Jorricks edited a comment on issue #12301:
URL: https://github.com/apache/airflow/issues/12301#issuecomment-865744420


   I thought this as well, @jhtimmins; however, all permissions for modifying 
Task Instances or modifying Dag Runs as of today require `dag_read` permissions 
on the DAG and the corresponding action permission.
   Hence, if we only change it for this view, we would make the whole 
implementation very inconsistent.
   Please take a look [at the Access Control page of Airflow](https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html#dag-level-permissions)
   
   It feels to me as if the whole `dag_edit` base_permission is 
useless in this case.
   I would propose to completely change the following items (copied from the 
link above) to require `DAGS.can_edit` where it currently says `DAGS.can_read` 
privileges.
   
   Action | Permissions | Minimum Role
   -- | -- | --
   Clear Task Instance | DAGs.can_read, DAG Runs.can_read, Task Instances.can_edit | User
   Triggers Task Instance | DAGs.can_read, Task Instances.can_create | User
   Clear DAG | DAGs.can_read, Task Instances.can_delete | User
   Clear DAG Run | DAGs.can_read, Task Instances.can_delete | User
   Mark DAG as blocked | Dags.can_read, DAG Runs.can_read | User
   Mark DAG Run as failed | Dags.can_read, DAG Runs.can_edit | User
   Mark DAG Run as success | Dags.can_read, DAG Runs.can_edit | User
   Mark Task as failed | DAGs.can_read, Task Instances.can_edit | User
   Mark Task as success | DAGs.can_read, Task Instances.can_edit | User
   
   I would love to do the work if you agree with what I wrote here.
   It would allow me to delete some extra permissions listeners (on database 
events of SQLAlchemy) that I introduced because of the change in required 
permissions by Airflow 2.0.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

