pierrejeambrun opened a new pull request, #60979:
URL: https://github.com/apache/airflow/pull/60979
The problem:
A user that lacks permissions on 'dag runs' cannot see the list of dags in the
UI at all.
At first I considered simply filtering the 'recent_dag_runs' in the response
based on the `read on DagRun` permissions. So you wouldn't get a 403, but just
an empty list of 'recent runs' for each dag returned. Most likely updating the
`readable_dag_runs_filter` to take into consideration the `access entity`. This
propagates down to the auth manager implementation since we need to be able to pass
AccessEntity to `get_authorized_dag_ids`. The base implementation is fine, the
fab auth manager overriding is a problem. Also this will bring backward
compatibility issues. I dropped this idea.
Another option is to simply inline a call in the for loop to filter dag runs
based on runs permissions, something like:
```python
for row in recent_dag_runs:
    is_authorized_runs = get_auth_manager().is_authorized_dag(
        method="GET",
        access_entity=DagAccessEntity.RUN,
        details=DagDetails(id=dag_id,
            team_name=DagModel.get_team_name(row.dag_id, session=session)),
        user=user,
    )
    if not is_authorized_runs:
        continue
```
But since there are possibly a lot of runs in the `recent_dag_runs` object
and this adds multiple db queries (get_team, and then is_authorized_dag), that
could possibly explode the number of requests.
The approach I opted for is much simpler. This just considers that having
"Dag" access on a dag gives you the permissions to see the run 'summaries'
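An added illustration of the trade-off described in the PR description above, not code from the pull request or from Airflow: a constructed stub auth manager counts the lookups a per-row run check would issue and shows what a user with Dag access on every dag, but run access on only one, sees under each option. `StubAuthManager`, `compare`, the sample runs and the grants are all hypothetical.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed stand-in for an auth manager; this is not Airflow's API.
@dataclass
class StubAuthManager:
    grants: set  # {(user, dag_id, entity)}; entity None means the Dag itself
    calls: Counter = field(default_factory=Counter)

    def team_name(self, dag_id):
        self.calls["team_lookup"] += 1  # stands for one DB query per call
        return "team-a"

    def is_authorized_dag(self, user, dag_id, access_entity=None, team_name=None):
        self.calls["authz"] += 1
        return (user, dag_id, access_entity) in self.grants


def runs_inline_check(am, user, recent_dag_runs):
    """Per-row option: check RUN permission for every recent run."""
    visible = []
    for dag_id, run_id in recent_dag_runs:
        team = am.team_name(dag_id)
        if am.is_authorized_dag(user, dag_id, "RUN", team):
            visible.append((dag_id, run_id))
    return visible


def runs_dag_access_implies_summary(recent_dag_runs, readable_dag_ids):
    """Simpler option: Dag access is enough to see run summaries."""
    return [(d, r) for d, r in recent_dag_runs if d in readable_dag_ids]


# Constructed sample: 3 dags x 10 recent runs; alice reads all dags, runs only on dag_0.
RUNS = [(f"dag_{d}", f"run_{r}") for d in range(3) for r in range(10)]
GRANTS = {("alice", f"dag_{d}", None) for d in range(3)} | {("alice", "dag_0", "RUN")}


def compare(user="alice"):
    """Return (visible rows, lookup counts) for each option."""
    am = StubAuthManager(GRANTS)
    readable = {d for d, _ in RUNS if am.is_authorized_dag(user, d)}
    am.calls.clear()  # count only the work done while filtering runs
    inline = runs_inline_check(am, user, RUNS)
    inline_calls = dict(am.calls)
    am.calls.clear()
    summary = runs_dag_access_implies_summary(RUNS, readable)
    return len(inline), inline_calls, len(summary), dict(am.calls)
```

With the constructed data, the per-row option costs two lookups per run and hides the runs of two dags, while the simpler option issues no extra lookups and shows every run summary of a readable dag, including those the user has no run permission on.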