ashb commented on a change in pull request #11362:
URL: https://github.com/apache/airflow/pull/11362#discussion_r510290041



##########
File path: docs/security/access-control.rst
##########
@@ -134,51 +123,106 @@ Permissions (each consistent of a resource + action 
pair) are then added to role
 
 **To access an endpoint, the user needs all permissions assigned to that 
endpoint**
 
-==================================================================================
 ====== 
====================================================================================
+There are five default roles: Public, Viewer, User, Op, and Admin. Each one 
has the permissions of the preceeding role, as well as additional permissions.
+
+==================================================================================
 ====== ================================================================= 
============
 Stable API Permissions
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-Endpoint                                                                       
    Method Permissions
-==================================================================================
 ====== 
====================================================================================
-/config                                                                        
    GET    Config.can_read
-/connections                                                                   
    GET    Connection.can_read
-/connections                                                                   
    POST   Connection.can_create
-/connections/{connection_id}                                                   
    DELETE Connection.can_delete
-/connections/{connection_id}                                                   
    GET    Connection.can_read
-/connections/{connection_id}                                                   
    PATCH  Connection.can_edit
-/dagSources/{file_token}                                                       
    GET    DagCode.can_read
-/dags                                                                          
    GET    Dag.can_read
-/dags/{dag_id}                                                                 
    GET    Dag.can_read
-/dags/{dag_id}                                                                 
    PATCH  Dag.can_edit
-/dags/{dag_id}/clearTaskInstances                                              
    POST   Dag.can_read, DagRun.can_read, Task.can_edit
-/dags/{dag_id}/details                                                         
    GET    Dag.can_read
-/dags/{dag_id}/tasks                                                           
    GET    Dag.can_read, Task.can_read
-/dags/{dag_id}/tasks/{task_id}                                                 
    GET    Dag.can_read, Task.can_read
-/dags/{dag_id}/dagRuns                                                         
    GET    Dag.can_read, DagRun.can_read
-/dags/{dag_id}/dagRuns                                                         
    POST   Dag.can_read, DagRun.can_create
-/dags/{dag_id}/dagRuns/{dag_run_id}                                            
    DELETE Dag.can_read, DagRun.can_delete
-/dags/{dag_id}/dagRuns/{dag_run_id}                                            
    GET    Dag.can_read, DagRun.can_read
-/dags/~/dagRuns/list                                                           
    POST   Dag.can_read, DagRun.can_read
-/eventLogs                                                                     
    GET    Log.can_read
-/eventLogs/{event_log_id}                                                      
    GET    Log.can_read
-/importErrors                                                                  
    GET    ImportError.can_read
-/importErrors/{import_error_id}                                                
    GET    ImportError.can_read
-/health                                                                        
    GET    None
-/version                                                                       
    GET    None
-/pools                                                                         
    GET    Pool.can_read
-/pools                                                                         
    POST   Pool.can_create
-/pools/{pool_name}                                                             
    DELETE Pool.can_delete
-/pools/{pool_name}                                                             
    GET    Pool.can_read
-/pools/{pool_name}                                                             
    PATCH  Pool.can_edit
-/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances                              
    GET    Dag.can_read, DagRun.can_read, Task.can_read
-/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}                    
    GET    Dag.can_read, DagRun.can_read, Task.can_read
-/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/links              
    GET    Dag.can_read, DagRun.can_read, Task.can_read
-/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/logs/{task_try_number}
 GET    Dag.can_read, DagRun.can_read, Task.can_read
-/dags/~/dagRuns/~/taskInstances/list                                           
    POST   Dag.can_read, DagRun.can_read, Task.can_read
-/variables                                                                     
    GET    Variable.can_read
-/variables                                                                     
    POST   Variable.can_create
-/variables/{variable_key}                                                      
    DELETE Variable.can_delete
-/variables/{variable_key}                                                      
    GET    Variable.can_read
-/variables/{variable_key}                                                      
    PATCH  Variable.can_edit
-/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/xcomEntries        
    GET    Dag.can_read, DagRun.can_read, Task.can_read, XCom.can_read
-/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/xcomEntries/{xcom_key}
 GET    Dag.can_read, DagRun.can_read, Task.can_read, XCom.can_read
-==================================================================================
 ====== 
====================================================================================
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+Endpoint                                                                       
    Method Permissions                                                       
Minimum Role
+==================================================================================
 ====== ================================================================= 
============
+/config                                                                        
    GET    Configurations.can_read                                           
Viewer
+/connections                                                                   
    GET    Connections.can_read                                              Op
+/connections                                                                   
    POST   Connections.can_create                                            Op
+/connections/{connection_id}                                                   
    DELETE Connections.can_delete                                            Op
+/connections/{connection_id}                                                   
    PATCH  Connections.can_edit                                              Op
+/connections/{connection_id}                                                   
    GET    Connections.can_read                                              Op
+/dagSources/{file_token}                                                       
    GET    DAG Code.can_read                                                 
Viewer
+/dags                                                                          
    GET    DAGs.can_read                                                     
Viewer
+/dags/{dag_id}                                                                 
    GET    DAGs.can_read                                                     
Viewer
+/dags/{dag_id}                                                                 
    PATCH  DAGs.can_edit                                                     
User
+/dags/{dag_id}/clearTaskInstances                                              
    POST   DAGs.can_read, DAG Runs.can_read, Tasks.can_edit                  
User
+/dags/{dag_id}/details                                                         
    GET    DAGs.can_read                                                     
Viewer
+/dags/{dag_id}/tasks                                                           
    GET    DAGs.can_read, Tasks.can_read                                     
Viewer
+/dags/{dag_id}/tasks/{task_id}                                                 
    GET    DAGs.can_read, Tasks.can_read                                     
Viewer
+/dags/{dag_id}/dagRuns                                                         
    GET    DAGs.can_read, DAG Runs.can_read                                  
Viewer
+/dags/{dag_id}/dagRuns                                                         
    POST   DAGs.can_read, DAG Runs.can_create                                
User
+/dags/{dag_id}/dagRuns/{dag_run_id}                                            
    DELETE DAGs.can_read, DAG Runs.can_delete                                
User
+/dags/{dag_id}/dagRuns/{dag_run_id}                                            
    GET    DAGs.can_read, DAG Runs.can_read                                  
Viewer
+/dags/~/dagRuns/list                                                           
    POST   DAGs.can_read, DAG Runs.can_read                                  
Viewer
+/eventLogs                                                                     
    GET    Logs.can_read                                                     
Viewer
+/eventLogs/{event_log_id}                                                      
    GET    Logs.can_read                                                     
Viewer
+/importErrors                                                                  
    GET    ImportError.can_read                                              
Viewer
+/importErrors/{import_error_id}                                                
    GET    ImportError.can_read                                              
Viewer
+/health                                                                        
    GET    None                                                              
Public
+/version                                                                       
    GET    None                                                              
Public
+/pools                                                                         
    GET    Pool.can_read                                                     Op
+/pools                                                                         
    POST   Pool.can_create                                                   Op
+/pools/{pool_name}                                                             
    DELETE Pool.can_delete                                                   Op
+/pools/{pool_name}                                                             
    GET    Pool.can_read                                                     Op
+/pools/{pool_name}                                                             
    PATCH  Pool.can_edit                                                     Op
+/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances                              
    GET    DAGs.can_read, DAG Runs.can_read, Tasks.can_read                  
Viewer
+/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}                    
    GET    DAGs.can_read, DAG Runs.can_read, Tasks.can_read                  
Viewer
+/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/links              
    GET    DAGs.can_read, DAG Runs.can_read, Tasks.can_read                  
Viewer
+/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/logs/{task_try_number}
 GET    DAGs.can_read, DAG Runs.can_read, Tasks.can_read                  Viewer
+/dags/~/dagRuns/~/taskInstances/list                                           
    POST   DAGs.can_read, DAG Runs.can_read, Tasks.can_read                  
Viewer
+/variables                                                                     
    GET    Variables.can_read                                                Op
+/variables                                                                     
    POST   Variables.can_create                                              Op
+/variables/{variable_key}                                                      
    DELETE Variables.can_delete                                              Op
+/variables/{variable_key}                                                      
    GET    Variables.can_read                                                Op
+/variables/{variable_key}                                                      
    PATCH  Variables.can_edit                                                Op
+/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/xcomEntries        
    GET    DAGs.can_read, DAG Runs.can_read, Tasks.can_read, XComs.can_read  
Viewer
+/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/xcomEntries/{xcom_key}
 GET    DAGs.can_read, DAG Runs.can_read, Tasks.can_read, XComs.can_read  Viewer
+==================================================================================
 ====== ================================================================= 
============
+
+
+====================================== 
======================================================================= 
============
+Website Permissions
+-------------------------------------- 
------------------------------------------------------------------------------------
+Action                                 Permissions                             
                                Minimum Role
+====================================== 
======================================================================= 
============
+Access homepage                        Website.can_read                        
                                Viewer
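
Review bot: The resource names in the new Stable API table are not renamed consistently: most rows moved to plural forms (Connections.can_read, Variables.can_read, DAGs.can_read, XComs.can_read), but the /importErrors rows still read ImportError.can_read and the /pools rows still read Pool.can_read, Pool.can_create, Pool.can_delete and Pool.can_edit. A reader building a role from this table will grant the names exactly as written, so each string should be checked against the resource name the code registers, and these two either renamed or confirmed as intentional. Separately, in the added sentence introducing the five default roles, "preceeding" should be "preceding".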

Review comment:
       Probably want to mention that Website.can_read is needed for all (but 
without listing it in every row?)



