swalkowski opened a new issue #12237:
URL: https://github.com/apache/airflow/issues/12237
**Apache Airflow version**: 1.10.12
**Environment**:
- **Cloud provider or hardware configuration**: Google Cloud Composer
(tweaked environment running Airflow RBAC UI)
**What happened**:
In Airflow RBAC UI, when switching between pages, 'Access is Denied' error
message actually indicates missing permissions on the previously visited page.
I understand the basic scenario for which this behavior has been designed:
- I try to go to a page to which I don't have access, I am redirected to the
home page, which shows 'Access is Denied', so I conclude that I don't have
access to the page that I tried to open.
But the interactions which end up in showing 'Access is Denied' are not
always that simple, and this is where it gets confusing to show the message on
a different page than the one to which the user had no access:
- When I'm an Admin and go to List Users, click Edit record on my user,
change my role from Admin to Viewer, click Save, I am redirected to the home
page, which shows a green 'Changed Row' message and a red 'Access is Denied'.
- This is a confusing signal. Did the role assignment succeed or not?
Which access was denied if I didn't try to open any page? (I know the messages
come from successful user record update and unsuccessful load of List Users
page to which I'm redirected after clicking Save - but not every user may
realize this.)
- When I don't have `can varimport on VariableModelView` permission and go
to Variables page, choose a file, click Import Variables, I am redirected to
the home page, which shows 'Access is Denied'.
- How do I know which permissions I was missing? I might think that I
didn't have permission to the file, which is not the case.
- In Airflow 1.10.10 we've also observed a situation in which removing some
permissions (from the current user's role) required for asynchronous work on
the homepage, loading the homepage, and going to an unrelated page (like List
Roles) resulted in showing a completely unexpected 'Access is Denied' message
in that unrelated page.
- This was the most confusing behavior but I'm not able to reproduce it
in Airflow 1.10.12. Here, the asynchronous work on one page resulted in
accumulating 'Access is Denied' message in the background, and showing it on
the next page visited, no matter what the next page was.
I guess this behavior may be built deeply into Flask-AppBuilder and hard to
change. But it's still a UX concern for Airflow.
**What you expected to happen**:
'Access is Denied' error should clearly indicate which page or its fragment
it refers to.
**How to reproduce it**:
Follow the setup and steps described in 'What happened' section.
+cc @ryanahamilton @k-jakub
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
