sunny760408 opened a new issue #22067:
URL: https://github.com/apache/airflow/issues/22067
### Apache Airflow version
2.2.2
### What happened
Hi everyone,
* In order to separate permissions, I created two roles:
1. CustomRole: Copied from User, and then deleted "can read on DAGs, can read on DAG Runs".
Permissions are as below:
```
[can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs,
can create on DAG Runs, can read on Audit Logs, **can read on ImportError,** can read on XComs, can read on DAG Code,
can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password,
can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs,
can read on Website, menu access on Browse, menu access on DAG Runs, menu access on Documentation,
menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses,
menu access on Task Instances, can delete on DAGs, can create on Task Instances, can delete on Task Instances,
can edit on DAG Runs]
```
2. TeamA: By default it has "can read on Website", and each DAG uploaded to Airflow will add **can read on DAG** and **can edit on DAG**.
Permissions are as below:
```
[can read on Website]
```
TeamA_DAG_apple.py access control:
```
...
with DAG(
    dag_id="TeamA_DAG_apple",
    schedule_interval=None,
    start_date=days_ago(1),
    catchup=False,
    tags=["TeamA"],
    access_control={
        'TeamA': {'can_read', 'can_edit'}
    }
....
```
Now I upload a DAG named TeamA_DAG_apple, and the permissions change as below:
```
[can read on Website, can read on DAG:TeamA_DAG_apple, can edit on DAG:TeamA_DAG_apple]
```
* The user who can use DAG "TeamA_DAG_apple" has two roles: [CustomRole, TeamA]
* Here is the issue:
* If the first upload of DAG "TeamA_DAG_apple" is correct, the DAG can be added to the permissions of role "TeamA", and if you then modify schedule_interval to a wrong format, such as schedule_interval="10 30 * * *", you can see the DAG Import Error shown in the WebUI.
* But if the first upload of DAG "TeamA_DAG_apple" is NOT correct, you can't see the DAG Import Error shown in the WebUI, because the DAG was not added to the permissions of role "TeamA"; a DAG with an error cannot be added to the permissions.
* Only a user who has the permission [can read on DAG**s**] can see the DAG Import Error.
I guess Airflow checks the DAG first and does not add the permission first, so changing the order may solve this issue.
### What you expected to happen
_No response_
### How to reproduce
_No response_
### Operating System
PRETTY_NAME="Debian GNU/Linux 10 (buster)" NAME="Debian GNU/Linux"
VERSION_ID="10" VERSION="10 (buster)" VERSION_CODENAME=buster ID=debian
### Versions of Apache Airflow Providers
_No response_
### Deployment
Official Apache Airflow Helm Chart
### Deployment details
_No response_
### Anything else
_No response_
### Are you willing to submit PR?
- [X] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
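The two upload sequences described in the issue, as a simplified Python model added here (not Airflow's code and not part of the original report). The `Webserver` class, its methods, the file-to-DAG lookup and the error string are assumptions made only to reproduce the reported behaviour.

```python
"""Toy model of the reported import-error visibility gap (assumed logic, not Airflow's)."""

GLOBAL_DAG_READ = ("can_read", "DAGs")           # "can read on DAGs"
IMPORT_ERROR_READ = ("can_read", "ImportError")  # "can read on ImportError"


class Webserver:
    def __init__(self, roles):
        self.roles = {name: set(perms) for name, perms in roles.items()}
        self.file_to_dag = {}    # file -> dag_id learned from the last good parse
        self.import_errors = {}  # file -> error message

    def process_file(self, path, dag_id, access_control, parses):
        """Model one parse of a DAG file."""
        if not parses:
            # Broken file: the error is recorded, access_control is never applied.
            self.import_errors[path] = "invalid schedule_interval"  # constructed text
            return
        self.import_errors.pop(path, None)
        self.file_to_dag[path] = dag_id
        for role, actions in access_control.items():
            for action in actions:
                self.roles[role].add((action, f"DAG:{dag_id}"))

    def visible_import_errors(self, user_roles):
        """Files whose import error a user holding these roles would see."""
        perms = set().union(*(self.roles[r] for r in user_roles))
        if IMPORT_ERROR_READ not in perms:
            return []
        if GLOBAL_DAG_READ in perms:
            return sorted(self.import_errors)
        # Without the global permission, only files tied to a readable DAG show up.
        return sorted(
            path for path in self.import_errors
            if ("can_read", f"DAG:{self.file_to_dag.get(path)}") in perms
        )


def scenario(first_upload_parses):
    """Replay the issue: optional good upload, then a broken upload of the same file."""
    ws = Webserver({
        "CustomRole": {IMPORT_ERROR_READ},  # trimmed to the permission that matters
        "TeamA": {("can_read", "Website")},
    })
    acl = {"TeamA": {"can_read", "can_edit"}}
    path = "TeamA_DAG_apple.py"
    if first_upload_parses:
        ws.process_file(path, "TeamA_DAG_apple", acl, parses=True)
    ws.process_file(path, "TeamA_DAG_apple", acl, parses=False)
    return ws.visible_import_errors(["CustomRole", "TeamA"])
```

`scenario(True)` returns the broken file, while `scenario(False)` returns an empty list: a team whose first upload is broken gets no signal that the file failed to import.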