willyyang opened a new issue, #51325:
URL: https://github.com/apache/airflow/issues/51325

   ### Apache Airflow version
   
   3.0.1
   
   ### If "Other Airflow 2 version" selected, which one?
   
   _No response_
   
   ### What happened?
   
   DAG-level access control using the `access_control` parameter is not working 
as expected. Users with specific DAG permissions (e.g., `can read on 
DAG:test_dag_1`) cannot access the DAG list page without also having the global 
`can read on DAGs` permission, which defeats the purpose of DAG-level access 
control.
   
   ### What you think should happen instead?
   
   Users should be able to access DAGs when they have specific DAG permissions 
defined in the DAG's `access_control`, without requiring the global `can read 
on DAGs` permission. The DAG list should show only the DAGs the user has 
explicit access to.
   
   
   ### How to reproduce
   
   1. Create a custom role (e.g., `ABC_Viewer`) with the following permissions:
   
   [can read on DAG:test_dag_1, can read on DAG Dependencies, can read on DAG 
Code, can read on DAG Runs, can read on DAG Versions, can read on DAG Warnings, 
can read on Assets, can read on Asset Aliases, can read on Backfills, can read 
on Cluster Activity, can read on Configurations, can read on Pools, can read on 
ImportError, can read on Jobs, can read on My Password, can edit on My 
Password, can read on My Profile, can edit on My Profile, can read on SLA 
Misses, can read on Task Instances, can read on Task Logs, can read on XComs, 
can read on Website, menu access on Browse, menu access on DAGs, menu access on 
DAG Dependencies, menu access on DAG Runs, menu access on Assets, menu access 
on Cluster Activity, menu access on Documentation, menu access on Docs, menu 
access on Jobs, menu access on SLA Misses, menu access on Task Instances]
   
   
   2. Create a DAG with access control (imports added; the fence's language tag had run into the first line):
   ```python
   from datetime import datetime
   
   from airflow import DAG
   # Airflow 3 ships EmptyOperator in the standard provider
   # (in Airflow 2 it lived at airflow.operators.empty).
   from airflow.providers.standard.operators.empty import EmptyOperator
   
   dag = DAG(
       dag_id='test_dag_1',
       start_date=datetime(2024, 1, 1),
       schedule=None,
       catchup=False,
       # grant the ABC_Viewer role read access to this DAG only
       access_control={
           'ABC_Viewer': {'can_read'}
       }
   )
   
   task1 = EmptyOperator(
       task_id='test_dag_1',
       dag=dag
   )
   ```
   3. Assign the `ABC_Viewer` role to a user (verified in Security > Users 
that the user has this role)
   4. Log in as that user and navigate to the DAG list page; you will see a 
`403`
   
   # Note
   - **Without** global `can read on DAGs` permission: User gets a 403 
Forbidden error when accessing the DAG list page
   - **With** global `can read on DAGs` permission: User can see ALL DAGs, not 
just the ones specified in access_control
   
   # Expected Result
   User should be able to access the DAG list page and see only test_dag_1 (the 
DAG they have explicit access to via access_control), without needing the 
global can read on DAGs permission.
   
   ### Operating System
   
   Debian GNU/Linux 12
   
   ### Versions of Apache Airflow Providers
   
   apache-airflow-providers-fab==2.0.2
   
   
   ### Deployment
   
   Other Docker-based deployment
   
   ### Deployment details
   
   _No response_
   
   ### Anything else?
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of 
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   

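The following is an added model of the two behaviours the report contrasts (observed: the list is gated only on the global `can read on DAGs` grant; expected: a per-DAG `DAG:<dag_id>` grant is enough and filters the list). It is not Airflow or FAB code; it only represents permissions as `(action, resource)` pairs the way the FAB UI names them, and the second DAG `other_dag` is a constructed sample used for contrast.

```python
"""Model of DAG-level access control as described in the issue (added example).

Permissions are (action, resource) pairs named the way the FAB UI shows them:
("can_read", "DAG:test_dag_1") for a per-DAG grant and ("can_read", "DAGs")
for the global grant. Nothing here calls Airflow; it is a stand-alone model.
"""
from __future__ import annotations

GLOBAL_DAG_RESOURCE = "DAGs"      # resource of the global "can read on DAGs" grant
DAG_RESOURCE_PREFIX = "DAG:"      # per-DAG resources look like "DAG:test_dag_1"
ACTION_READ = "can_read"

# Constructed sample data: the DAG from the report plus one extra DAG.
ALL_DAGS = ["test_dag_1", "other_dag"]
ACCESS_CONTROL_TEST_DAG_1 = {"ABC_Viewer": {"can_read"}}   # from the report


def perms_from_access_control(dag_id, access_control):
    """Expand a DAG's access_control mapping into (role, action, resource) triples,
    i.e. what a permission sync would have to create for each listed role."""
    return {
        (role, action, DAG_RESOURCE_PREFIX + dag_id)
        for role, actions in access_control.items()
        for action in actions
    }


def role_perms(role, triples):
    """Collect the (action, resource) pairs granted to one role."""
    return {(action, resource) for r, action, resource in triples if r == role}


def readable_dag_ids(perms):
    """DAG ids a role may read according to its per-DAG 'DAG:<id>' grants."""
    return {
        resource[len(DAG_RESOURCE_PREFIX):]
        for action, resource in perms
        if action == ACTION_READ and resource.startswith(DAG_RESOURCE_PREFIX)
    }


def observed_dag_list(perms, all_dags):
    """Behaviour the report describes: without the global grant the page is a
    403; with it, every DAG is listed regardless of access_control."""
    if (ACTION_READ, GLOBAL_DAG_RESOURCE) not in perms:
        return 403, []
    return 200, list(all_dags)


def expected_dag_list(perms, all_dags):
    """Behaviour the reporter expects: per-DAG grants alone open the page and
    restrict the list to the granted DAGs. A global grant is still treated as
    read on every DAG, matching what the report observes for that case."""
    if (ACTION_READ, GLOBAL_DAG_RESOURCE) in perms:
        return 200, list(all_dags)
    allowed = readable_dag_ids(perms)
    if not allowed:
        return 403, []
    return 200, [dag_id for dag_id in all_dags if dag_id in allowed]


# Role permission sets used below: the report's role, and the same role after
# the global grant has been added as a workaround.
ROLE_ABC_VIEWER = role_perms(
    "ABC_Viewer", perms_from_access_control("test_dag_1", ACCESS_CONTROL_TEST_DAG_1)
)
ROLE_ABC_VIEWER_PLUS_GLOBAL = ROLE_ABC_VIEWER | {(ACTION_READ, GLOBAL_DAG_RESOURCE)}


def compare(perms, all_dags=ALL_DAGS):
    """Return the (status, listed DAGs) pair for both behaviours side by side."""
    return {
        "observed": observed_dag_list(perms, all_dags),
        "expected": expected_dag_list(perms, all_dags),
    }


if __name__ == "__main__":
    for name, perms in [("ABC_Viewer", ROLE_ABC_VIEWER),
                        ("ABC_Viewer + global DAGs read", ROLE_ABC_VIEWER_PLUS_GLOBAL)]:
        print(name, compare(perms))
```

Running the block prints, for the role exactly as configured in the report, `observed (403, [])` beside `expected (200, ['test_dag_1'])`; adding the global grant makes both branches list every DAG, which is the second symptom in the note.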

-- 
This is an automated message from the Apache Git Service.