juroVee opened a new issue #16772:
URL: https://github.com/apache/airflow/issues/16772
**Description**
Currently there are only two permissions that can be set on a DAG level:
`dag_config.access_control:
SomeAirflowRole: ['can_read', 'can_edit']`
We would like to have an option to set additional permissions in this
access_control parameter, so SomeAirflowRole can have full user access only to
the specific DAG (delete it, run/clear/manage DAGRuns + TaskInstances, etc.).
**Use case / motivation**
We've tried to create a custom role for a team, so they can manage ONLY
their DAGs (in full user control), but at the same time this team needs to have
also a Viewer role so they can see all the DAGs in the environment.
What we've observed is, that Airflow currently doesn't provide an option to
set permissions for a specific DAG that will achieve our desired goal.
We've observed two different sides of this problem:
- Permission can_edit is not sufficient for full user control access - Task
Instances, DAG Run and DAG deletion permissions cannot be set on a specific DAG
level.
- If we set these permissions on a global level, full user control actions
are no longer limited for a specific DAG, so this whole security feature will
become pointless.
**Example:**
User from a specific team needs to have a full user access to a specific
DAGs, but at the same time needs to be able to view all the other DAGs. The
only way to achieve this is to give user `can_read` permission on all DAGs (so
that he can see all of the DAGs), `can_edit` permission on HIS DAGs, and to
give him permissions to create/edit/delete both Task Instances and DAG Runs
(these can only be set on global level). This way, user will see all DAGs, but
should only be able to work with DAGs that are his own.
However, some actions within Airflow only require `dag.can_read` permission
in combination with permissions on DAG Runs / Task Instances - for example, to
Clear a DAG Run, required permissions are only `DAGs.can_read,
TaskInstances.can_delete`.
As such, user will be able to perform this action on any DAG that he can see
- which means he will be able to perform this action (and other similar
actions) on ALL DAGs.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
