thetaiter opened a new issue, #24739: URL: https://github.com/apache/airflow/issues/24739

### Apache Airflow version

2.2.4

### What happened

We would like to set up DAG specific permissions for users of our Airflow instance. We use LDAP for authentication, and have gotten AUTH_ROLES_MAPPING working correctly. Our issue lies on the Airflow FAB roles side. I followed the instructions in this youtube video to set up DAG specific access: https://www.youtube.com/watch?v=s6TygwvYdN0

In that video, I was instructed to make a copy of the `User` role, rename it, remove the `can read on DAGs` and `can edit on DAGs` permissions, and then add DAG specific permissions to read and edit the specific DAG I want to grant access to. After assigning this role to a user, this works just fine as expected.

Our desired use-case is slightly different. What I would like to do is split these permissions between 2 new roles instead of just one. So, I'd like to make a copy of the `User` role (let's call it `BaseRole`) and remove the `can edit on DAGs` and `can delete on DAGs` permissions. Then, I would like to make a new empty role (with no permissions) and then add only the DAG specific permissions `can read on DAG:<dag-name>` and `can edit on DAG:<dag-name>`. Finally, I'd like to add both of these roles to a user, and I expect the exact same results as in the previous paragraph. However, this does not work. The user is able to turn the DAG on and off, but is unable to view the DAG or perform any actions like running a task.

### What you think should happen instead

We should be able to split permissions between 2 different roles rather than requiring a single role to have all appropriate permissions. Functionality with all desired permissions in one role should be identical to those same permissions split between 2 roles.

### How to reproduce

1. Make a copy of the `User` role (let's call it `BaseRole`) and remove the `can edit on DAGs` and `can delete on DAGs` permissions.
2. Make a new empty role (with no permissions, let's call it `TestRole`) and then add only the DAG specific permissions for 1 DAG (`can read on DAG:<dag-name>` and `can edit on DAG:<dag-name>`).
3. Create a new user called `TestUser` with only the above 2 roles `BaseRole` and `TestRole`
4. Log into Airflow as the `TestUser` and try to access the `<dag-name>` DAG. You should see it in the interface as expected, and will be able to turn it on or off from the homepage, but if you try to click into it to see the tasks, it will fail with `Access is denied`.

### Operating System

Running in Docker on Kubernetes

### Versions of Apache Airflow Providers

None relevant to this issue

### Deployment

Other 3rd-party Helm chart

### Deployment details

We have written a customized Helm chart for our purposes with some extra resources like service accounts and things. We are extending the existing official Airflow Helm chart:

```
dependencies:
  - name: airflow
    version: 1.5.0
    repository: https://airflow.apache.org/
```

### Anything else

_No response_

### Are you willing to submit PR?

- [ ] Yes I am willing to submit a PR!

### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
