SUCHNA24 opened a new pull request, #63382:
URL: https://github.com/apache/airflow/pull/63382
This PR fixes DAG-level access control for task group views when using
FAB-based authorization.

Previously, users with DAG-specific permissions like `can_read` on
`DAG:<dag_id>` plus task-related permissions could still get a 404 when
accessing task group and grid-related views, unless they were also granted the
global `can_read` on `DAGs` (and often `DAG Runs`). This effectively forced
over‑broad permissions just to view per‑DAG task group details.

With this change, the authorization logic correctly respects DAG-specific
permissions for DAG-scoped sub-entities (task instances, runs, and task groups)
so that:

- A user with `can read DAG:<dag_id>` and the relevant task/run permissions
  can access:
  - Task group detail views (`/dags/{dag_id}/tasks/group/{group_id}`)
  - Grid/structure views for that DAG
  - Other DAG detail pages for that DAG
- The same user no longer needs global `can read DAGs` to reach those URLs,
  so DAG visibility remains restricted to the intended set.

The behavior for truly global permissions (e.g. full `DAGs` access) is
unchanged.

**Testing**

- Manual: Verified that a restricted role with only DAG-specific access and
  task/run read permissions can:
  - Open `/dags/{specific_dag_id}/tasks/group/{group_id}` without 404
  - Access the same DAG’s grid/structure views
  - Still *not* see DAGs they are not explicitly allowed to read.
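
A small model of the permission check described in the pull request above, added here as an illustration; it is not code from the PR or from Airflow. The function names, the `Task Instances` resource name and the sample DAG ids are assumptions. It compares the reported behaviour with the described fix and shows why the global-grant workaround widens visibility.

```python
"""Toy model of DAG-scoped read checks for task group views (not Airflow code)."""

GLOBAL_DAGS = "DAGs"               # global resource named in the PR text
DAG_PREFIX = "DAG:"                # per-DAG resource prefix named in the PR text
TASK_INSTANCES = "Task Instances"  # assumed name of the task-level resource


def can_read_dag(perms, dag_id):
    """Role may read the DAG through the global grant or its DAG-specific grant."""
    return (("can_read", GLOBAL_DAGS) in perms
            or ("can_read", DAG_PREFIX + dag_id) in perms)


def task_group_view_before(perms, dag_id):
    """Reported behaviour: the sub-entity view only honoured the global grant."""
    return (("can_read", GLOBAL_DAGS) in perms
            and ("can_read", TASK_INSTANCES) in perms)


def task_group_view_after(perms, dag_id):
    """Described fix: a DAG-specific grant is enough for DAG-scoped views."""
    return can_read_dag(perms, dag_id) and ("can_read", TASK_INSTANCES) in perms


def access_matrix(perms, dag_ids, check):
    """Evaluate one check for every DAG id so over-exposure is easy to spot."""
    return {dag_id: check(perms, dag_id) for dag_id in dag_ids}


# Constructed sample roles and DAG ids.
DAG_IDS = ["etl_sales", "hr_payroll"]
RESTRICTED = {("can_read", "DAG:etl_sales"), ("can_read", TASK_INSTANCES)}
# The workaround the old behaviour forced: add the global grant to the role.
WORKAROUND = RESTRICTED | {("can_read", GLOBAL_DAGS)}
GLOBAL_ROLE = {("can_read", GLOBAL_DAGS), ("can_read", TASK_INSTANCES)}

if __name__ == "__main__":
    for name, perms in [("restricted", RESTRICTED),
                        ("workaround", WORKAROUND),
                        ("global", GLOBAL_ROLE)]:
        print(name,
              "before:", access_matrix(perms, DAG_IDS, task_group_view_before),
              "after:", access_matrix(perms, DAG_IDS, task_group_view_after))
```

The same matrix works as a regression check for any role definition: every DAG id outside the role's explicit grants should stay `False` under the fixed check.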