npodewitz opened a new pull request #21797: URL: https://github.com/apache/airflow/pull/21797
This PR addresses two bugs concerning dag level access permissions. 1. Dag level permissions are not checked properly if a post request is sent from within the web ui (i.e. clear a task or dag run). If a user has can_read on any dag any operation that involves a post request is allowed even though the user does not have the can_write permission for this dag as far as the appropriate other permissions like edit_task_instance or edit_dag_run were granted. This is caused by the dag_id being extracted from `request.args` which only exists for get requests (i.e. change the status of a task). Otherwise `None` is used as dag_id in `appbuilder.sm.check_authorization` which essentially leads to ignoring the dag level access permissions. 2. The inheritance of dag level access permissions for subdags makes dag level (edit) access unusable for any dag that contains a dot in its id. Consider two dags `A` and `A.B` where the later is not a subdag. The current implementation makes it impossible to define dag level access permissions for `A.B`. Instead the dag level permissions of `A` are silently applied to `A.B`. I couldn't find any hint in the documentation that either addresses this behaviour nor states that you can or sould not use a dot in the dag id. **Concerning 1.** We changed the extraction of dag_id from the request object to first try the query string, then the form data and lastly the json body if it exists. **Concerning 2.** We removed the special logic of splitting the dag id after the first dot. This essentially removes the dag level permission inheritance for subdags in favour of enabling dag level access permissions for all dags with dots in its ids. Since we could not think of an easy way to enable both and subdags are considered deprecated, as far as we understood, we think this to be the more sustainable version. At last let me thank you all for your great work and this outstanding piece of software. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
