test mode which will not operate the cluster actually.
 
 ![create-environment](../../../../img/new_ui/dev/security/create-namespace.png)
-
@@ -15,3 +15,15 @@ org.apache.dolphinscheduler.spi.task.TaskChannel
 由于任务插件涉及到前端页面，目前前端的SPI还没有实现，因此你需要单独实现插件对应的前端页面。
 
 如果任务插件存在类冲突，你可以采用 [Shade-Relocating Classes](https://maven.apache.org/plugins/maven-shade-plugin/) 来解决这种问题。
+
+#### 任务插件的运行时凭证
+
+部分任务插件需要使用短期凭证访问外部系统。插件应避免在任务参数中保存长期凭证，也应避免在任务日志中打印凭证。
+
+推荐做法：
+
+- 请求外部授权服务签发运行时凭证时，携带项目、工作流、任务实例、数据源、租户和 Worker 分组等任务执行上下文。
+- 通过环境变量或具有限制权限的临时文件，把短期凭证传递给任务进程。
+- 打印命令行、环境变量或生成的配置文件前，应对敏感值进行脱敏。
+- 任务完成或取消后，清理临时凭证文件。
+- 外部数据权限由外部系统验证和执行。DolphinScheduler 提供任务上下文和执行生命周期，外部系统负责数据权限判断。
@@ -24,6 +24,12 @@
 
 ![create-tenant](../../../../img/new_ui/dev/security/create-tenant.png)
 
+### 租户边界与外部数据权限
+
+租户编码由 Worker 作为任务执行身份使用，例如运行任务进程的 Linux 用户。租户是 DolphinScheduler 内部的执行资源边界。数据库、对象存储、数据目录、湖表等外部系统的细粒度权限应由外部系统验证和执行。
+
+不应仅把租户编码作为外部系统的用户级数据权限主体。任务需要短期外部凭证时，应将凭证绑定到可审计的任务上下文，例如项目、工作流、任务实例、数据源、租户和 Worker 分组，并避免在任务定义中保存长期凭证。
+
 ## 创建普通用户
 
 - 用户分为**管理员用户**和**普通用户**