vincbeck commented on issue #58985:
URL: https://github.com/apache/airflow/issues/58985#issuecomment-3756342483
I am not sure this is a bug but something intended. But we can definitely
change it. Several things about it:
- `access_control` is deprecated and I would not recommend using it.
Authorization are now delegated to auth managers so having FAB style
permissions defined in your DAG is not recommended. This parameter
(`access_control`) would only work if you use FAB auth manager, if someday you
switch to another auth manager, all your permissions defined in your DAGs will
be dismissed
- Why this behavior? When `access_control` is defined in your DAG, we give
the defined action (e.g. `can_read`) to the defined role (e.g. `TEAM_A`) access
to Dags in general. But that's it. We do not give permissions to underlying
resources such as dag runs, task instances, xcoms etc. Since `access_control`
has no way to define whether a Dag author wants to also give permissions to
these underlying resources we have 2 options:
- We either keep it that way
- We give permissions to all the underlying Dag resources
What do you think? Pinging @potiuk here as well to get his insights.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
