benriou opened a new issue, #33580:
URL: https://github.com/apache/airflow/issues/33580
### Apache Airflow version
2.7.0
### What happened
After upgrading from Airflow 2.5 to 2.7.0, a service account is not allowed
to perform API Calls to `https://<redacted>/api/v1/dags/<dag_name>/dagRuns`
(403 error).
The role permission assigned to the service account was: `can create on DAG
Runs`, `can edit on DAG Runs`, `can read on Website`; this was enough to start
**any existing DAG** via the Airflow API.
Now we explicitly need to give per-DAG permissions: `can edit on
DAG:<dag_name>`, `can create on DAG:<dag_name>`. Then, it's working again.
### What you think should happen instead
I did not notice any change between 2.5 and 2.7 related to the way Airflow
handles role permissions.
I suppose that "global permissions" (`can create on DAG Runs`) without
explicitly defining a dag_name, should continue to operate like before.
### How to reproduce
Create a user with a permission.
The permission should contain `can create on DAG Runs`, `can edit on DAG
Runs`.
Perform an API call as follows:
```
# Timestamp and a random run id for this trigger request
export EXECUTION_DATE=$(date +"%Y-%m-%dT%H:%M:%S+0000")
export UUID=$(cat /proc/sys/kernel/random/uuid)
echo "Airflow execution date is: $EXECUTION_DATE"
echo "dag_run_id_is : $UUID"
# Trigger the DAG through the REST API with basic auth
curl -X 'POST' \
  'https://<AIRFLOW_HOSTNAME>/api/v1/dags/<DAG_NAME>/dagRuns' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --fail-with-body \
  --user "CREDENTIALS_USER_NAME:CREDENTIALS_SECRET_KEY" \
  -d '{
    "conf": {},
    "dag_run_id": "'"$UUID"'"
  }'
```
You'll get a 403 error like:
```
Airflow execution date is: 2023-08-21T15:10:35+0000
dag_run_id_is :
{
  "detail": null,
  "status": 403,
  "title": "Forbidden",
  "type": "https://airflow.apache.org/docs/apache-airflow/2.7.0/stable-rest-api-ref.html#section/Errors/PermissionDenied"
}
```
Edit the permissions assigned to the role, and add an explicit `can edit on
DAG:<dag_name>`; then the 403 is gone.
### Operating System
Debian 11
### Versions of Apache Airflow Providers
_No response_
### Deployment
Official Apache Airflow Helm Chart
### Deployment details
_No response_
### Anything else
_No response_
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
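A pre-upgrade audit for the situation reported above, as an added example that is not part of the original issue or of Airflow's own code: it takes role objects in the shape returned by the REST API's `GET /api/v1/roles` (action names such as `can_create`, `can_edit`) and lists, per DAG, the DAG-level actions a run-triggering role lacks. The rule encoded is the reporter's observation from "How to reproduce"; treating the all-DAGs resource `DAGs` as also satisfying it is an assumption, and the sample roles and DAG ids are constructed.

```python
"""Flag roles that rely on global DAG Run permissions only (added example)."""

GLOBAL_DAGS = "DAGs"  # assumption: a grant on all DAGs also satisfies the per-DAG check
DAG_RUNS = "DAG Runs"


def grants(role):
    """Return the role's permissions as a set of (action, resource) pairs."""
    return {(a["action"]["name"], a["resource"]["name"]) for a in role.get("actions", [])}


def missing_dag_actions(role, dag_id, required=("can_edit",)):
    """DAG-level actions the role lacks for dag_id, per the behaviour reported on 2.7.0."""
    held = grants(role)
    return sorted(
        act for act in required
        if (act, f"DAG:{dag_id}") not in held and (act, GLOBAL_DAGS) not in held
    )


def audit(roles, dag_ids, required=("can_edit",)):
    """Map role name -> {dag_id: [missing actions]} for roles that can create DAG runs."""
    findings = {}
    for role in roles:
        if ("can_create", DAG_RUNS) not in grants(role):
            continue  # role cannot trigger runs at all, so it is not affected
        gaps = {d: m for d in dag_ids if (m := missing_dag_actions(role, d, required))}
        if gaps:
            findings[role["name"]] = gaps
    return findings


def perm(action, resource):
    """Build one entry of a role's `actions` list."""
    return {"action": {"name": action}, "resource": {"name": resource}}


# Constructed sample roles; role names and DAG ids are hypothetical.
SAMPLE_ROLES = [
    {"name": "svc-trigger", "actions": [perm("can_create", DAG_RUNS),
                                        perm("can_edit", DAG_RUNS),
                                        perm("can_read", "Website")]},
    {"name": "svc-fixed", "actions": [perm("can_create", DAG_RUNS),
                                      perm("can_edit", "DAG:etl_daily")]},
    {"name": "viewer", "actions": [perm("can_read", "Website")]},
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_ROLES, ["etl_daily", "reporting"]).items():
        print(name, gaps)
```

Pass `required=("can_edit", "can_create")` to check for both per-DAG permissions named in "What happened".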