Open Blizzke opened 5 days ago
Blizzke
commented
5 days ago If you disable that piece of code, things go wrong further along as well.
In _sync_dag_view_permissions to be precise.
Within the loop of the specified roles there's a action_names = set(action_names) there that still converts them into ('DAG Runs', 'DAGs').
Seems that the code has "forgotten" that an extra layer is possible, only allowing actions on DAGs, which makes the entire access_control rather pointless.
eladkal
commented
3 days ago @joaopamaral maybe you can look into this one?
joaopamaral
commented
2 days ago Hi @Blizzke, the access control with Resource definition only works in airflow >= 2.10.x and FAB >= 1.3.x:
This access_control doesn't work in airflow 2.9.3:
access_control={
"Viewer": {"DAGs": {"can_edit", "can_read", "can_delete"}, "DAG Runs": {"can_create"}},
},This is the correct access control for airflow 2.9.3 (Only DAG resource):
access_control={
"Viewer": {"can_edit", "can_read", "can_delete"},
},
Apache Airflow version
Other Airflow 2 version (please specify below)
If "Other Airflow 2 version" selected, which one?
2.9.3
What happened?
We are trying to limit access to some DAGs and have been trying an example that comes verbatim from the documentation and that doesn't work:
(taken from here)
During debugging,
_upgrade_outdated_dag_access_controlwas encountered, and more specific this little gem:Which "translates" the permissions specified originally into
and a warning.
What you think should happen instead?
The Viewer role should get "can_edit/read on DAG:example_fine_grained_access" and "can_create on DAG Run:example_fine_grained_access".
How to reproduce
Use the example from the documentation.
Operating System
Linux
Versions of Apache Airflow Providers
No response
Deployment
Docker-Compose
Deployment details
No response
Anything else?
No response
Are you willing to submit PR?
Code of Conduct