Jorricks opened a new pull request #16634: URL: https://github.com/apache/airflow/pull/16634
All permissions for modifying Task Instances or modifying Dag Runs as of today require `dag_read` permissions on the DAG and the corresponding action permission. A full overview is shown [at the Access Control page of Airflow](https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html#dag-level-permissions). It feels to me as if in that case the whole `dag_edit` base_permission is undervalued and the `dag_view` base_permission gives too many actual permissions. Imagine the following setup:

- Everyone is able to see each other's DAGs
- Some people should be able to modify their own DAGs
- They should not be able to modify their neighbours' DAGs

This setup is currently not supported. As a workaround, on my work setup I currently implemented a SQLAlchemy listener to block update operations on TaskInstances where a user doesn't have `can_edit` privilege on this specific DAG. Therefore this PR changes the following items (copied from the link above) to require `DAGS.can_edit` where it currently says `DAGS.can_read` privileges.
**Currently:**

| Action | Permissions | Minimum Role |
| -- | -- | -- |
| Clear DAG | DAGs.can_read, Task Instances.can_delete | User |
| Clear DAG Run | DAGs.can_read, Task Instances.can_delete | User |
| Mark DAG as blocked | Dags.can_read, DAG Runs.can_read | User |
| Mark DAG Run as failed | Dags.can_read, DAG Runs.can_edit | User |
| Mark DAG Run as success | Dags.can_read, DAG Runs.can_edit | User |
| Clear Task Instance | DAGs.can_read, DAG Runs.can_read, Task Instances.can_edit | User |
| Triggers Task Instance | DAGs.can_read, Task Instances.can_create | User |
| Mark Task as failed | DAGs.can_read, Task Instances.can_edit | User |
| Mark Task as success | DAGs.can_read, Task Instances.can_edit | User |

**Updated:**

| Action | Permissions | Minimum Role |
| -- | -- | -- |
| Clear DAG | DAGs.can_edit, Task Instances.can_delete | User |
| Clear DAG Run | DAGs.can_edit, Task Instances.can_delete | User |
| Mark DAG as blocked | Dags.can_edit, DAG Runs.can_read | User |
| Mark DAG Run as failed | Dags.can_edit, DAG Runs.can_edit | User |
| Mark DAG Run as success | Dags.can_edit, DAG Runs.can_edit | User |
| Clear Task Instance | DAGs.can_edit, Task Instances.can_edit | User |
| Triggers Task Instance | DAGs.can_edit, Task Instances.can_create | User |
| Mark Task as failed | DAGs.can_edit, Task Instances.can_edit | User |
| Mark Task as success | DAGs.can_edit, Task Instances.can_edit | User |

If there is interest in merging this PR, I will also make a corresponding PR on the docs side to update the page.
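The following is an added example, not code from this PR or from Airflow itself. It models the DAG-level check the PR is about: both tables above are encoded as policies, a user's permission set is evaluated against them for a given DAG, and an audit helper lists every state-changing action a user can perform on a DAG they are not allowed to edit. The per-DAG resource naming `DAG:<dag_id>` is modelled on Airflow's convention; the user `ALICE`, the DAG ids and the permission sets are constructed for the scenario described in the PR (everyone can read every DAG, but only the owner may edit).

```python
# Added example (not Airflow's code): model of the DAG-level permission check
# discussed in this PR. Policies are transcribed from the PR's two tables.

# Action -> required (action, resource) pairs. "DAG" stands for the per-DAG
# resource of the DAG being acted on and is resolved to "DAG:<dag_id>" below.
CURRENT_POLICY = {
    "clear_dag":             [("can_read", "DAG"), ("can_delete", "Task Instances")],
    "clear_dag_run":         [("can_read", "DAG"), ("can_delete", "Task Instances")],
    "mark_dag_blocked":      [("can_read", "DAG"), ("can_read", "DAG Runs")],
    "mark_dag_run_failed":   [("can_read", "DAG"), ("can_edit", "DAG Runs")],
    "mark_dag_run_success":  [("can_read", "DAG"), ("can_edit", "DAG Runs")],
    "clear_task_instance":   [("can_read", "DAG"), ("can_read", "DAG Runs"),
                              ("can_edit", "Task Instances")],
    "trigger_task_instance": [("can_read", "DAG"), ("can_create", "Task Instances")],
    "mark_task_failed":      [("can_read", "DAG"), ("can_edit", "Task Instances")],
    "mark_task_success":     [("can_read", "DAG"), ("can_edit", "Task Instances")],
}

# "Updated" table: the DAG-level requirement becomes can_edit everywhere.
UPDATED_POLICY = {
    action: [("can_edit" if res == "DAG" else act, res) for act, res in reqs]
    for action, reqs in CURRENT_POLICY.items()
}
# The PR's updated row for "Clear Task Instance" lists only these two pairs.
UPDATED_POLICY["clear_task_instance"] = [("can_edit", "DAG"), ("can_edit", "Task Instances")]


def dag_resource(dag_id: str) -> str:
    """Per-DAG resource name, modelled on Airflow's 'DAG:<dag_id>' convention."""
    return f"DAG:{dag_id}"


def is_authorized(user_perms: set, policy: dict, action: str, dag_id: str) -> bool:
    """True only if the user holds every (action, resource) pair the policy requires."""
    for act, res in policy[action]:
        if res == "DAG":
            res = dag_resource(dag_id)
        if (act, res) not in user_perms:
            return False
    return True


def cross_dag_exposure(user_perms: set, policy: dict, dag_ids: list) -> list:
    """Audit helper: actions the user may perform on DAGs they cannot edit.

    Any hit means a read-only grant on that DAG still allows state changes,
    which is exactly the gap the PR description points out.
    """
    hits = []
    for dag_id in dag_ids:
        if ("can_edit", dag_resource(dag_id)) in user_perms:
            continue  # owner-level access; not a cross-DAG concern
        for action in policy:
            if is_authorized(user_perms, policy, action, dag_id):
                hits.append((action, dag_id))
    return sorted(hits)


# Constructed scenario: alice can read both DAGs, edit only her own, and holds
# the action permissions a "User"-role account would have (assumed set).
ALICE = {
    ("can_read", "DAG:alice_dag"), ("can_edit", "DAG:alice_dag"),
    ("can_read", "DAG:bob_dag"),
    ("can_read", "DAG Runs"), ("can_edit", "DAG Runs"),
    ("can_create", "Task Instances"), ("can_edit", "Task Instances"),
    ("can_delete", "Task Instances"),
}
DAGS = ["alice_dag", "bob_dag"]

if __name__ == "__main__":
    print("current policy exposure:", cross_dag_exposure(ALICE, CURRENT_POLICY, DAGS))
    print("updated policy exposure:", cross_dag_exposure(ALICE, UPDATED_POLICY, DAGS))
```

Running the audit under `CURRENT_POLICY` lists all nine actions against `bob_dag`, because a read grant on the DAG satisfies the DAG-level half of every row; under `UPDATED_POLICY` the list is empty while alice keeps full control of `alice_dag`. The same helper can be pointed at an exported role/permission listing to find accounts whose read access on shared DAGs still translates into the ability to clear or mark tasks there.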
