o-nikolas commented on code in PR #66821:
URL: https://github.com/apache/airflow/pull/66821#discussion_r3230490237


##########
airflow-core/docs/authoring-and-scheduling/assets.rst:
##########
@@ -449,6 +449,91 @@ The rules depend on whether the producer and consumer have 
a team association:
 When Multi-Team mode is disabled, ``allow_producer_teams`` is ignored and all 
asset events are delivered to all
 consuming Dags, preserving backward compatibility.
 
+.. _asset_allow_consumer_teams:
+
+Cross-team asset event filtering with ``allow_consumer_teams``
+--------------------------------------------------------------
+
+.. versionadded:: 3.3.0
+
+While ``allow_producer_teams`` controls which producer teams a consumer is 
willing to accept events from,
+``allow_consumer_teams`` controls which consumer teams a producer is willing 
to deliver events to. It is
+specified on the **producer** side — on the ``Asset`` used in a task's 
``outlets``.
+
+.. code-block:: python
+
+    from airflow.sdk import DAG, Asset, task
+
+    restricted_output = Asset(
+        name="restricted_output",
+        uri="s3://bucket/restricted/output.csv",
+        allow_consumer_teams=["team_downstream", "team_reporting"],
+    )
+
+    with DAG(dag_id="producer_dag", schedule="@daily"):
+
+        @task(outlets=[restricted_output])
+        def produce_data():
+            """Only team_downstream and team_reporting can consume events from 
this task."""
+
+In this example, only consuming Dags belonging to ``team_downstream`` or 
``team_reporting`` (plus any
+teamless consumers) will receive asset events produced by the ``produce_data`` 
task.
+
+Default behavior
+~~~~~~~~~~~~~~~~
+
+When ``allow_consumer_teams`` is not specified (or set to an empty list), no 
consumer-team filtering is
+applied — all consumers that pass the other filtering checks (same-team, 
``allow_producer_teams``) will
+receive the event.
+
+- **Empty list (default)**: All consumers pass through (no restriction from 
the producer side).
+- **Non-empty list**: Only consumers whose team is in the list, or teamless 
consumers, receive the event.
+- **Teamless consumers**: Always pass through regardless of 
``allow_consumer_teams``.
+
+Per-producer scoping
+~~~~~~~~~~~~~~~~~~~~
+
+``allow_consumer_teams`` is scoped per producing task, not per asset. If 
multiple tasks produce events for
+the same asset, each task's ``allow_consumer_teams`` applies independently:
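
Review bot: The "Per-producer scoping" paragraph says the setting is "scoped per producing task, not per asset", but earlier in this hunk it is described as specified "on the ``Asset`` used in a task's ``outlets``", and the example sets it on the ``Asset`` object itself. The paragraph should spell out the consequence of "applies independently": as worded, a consumer team left off one task's list can still receive events for the same asset from another task whose list is empty or wider, so a producer cannot treat its own list as a restriction on the asset as a whole. In "Default behavior", the bullet calls the empty list the default while the paragraph above it treats "not specified" and "set to an empty list" as two cases; state once that the default value is an empty list.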

Review Comment:
   Good callout, I wouldn't have expected this behaviour 👍 



##########
airflow-core/docs/authoring-and-scheduling/assets.rst:
##########
@@ -449,6 +449,91 @@ The rules depend on whether the producer and consumer have 
a team association:
 When Multi-Team mode is disabled, ``allow_producer_teams`` is ignored and all 
asset events are delivered to all
 consuming Dags, preserving backward compatibility.
 
+.. _asset_allow_consumer_teams:
+
+Cross-team asset event filtering with ``allow_consumer_teams``
+--------------------------------------------------------------
+
+.. versionadded:: 3.3.0
+
+While ``allow_producer_teams`` controls which producer teams a consumer is 
willing to accept events from,
+``allow_consumer_teams`` controls which consumer teams a producer is willing 
to deliver events to. It is
+specified on the **producer** side — on the ``Asset`` used in a task's 
``outlets``.
+
+.. code-block:: python
+
+    from airflow.sdk import DAG, Asset, task
+
+    restricted_output = Asset(
+        name="restricted_output",
+        uri="s3://bucket/restricted/output.csv",
+        allow_consumer_teams=["team_downstream", "team_reporting"],
+    )
+
+    with DAG(dag_id="producer_dag", schedule="@daily"):
+
+        @task(outlets=[restricted_output])
+        def produce_data():
+            """Only team_downstream and team_reporting can consume events from 
this task."""
+
+In this example, only consuming Dags belonging to ``team_downstream`` or 
``team_reporting`` (plus any
+teamless consumers) will receive asset events produced by the ``produce_data`` 
task.
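
Review bot: The docstring in the example, "Only team_downstream and team_reporting can consume events from this task.", contradicts the sentence directly after the code block, which adds "(plus any teamless consumers)". Readers who copy the snippet will take the docstring as the guarantee. Reword the docstring to mention teamless consumers, or, if the exemption is dropped, remove the parenthetical so the example and the prose agree.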

Review Comment:
   I think we talked about this one and changed course on the allow_producer 
side. I don't think any teamless consumer should be able to get around this. 
Otherwise someone from a team which you're trying to not allow can just move 
their dag to being outside their team and get free access to the events?
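
The concern in the comment above, as an added example that is not part of the PR or of Airflow's code: a small Python model of the producer-side check as the quoted docs word it, next to a variant without the teamless exemption. The function names and the consumer table are constructed for illustration, and the other checks the docs mention (same-team, ``allow_producer_teams``) are not modelled.

```python
from typing import Mapping, Optional, Sequence


def documented_rule(allow_consumer_teams: Sequence[str], consumer_team: Optional[str]) -> bool:
    """Producer-side check as the quoted docs describe it (hypothetical model)."""
    if not allow_consumer_teams:   # empty list (default): no producer-side restriction
        return True
    if consumer_team is None:      # teamless consumers always pass through
        return True
    return consumer_team in allow_consumer_teams


def strict_rule(allow_consumer_teams: Sequence[str], consumer_team: Optional[str]) -> bool:
    """Variant the review comment asks for: no teamless exemption (hypothetical model)."""
    if not allow_consumer_teams:
        return True
    return consumer_team is not None and consumer_team in allow_consumer_teams


def exemption_gap(allow_consumer_teams: Sequence[str],
                  consumers: Mapping[str, Optional[str]]) -> list[str]:
    """Dag ids that receive the event under the documented rule but not the strict one."""
    return sorted(
        dag_id
        for dag_id, team in consumers.items()
        if documented_rule(allow_consumer_teams, team)
        and not strict_rule(allow_consumer_teams, team)
    )


# Constructed sample data: dag_id -> team name (None means teamless).
ALLOW = ["team_downstream", "team_reporting"]
CONSUMERS = {
    "reporting_dag": "team_reporting",
    "finance_dag": "team_finance",
    "finance_dag_moved": None,  # the same Dag after being moved outside its team
    "legacy_dag": None,
}

if __name__ == "__main__":
    for dag_id, team in CONSUMERS.items():
        print(dag_id, team, documented_rule(ALLOW, team), strict_rule(ALLOW, team))
    print("delivered only because of the teamless exemption:",
          exemption_gap(ALLOW, CONSUMERS))
```

Listing the gap for each restricted asset shows which consumers a producer's list does not actually constrain under the documented wording.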


