ahipp13 commented on issue #29897: URL: https://github.com/apache/airflow/issues/29897#issuecomment-2262953586
> > So if the DAG hasn't been uploaded yet, and it gets an ImportError
>
> Do you mean if the DAG is present in the directory configured to be the dags folder but has never been successfully parsed? If that is the case, the DAG would never have been inserted in the `dags` table. The insertion only happens after a DagFileProcessorProcess has successfully parsed the file.
>
> Even if the permission is created somehow or had existed before, if the DAG is not in the `dags` table, those permissions are meaningless.
>
> I am able to replicate the behaviour only after truncating the `dag` table or deleting the entry of the associated DAG with the import error.
>
> According to the [source code](https://github.com/apache/airflow/blob/main/airflow/api_connexion/endpoints/import_error_endpoint.py#L94-L99), this is expected behaviour. If the DAG entry does not exist in the `dag` table, the query will never return the DAG with the import error even it is selecting the DAG. A user with the Admin role can see the import error because the query result is not filtered.

@wolfier yes that makes total sense, it's just our use case requires us to do it this way so we run into this quite a lot... We have 2 teams using our Airflow instances, and we don't want them to see each other's DAGs. So the only way we found to do this is to set the permissions within the DAGs themselves.

Just an idea for you or anybody else that comes across this. Would it be possible to be able to use regular expressions for permissions? For example, the 2 teams that use the Airflow instance always use the same prefix (their team name) so the DAG names are always {team_name}_{dag_name}. Could you add functionality to be able to do a permission like "can read on DAG:teamname.*" to give the role the ability to read all DAGs that start with "teamname"? Just an idea to throw out there.
If I get some free time I can try and explore this more, but wanted to get it out there.
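
The filtering behaviour described in the quoted reply, as an added example that is not part of the comment and is not Airflow's own code. It is a simplified model in SQLite; the column names `fileloc`, `filename` and `stacktrace`, the function names and the sample rows are assumptions made for illustration.

```python
import sqlite3


def build_db():
    """Constructed sample data: team_a_etl was parsed once and has a row in
    `dag`; team_b_new has never parsed, so it only has an import error."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE dag (dag_id TEXT PRIMARY KEY, fileloc TEXT);
        CREATE TABLE import_error (filename TEXT, stacktrace TEXT);
        INSERT INTO dag VALUES ('team_a_etl', '/dags/team_a_etl.py');
        INSERT INTO import_error VALUES
            ('/dags/team_a_etl.py', 'ImportError: No module named x'),
            ('/dags/team_b_new.py', 'ImportError: No module named y');
        """
    )
    return db


def visible_import_errors(db, readable_dag_ids, is_admin=False):
    """Return the import-error filenames a user is shown.

    Admin: the result is not filtered. Everyone else: an error is shown only
    if its file maps to a row in `dag` whose dag_id the user may read, so a
    file that never parsed (no `dag` row) can never match.
    """
    if is_admin:
        rows = db.execute("SELECT filename FROM import_error ORDER BY filename")
        return [r[0] for r in rows]
    ids = sorted(readable_dag_ids)
    if not ids:
        return []
    marks = ",".join("?" * len(ids))  # one bound parameter per dag_id
    rows = db.execute(
        "SELECT DISTINCT ie.filename FROM import_error ie "
        "JOIN dag d ON d.fileloc = ie.filename "
        f"WHERE d.dag_id IN ({marks}) ORDER BY ie.filename",
        ids,
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("team A:", visible_import_errors(db, {"team_a_etl"}))
    # Permission exists for team_b_new, but there is no `dag` row to join on.
    print("team B:", visible_import_errors(db, {"team_b_new"}))
    print("admin: ", visible_import_errors(db, set(), is_admin=True))
```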
