vincbeck commented on code in PR #66949:
URL: https://github.com/apache/airflow/pull/66949#discussion_r3242932026
##########
airflow-core/docs/authoring-and-scheduling/assets.rst:
##########
@@ -402,53 +402,109 @@ As mentioned in :ref:`Fetching information from
previously emitted asset events<
events = inlet_events[AssetAlias("example-alias")]
last_row_count = events[-1].extra["row_count"]
-.. _asset_allow_producer_teams:
+.. _asset_access_control:
-Cross-team asset event filtering with ``allow_producer_teams``
---------------------------------------------------------------
+Cross-team asset event filtering with ``access_control``
+--------------------------------------------------------
.. versionadded:: 3.3.0
When :doc:`Multi-Team mode </core-concepts/multi-team>` is enabled, asset
events are filtered by team
membership. By default, a consuming Dag only receives asset events produced by
Dags within the same team
or by global (teamless) Dags. This prevents unintended cross-team triggers.
-To allow specific other teams to produce events that trigger your Dag, use the
``allow_producer_teams`` parameter
-on the ``Asset`` definition:
+To configure cross-team access, use the ``access_control`` parameter on the
``Asset`` definition with an
+``AssetAccessControl`` instance:
.. code-block:: python
- from airflow.sdk import Asset
+ from airflow.sdk import Asset, AssetAccessControl
shared_data = Asset(
name="my_data",
uri="s3://bucket/shared/data.csv",
- allow_producer_teams=["team_analytics", "team_ml"],
+ access_control=AssetAccessControl(
+ producer_teams=["team_analytics", "team_ml"],
+ ),
)
In this example, asset events produced by Dags belonging to ``team_analytics``
or ``team_ml`` will be
accepted by any consuming Dag that schedules on ``shared_data``, in addition
to events from the consuming
Dag's own team.
+``AssetAccessControl`` parameters
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``AssetAccessControl`` class accepts the following parameters:
+
+- **producer_teams** (``list[str]``, default ``[]``): List of team names
allowed to produce events
+ consumed by this asset's consumers, in addition to the consumer's own team.
+- **allow_global** (``bool``, default ``True``): Whether teamless (global) Dag
producers can trigger
Review Comment:
For now I just introduce `AssetAccessControl` and move
`allow_producer_teams` there. As a follow-up, I'll add `allow_consumer_teams`
but that's a separate PR. Basically I'll rebase and update
https://github.com/apache/airflow/pull/66821 to add that
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
