Open Blizzke opened 5 days ago
If you disable that piece of code, things go wrong further along as well.
In _sync_dag_view_permissions
to be precise.
Within the loop of the specified roles there's a action_names = set(action_names)
there that still converts them into ('DAG Runs', 'DAGs')
.
Seems that the code has "forgotten" that an extra layer is possible, only allowing actions on DAGs
, which makes the entire access_control
rather pointless.
@joaopamaral maybe you can look into this one?
Hi @Blizzke, the access control with Resource definition only works in airflow >= 2.10.x and FAB >= 1.3.x:
This access_control doesn't work in airflow 2.9.3:
access_control={
"Viewer": {"DAGs": {"can_edit", "can_read", "can_delete"}, "DAG Runs": {"can_create"}},
},
This is the correct access control for airflow 2.9.3 (Only DAG resource):
access_control={
"Viewer": {"can_edit", "can_read", "can_delete"},
},
Apache Airflow version
Other Airflow 2 version (please specify below)
If "Other Airflow 2 version" selected, which one?
2.9.3
What happened?
We are trying to limit access to some DAGs and have been trying an example that comes verbatim from the documentation and that doesn't work:
(taken from here)
During debugging,
_upgrade_outdated_dag_access_control
was encountered, and more specific this little gem:Which "translates" the permissions specified originally into
and a warning.
What you think should happen instead?
The Viewer role should get "can_edit/read on DAG:example_fine_grained_access" and "can_create on DAG Run:example_fine_grained_access".
How to reproduce
Use the example from the documentation.
Operating System
Linux
Versions of Apache Airflow Providers
No response
Deployment
Docker-Compose
Deployment details
No response
Anything else?
No response
Are you willing to submit PR?
Code of Conduct