BBAtSFP opened a new issue #18962: URL: https://github.com/apache/airflow/issues/18962
### Describe the issue with documentation

1. The [permissions documentation](https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html#dag-level-permissions) does not necessarily describe exactly what you see in AirFlow (List Roles and/or Edit Role). Example: Use "List Roles" to see the current permissions of the "Viewer" default role:

```
can pickle info on Airflow
menu access on DAG Runs
menu access on Browse,
menu access on Jobs
menu access on SLA Misses,
menu access on Task Instances
menu access on Documentation
menu access on Docs
can version on VersionView
menu access on Version
menu access on About
can read on DAGs
can read on DAG Runs
can read on Task Instances
can read on Audit Logs
can read on ImportError
can read on XComs
can read on DAG Code
can read on Plugins
can read on DAG Dependencies
can read on Jobs
can read on My Password
can edit on My Password
can read on My Profile
can edit on My Profile
can read on SLA Misses
can read on Task Logs
can read on Website
menu access on Audit Logs
menu access on Plugins
```

You will not find these terms "as-is" on the documentation page. Also, some specific terms cannot be identified (e.g. "pickle").

2. It requires trial & error (and the documentation page) to create a role which only allows viewing & executing a specific DAG. A complete, verified example would be nice.

### How to solve the problem

1. Please explain/add the terms as seen in AirFlow to the documentation. E.g.

```
can pickle info on Airflow = actually, no idea
menu access on DAG Runs = Browser -> DAG Runs menu access. Requires also "menu access on Browse" (may also require additional permissions, e.g. on /dags like DAGs.can_read (list all) or "can read on DAG:example_dag_id" = DAG:example_dag_id.can_read, I guess)
...
can read on DAG Runs = Actually permission for an endpoint and equals Runs.can_read mentioned on the page
...
can read on My Password = not exactly sure, what this does
can edit on My Password = Permission to change your own pwd, I guess, but in UI should require also
can read on My Profile = access profile page (Menu -> Your Profile)
can edit on My Profile = edit profile
```

2. Example for "Exec specific DAG" role: By using some trial & error I identified these permissions required to see/exec a specific DAG, only (please verify):

```
can edit on DAG:example_dag_id: Seems to be required to execute the DAG
can read on DAG:example_dag_id: Required to see the DAG
can read on DAG Runs: Required, as otherwise "Runs" icons in overview will keep spinning
can read on Task Instances: Required, as otherwise "Recent Tasks" icons in overview will keep spinning
can create on DAG Runs: Required, as otherwise the "Trigger DAG" button is not available for the DAG
can read on DAG Code: Optional, view the DAG code
can read on My Password: Not sure, may not be needed
can read on My Profile: Access own profile page
can read on Task Logs: Required to access the DAG logs
can read on Website: Required, as otherwise you can log in, but you are buried under error messages
menu access on Documentation: Optional, nice to have
menu access on Docs: Optional, nice to have (difference to the previous permission?)
menu access on About: Optional, nice to have
```

### Anything else

You may also consider adding an additional header above the "Stable API Permissions" and "Website Permissions" tables, e.g. "Endpoint & default role permissions". Currently, it seems that the tables relate to "DAG-level permissions" (permissions per DAG). Example:

- "Trigger DAG run" shows "Dags.can_edit, DAG Runs.can_create" as "Permissions" and mentions the "User" role. This combination provides the ability for **all** DAGs.
- "Trigger DAG run" for a specific DAG would require "example_dag_id.can_edit" ("Can edit on DAG:example_dag_id") and DAG Runs.can_create ("Can create on DAG Runs"), only.

### Are you willing to submit PR?

- [ ] Yes I am willing to submit a PR!

### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
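A least-privilege review of the "Exec specific DAG" role from the issue, added here as an example (not Airflow code and not the reporter's): it parses the `<action> on <resource>` strings as shown on List Roles into the `<Resource>.<action>` notation the docs use, then diffs a pasted role against the entries the issue marks "Required". The verb-to-action mapping and the Viewer excerpt are assumptions constructed from the strings quoted above.

```python
import re
from typing import Dict, Iterable, Set, Tuple

# UI verbs from the List Roles page -> action names in the docs' notation (assumed mapping).
_ACTIONS = {"can read": "can_read", "can edit": "can_edit",
            "can create": "can_create", "can delete": "can_delete",
            "menu access": "menu_access"}
_LINE = re.compile(r"\s*(can [\w ]+?|menu access) on (.+?)\s*")

def parse_permission(line: str) -> Tuple[str, str]:
    """'can read on DAG:example_dag_id' -> ('DAG:example_dag_id', 'can_read').
    A verb not in _ACTIONS (e.g. 'can pickle info') is kept as 'can_pickle_info'."""
    m = _LINE.fullmatch(line)
    if not m:
        raise ValueError(f"not a permission line: {line!r}")
    verb, resource = m.group(1), m.group(2)
    return resource, _ACTIONS.get(verb, verb.replace(" ", "_"))

def minimal_exec_role(dag_id: str) -> Set[Tuple[str, str]]:
    """The 'Required' entries of the issue's one-DAG role, as (resource, action)."""
    return {(f"DAG:{dag_id}", "can_read"), (f"DAG:{dag_id}", "can_edit"),
            ("DAG Runs", "can_read"), ("DAG Runs", "can_create"),
            ("Task Instances", "can_read"), ("Task Logs", "can_read"),
            ("Website", "can_read")}

def review_role(ui_lines: Iterable[str], dag_id: str) -> Dict[str, Set[str]]:
    """'missing' breaks the one-DAG workflow; 'extra' is what a least-privilege
    review should question (e.g. DAGs.can_read exposes every DAG, not one)."""
    have = {parse_permission(l) for l in ui_lines if l.strip()}
    need = minimal_exec_role(dag_id)
    as_docs = lambda perms: {f"{r}.{a}" for r, a in perms}
    return {"missing": as_docs(need - have), "extra": as_docs(have - need)}

# Constructed sample: a subset of the Viewer role as quoted in the issue.
VIEWER_ROLE_UI = """\
can read on DAGs
can read on DAG Runs
can read on Task Instances
can read on Task Logs
can read on Website
menu access on DAG Runs
menu access on Browse
""".splitlines()

if __name__ == "__main__":
    for kind, perms in review_role(VIEWER_ROLE_UI, "example_dag_id").items():
        print(kind, sorted(perms))
```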
