Re: [PR] AIP 84 - Add Auth to xcom, ti, dag_warning, dag_stats, dag_source, dag_run, dag_parsing [airflow]

Tue, 11 Mar 2025 03:01:14 -0700 


pierrejeambrun commented on code in PR #47532:
URL: https://github.com/apache/airflow/pull/47532#discussion_r1988799555


##########
airflow/api_fastapi/core_api/openapi/v1-generated.yaml:
##########
@@ -2135,12 +2139,16 @@ paths:
       summary: Delete Dag Run
       description: Delete a DAG Run entry.
       operationId: delete_dag_run
+      security:
+      - OAuth2PasswordBearer: []
       parameters:
       - name: dag_id
         in: path
         required: true
         schema:
-          type: string
+          anyOf:
+          - type: string
+          - type: 'null'

Review Comment:
   This kind of change shouldn't be there. Rebase, it has been fixed on main.



##########
airflow/api_fastapi/core_api/routes/public/dag_run.py:
##########
@@ -383,7 +404,11 @@ def trigger_dag_run(
         raise HTTPException(status.HTTP_400_BAD_REQUEST, str(e))
 
 
-@dag_run_router.post("/list", 
responses=create_openapi_http_exception_doc([status.HTTP_404_NOT_FOUND]))
+@dag_run_router.post(
+    "/list",
+    responses=create_openapi_http_exception_doc([status.HTTP_404_NOT_FOUND]),
+    dependencies=[Depends(requires_access_dag(method="POST", 
access_entity=DagAccessEntity.RUN))],

Review Comment:
   @security.requires_access_dag("GET", DagAccessEntity.RUN)
   
   
   I don't think we need "post" access for this. It's actually a read.



##########
airflow/api_fastapi/core_api/routes/public/dag_run.py:
##########
@@ -217,7 +228,10 @@ def get_upstream_asset_events(
 @dag_run_router.post(
     "/{dag_run_id}/clear",
     responses=create_openapi_http_exception_doc([status.HTTP_404_NOT_FOUND]),
-    dependencies=[Depends(action_logging())],
+    dependencies=[
+        Depends(requires_access_dag(method="POST", 
access_entity=DagAccessEntity.RUN)),
+        Depends(action_logging()),

Review Comment:
   Why is that a POST ? Clearing a dagrun run mutate the run ? 
   
   It was a PUT in the legacy implementation. (It was a POST method but a PUT 
permission which makes sense)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to