twang90 opened a new issue, #25560: URL: https://github.com/apache/airflow/issues/25560
### Apache Airflow version

Other Airflow 2 version

### What happened

I am using Airflow 2.2.4 and I am trying to achieve per-DAG permissions. I want to give a role permissions to clear some DAG's status on the UI (so that they can re-run a task).

According to https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html#dag-level-role, "Clear DAG run" requires "DAGs.can_edit, Task Instances.can_delete", but when I gave the role permissions to `can edit on DAG:xxx, can delete on Task Instances`, it can clear DAG runs on all DAGs.

I am wondering if it's a bug, or if there are some other ways to achieve this. Thanks!

### What you think should happen instead

When I gave the role permissions to `can edit on DAG:xxx, can delete on Task Instances`, the role can clear the task status on DAG xxx, but it can't clear status on any other DAGs.

### How to reproduce

On an existing Airflow service,

1. Use an account with Admin role, create a new role, e.g. TestClearRole
2. Pick a DAG, e.g. DagToTest; assume it has other DAGs, e.g. DagWithoutPermission.
3. Add `TestClearRole` with permissions, `can edit on DAG:DagToTest, can delete on Task Instances`
4. Using an account with TestClearRole role, clear the status of one task in `DagWithoutPermission`.

The user should have permissions to clear its status. But I think the right behavior should be the user can not.

### Operating System

Airflow UI

### Versions of Apache Airflow Providers

_No response_

### Deployment

Official Apache Airflow Helm Chart

### Deployment details

_No response_

### Anything else

_No response_

### Are you willing to submit PR?

- [X] Yes I am willing to submit a PR!

### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
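The expected per-DAG scoping from the report, written as a small model that can serve as a regression check. This is an added example, not part of the original issue and not Airflow's own code; the function names are hypothetical, `can_clear_unscoped` is a constructed model of the reported symptom only (the issue does not state a root cause), and treating the `DAGs` resource as a grant on every DAG is an assumption about Airflow's permission model.

```python
from typing import Callable, Iterable, List, Set, Tuple

Permission = Tuple[str, str]  # (action, resource), e.g. ("can_edit", "DAG:DagToTest")

GLOBAL_DAGS = "DAGs"             # resource assumed to cover every DAG
DAG_PREFIX = "DAG:"              # per-DAG resource prefix, as in "DAG:xxx"
TASK_INSTANCES = "Task Instances"


def granted_dags(perms: Set[Permission], dag_ids: Iterable[str]) -> Set[str]:
    """DAGs the role may edit: all via the global resource, else per-DAG grants."""
    ids = set(dag_ids)
    if ("can_edit", GLOBAL_DAGS) in perms:
        return ids
    return {d for d in ids if ("can_edit", DAG_PREFIX + d) in perms}


def can_clear_scoped(perms: Set[Permission], dag_id: str) -> bool:
    """Expected rule: Task Instances.can_delete AND can_edit on this DAG."""
    return (("can_delete", TASK_INSTANCES) in perms
            and bool(granted_dags(perms, [dag_id])))


def can_clear_unscoped(perms: Set[Permission], dag_id: str) -> bool:
    """Constructed model of the reported symptom: dag_id is never consulted."""
    has_any_edit = any(
        action == "can_edit" and (res == GLOBAL_DAGS or res.startswith(DAG_PREFIX))
        for action, res in perms
    )
    return ("can_delete", TASK_INSTANCES) in perms and has_any_edit


def overreach(check: Callable[[Set[Permission], str], bool],
              perms: Set[Permission], dag_ids: Iterable[str]) -> List[str]:
    """DAGs the check lets the role clear without an edit grant on them."""
    ids = list(dag_ids)
    allowed = granted_dags(perms, ids)
    return sorted(d for d in ids if check(perms, d) and d not in allowed)


# Constructed sample data taken from the issue's reproduction steps.
TEST_CLEAR_ROLE = {("can_edit", "DAG:DagToTest"), ("can_delete", "Task Instances")}
ALL_DAGS = ["DagToTest", "DagWithoutPermission"]

if __name__ == "__main__":
    print("scoped overreach:  ", overreach(can_clear_scoped, TEST_CLEAR_ROLE, ALL_DAGS))
    print("unscoped overreach:", overreach(can_clear_unscoped, TEST_CLEAR_ROLE, ALL_DAGS))
```

A non-empty `overreach` result for a role is the condition the issue describes: the role can clear task instances in a DAG it holds no edit grant on.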
