houqp commented on a change in pull request #10594:
URL: https://github.com/apache/airflow/pull/10594#discussion_r487682606
##########
File path: docs/security/access-control.rst
##########
@@ -114,3 +114,61 @@ using the ``airflow roles create`` command, e.g.:
And we could assign the given role to a new user using the ``airflow
users add-role`` CLI command.
+
+Permissions
+'''''''''''
+
+Resource-Based permissions
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+Starting with version 2.0, permissions are based on individual resources and a
small subset of actions on those resources. Resources match standard Airflow
concepts, such as ``Dag``, ``DagRun``, ``Task``, and ``Connection``. Actions
include ``can_create``, ``can_read``, ``can_edit``, and ``can_delete``.
Permissions (each consistint of a resource + action pair) are then added to
roles.
+
+Simple table:
+
+==================================================================================
======
====================================================================================
+ Inputs
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+View
Method Permissions
+==================================================================================
======
====================================================================================
+/config
GET Config.can_read
+/connections
GET Connection.can_read
+/connections
POST Connection.can_create
+/connections/{connection_id}
DELETE Connection.can_delete
+/connections/{connection_id}
GET Connection.can_read
+/connections/{connection_id}
PATCH Connection.can_edit
+/dagSources/{file_token}
GET DagCode.can_read
+/dags
GET Dag.can_read
+/dags/{dag_id}
GET Dag.can_read
+/dags/{dag_id}
PATCH Dag.can_edit
+/dags/{dag_id}/clearTaskInstances
POST Dag.can_read, DagRun.can_read, TaskInstance.can_edit
+/dags/{dag_id}/details
GET Dag.can_read
+/dags/{dag_id}/tasks
GET Dag.can_read, Task.can_read
+/dags/{dag_id}/tasks/{task_id}
GET Dag.can_read, Task.can_read
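Review bot: In the added "Resource-Based permissions" paragraph, "consistint" should be "consisting", and the "Simple table:" lead-in reads like a leftover placeholder; replace it with a sentence saying that the table maps each endpoint and HTTP method to the permissions it requires. Rows that list several permissions, such as POST /dags/{dag_id}/clearTaskInstances with "Dag.can_read, DagRun.can_read, TaskInstance.can_edit", should also state whether all listed permissions are required or any one of them suffices, since operators will build roles from this table.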
Review comment:
I agree, it's better to start without it and add it later if it turns
out to be something that's actually needed.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]