SamWheating commented on issue #32839: URL: https://github.com/apache/airflow/issues/32839#issuecomment-1690262436
> What happens to blanket roles in Scenario 2: empty access control if it is going to be authoritative and empty? Do all default rights/roles also get a block on them? Good question - currently the `can (read|edit|delete) on DAG` roles are treated as all-encompassing (something like `can read on DAG:*`), Here's the relevant portion of the auth code where DAG-level access is only checked if Airflow-wide access isn't permitted: https://github.com/apache/airflow/blob/b7df3905b0399fad8180eeefef925251a7e69c16/airflow/www/security.py#L766-L779 I think that this is a good policy, and access-controls at defined in DAG code should only pertain to DAG-level access, not airflow-wide access. So in the case of `access_control={}`, all of the dag-specific rules would be wiped, but the Airflow-wise permissions would still apply. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
