wolfier opened a new issue, #43140:
URL: https://github.com/apache/airflow/issues/43140

   ### What do you see as an issue?
   
   The documentation on [DAG level permissions](https://airflow.apache.org/docs/apache-airflow-providers-fab/stable/auth-manager/access-control.html#dag-level-permissions) states that the permissions `DAGs.can_edit`, `DAG Runs.can_read`, `Task Instances.can_edit` are required for the endpoint `/dags/{dag_id}/clearTaskInstances`.
   
   
   
   ### Solving the problem
   
   The permissions for the endpoint `/dags/{dag_id}/clearTaskInstances` are `DAGs.can_edit`, `DAG Runs.can_edit`, `Task Instances.can_edit`. The method is also "PUT", not "POST".
   
   In Airflow 2.8.0, the [clear endpoint](https://github.com/apache/airflow/blob/2.9.3/airflow/api_connexion/endpoints/task_instance_endpoint.py#L444) was updated (see [PR](https://github.com/apache/airflow/pull/34317)) to use the `requires_access_dag` function, which leverages [is_authorized_dag](https://github.com/apache/airflow/blob/providers-fab/1.2.2/airflow/providers/fab/auth_manager/fab_auth_manager.py#L203). More importantly, the SAME resource method is used to check against each resource entity. The clear method passes the "PUT" resource method, which [translates](https://github.com/apache/airflow/blob/2.9.3/airflow/auth/managers/utils/fab.py#L34-L40) to "ACTION_CAN_EDIT".
    
   The logic translates to requiring the following permissions.
   (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG)
   (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG_RUN)
   (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_TASK_INSTANCE)
   
   ### Anything else
   
   I did not check the other DAG level permissions. I recommend verifying each entry.
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
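
The check described in the issue above, as an added example that is not part of the original message and is not Airflow's code: a simplified model in which one action, derived from the HTTP method, is applied to every resource entity, used to audit roles against the clear endpoint. The role names and helper functions are hypothetical; the sample roles are constructed.

```python
# Simplified model of the check described in the issue; not Airflow's code.
# The method-to-action mapping mirrors the translation the issue links to.
METHOD_TO_ACTION = {
    "GET": "can_read",
    "POST": "can_create",
    "PUT": "can_edit",
    "DELETE": "can_delete",
}

# Resource entities the clear endpoint is checked against, per the issue.
CLEAR_ENTITIES = ("DAGs", "DAG Runs", "Task Instances")

# What the documentation page listed at the time, per the issue.
DOCUMENTED = {
    ("can_edit", "DAGs"),
    ("can_read", "DAG Runs"),
    ("can_edit", "Task Instances"),
}


def required_permissions(method, entities):
    """The same action, derived from the method, applies to every entity."""
    action = METHOD_TO_ACTION[method]
    return {(action, resource) for resource in entities}


def missing_permissions(role_perms, method="PUT", entities=CLEAR_ENTITIES):
    """Return the (action, resource) pairs a role lacks for the request."""
    return required_permissions(method, entities) - set(role_perms)


def audit_roles(roles):
    """Map each role name to the sorted permissions it lacks for clearing."""
    return {name: sorted(missing_permissions(p)) for name, p in roles.items()}


# Constructed sample roles (hypothetical names).
ROLES = {
    "built_from_docs": DOCUMENTED,
    "built_from_code": required_permissions("PUT", CLEAR_ENTITIES),
    "read_only": {("can_read", r) for r in CLEAR_ENTITIES},
}

if __name__ == "__main__":
    for role, missing in audit_roles(ROLES).items():
        verdict = "allowed" if not missing else f"denied, missing {missing}"
        print(f"{role}: {verdict}")
```

A role assembled from the documented list is denied only for lack of `DAG Runs.can_edit`, which is the mismatch the issue reports.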