potiuk commented on code in PR #34317:
URL: https://github.com/apache/airflow/pull/34317#discussion_r1355923325
##########
airflow/api_connexion/endpoints/task_instance_endpoint.py:
##########
@@ -61,13 +61,8 @@
T = TypeVar("T")
[email protected]_access(
- [
- (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
- (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_RUN),
- (permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_INSTANCE),
- ],
-)
[email protected]_access_dag("GET", DagAccessEntity.RUN)
[email protected]_access_dag("GET", DagAccessEntity.TASK_INSTANCE)
Review Comment:
BTW. This also reflects the change in the new approach of the permission
model after AIP-56 implementation. We are no more "resource" driven. We are
"action" driven. Auth manager should not be checking if you are access to
specrific **resources**, it instead checks if you are allowed to execute
specific **action**.
Rather than enumerating the resources necessary to execute the action, auth
manager simply responds to the question "can this user execute this action?".
For example:
* Is the user able to "modify" this task_instance (and all that it implies)?
* Is the user able to "read" this dag run (and all that it implies)?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
