jedcunningham opened a new pull request, #64933:
URL: https://github.com/apache/airflow/pull/64933
## Summary
Fixes a regression introduced by #63335, which hardcoded `RESOURCE_ASSET =
"Assets"`
in `providers/common/compat/security/permissions.py`. This value is correct
for
Airflow 3, but breaks Airflow 2.x in two ways:
1. **Wrong resource name in Airflow 2.x.** `apache-airflow-providers-fab`
imports
`RESOURCE_ASSET` from this module at runtime. FAB's role sync updates
stock roles
to grant the `"Assets"` resource, but the correct Airflow 2.x name is
`"Datasets"`.
This creates an inconsistency and pollutes the permission model with a
resource that
doesn't belong in Airflow 2.x.
2. **Custom roles break.** Any role with `"Datasets"` permissions stops
working, since
auth checks now look for `"Assets"`. While you could re-grant permissions
against
`"Assets"` after upgrading, existing roles are silently broken.
## Fix
Gate on `AIRFLOW_V_3_0_PLUS`: return `"Assets"` for Airflow 3, and fall back
to
`RESOURCE_DATASET` from `airflow.security.permissions` (not deprecated in
Airflow 2.x)
for Airflow 2.x.
## Related
- Reverts the behavioral change from: #63335
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
