potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new f7f7183617 Update permission docs (#36120)
f7f7183617 is described below
commit f7f71836175b81484fe6afb147a58e1ca6d00f4d
Author: Pankaj Singh <[email protected]>
AuthorDate: Sun Dec 17 21:08:00 2023 +0530
Update permission docs (#36120)
Add admin permission too on the page and fix some typo
---
.../fab/auth_manager/security_manager/override.py | 2 ++
docs/apache-airflow/security/access-control.rst | 35 +++++++++++++++-------
2 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/airflow/providers/fab/auth_manager/security_manager/override.py
b/airflow/providers/fab/auth_manager/security_manager/override.py
index a15168f9ca..58013cd89a 100644
--- a/airflow/providers/fab/auth_manager/security_manager/override.py
+++ b/airflow/providers/fab/auth_manager/security_manager/override.py
@@ -278,6 +278,7 @@ class
FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
]
# [END security_op_perms]
+ # [START security_admin_perms]
ADMIN_PERMISSIONS = [
(permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_RESCHEDULE),
(permissions.ACTION_CAN_ACCESS_MENU,
permissions.RESOURCE_TASK_RESCHEDULE),
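Review bot: The `# [START security_admin_perms]` marker added above `ADMIN_PERMISSIONS` here, and the matching `# [END security_admin_perms]` in the hunk at line 288, now decide what the published access-control page lists as Admin permissions, but nothing in the code says so. I would add a comment next to the start marker, e.g. `# Rendered into docs/apache-airflow/security/access-control.rst; keep every Admin-only permission between these markers.`, so that an entry later placed outside them does not silently drop out of the security documentation. The new docs text describes Admin as Op plus this list; the role configuration that would confirm that composition begins after the second hunk and is not visible here, so it is worth checking that the two agree. The class body starts and ends outside both hunks.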
@@ -288,6 +289,7 @@ class
FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
(permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
(permissions.ACTION_CAN_EDIT, permissions.RESOURCE_ROLE),
]
+ # [END security_admin_perms]
###########################################################################
# DEFAULT ROLE CONFIGURATIONS
diff --git a/docs/apache-airflow/security/access-control.rst
b/docs/apache-airflow/security/access-control.rst
index 263f962339..86ddfde1b4 100644
--- a/docs/apache-airflow/security/access-control.rst
+++ b/docs/apache-airflow/security/access-control.rst
@@ -38,11 +38,6 @@ By default, only ``Admin`` users can configure/alter
permissions for roles. Howe
it is recommended that these default roles remain unaltered, and instead
``Admin`` users
create new roles with the desired permissions if changes are necessary.
-Admin
-^^^^^
-``Admin`` users have all possible permissions, including granting or revoking
permissions from
-other users.
-
Public
^^^^^^
``Public`` users (anonymous) don't have any permissions.
@@ -74,6 +69,16 @@ Op
:start-after: [START security_op_perms]
:end-before: [END security_op_perms]
+Admin
+^^^^^
+``Admin`` users have all possible permissions, including granting or revoking
permissions from
+other users. ``Admin`` users have ``Op`` permission plus additional
permissions:
+
+.. exampleinclude::
/../../airflow/providers/fab/auth_manager/security_manager/override.py
+ :language: python
+ :start-after: [START security_admin_perms]
+ :end-before: [END security_admin_perms]
+
Custom Roles
'''''''''''''
@@ -152,12 +157,12 @@ Endpoint
/importErrors/{import_error_id}
GET ImportError.can_read
Viewer
/health
GET None
Public
/version
GET None
Public
-/pools
GET Pool.can_read Op
-/pools
POST Pool.can_create Op
-/pools/{pool_name}
DELETE Pool.can_delete Op
-/pools/{pool_name}
GET Pool.can_read Op
-/pools/{pool_name}
PATCH Pool.can_edit Op
-/providers
GET Provider.can_read Op
+/pools
GET Pools.can_read Op
+/pools
POST Pools.can_create Op
+/pools/{pool_name}
DELETE Pools.can_delete Op
+/pools/{pool_name}
GET Pools.can_read Op
+/pools/{pool_name}
PATCH Pools.can_edit Op
+/providers
GET Providers.can_read Op
/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances
GET DAGs.can_read, DAG Runs.can_read, Task Instances.can_read
Viewer
/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}
GET DAGs.can_read, DAG Runs.can_read, Task Instances.can_read
Viewer
/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/links
GET DAGs.can_read, DAG Runs.can_read, Task Instances.can_read
Viewer
@@ -173,7 +178,15 @@ Endpoint
/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/xcomEntries/{xcom_key}
GET DAGs.can_read, DAG Runs.can_read, Viewer
Task Instances.can_read, XComs.can_read
/users
GET Users.can_read
Admin
+/users
POST Users.can_create
Admin
/users/{username}
GET Users.can_read
Admin
+/users/{username}
PATCH Users.can_edit
Admin
+/users/{username}
DELETE Users.can_delete
Admin
+/roles
GET Roles.can_read
Admin
+/roles
POST Roles.can_create
Admin
+/roles/{role_name}
GET Roles.can_read
Admin
+/roles/{role_name}
PATCH Roles.can_edit
Admin
+/roles/{role_name}
DELETE Roles.can_delete
Admin
==================================================================================
====== =================================================================
============