bmoon4 opened a new issue, #62532:
URL: https://github.com/apache/airflow/issues/62532

   ### Apache Airflow version
   
   3.1.7
   
   ### If "Other Airflow 3 version" selected, which one?
   
   _No response_
   
   ### What happened?
   
   When using DAG-level access control with specific DAG permissions (e.g., 
`can read on DAG:my_dag_id`), users receive a 404 error when accessing the task 
group detail view at `/dags/{dag_id}/tasks/group/{group_id}`, even though they 
have the appropriate DAG-specific permission.
   
   
   
   The same user with `Admin` role (which has the general `can read on DAGs` 
permission) can access the same URL without issues.
   
   ### What you think should happen instead?
   
   Users with DAG-specific permissions like `can read on DAG:my_dag_id` should 
be able to access all views and endpoints related to that specific DAG, 
including:
   - Task group views (`/dags/{dag_id}/tasks/group/{group_id}`)
   - DAG graph/structure views
   - Other DAG detail pages
   
   The DAG-level access control should be consistently enforced across all 
DAG-related endpoints, not just the DAG list view. 
   
   ### How to reproduce
   
   1. Create a custom role (e.g., `restricted_user`)
   2. Grant the following permissions to the role:
   - `can read on DAG:specific_dag_id`
   - `can read on DAG Dependencies`
   - `can read on DAG Code`
   - `can read on Task Instances`
   - Other viewer permissions
   3. **DO NOT grant**: `can read on DAGs` (general permission)
   4. Assign a user to this role
   5. Log in as that user
   6. Try to access: 
`https://your-airflow/dags/specific_dag_id/tasks/group/some_task_group`
   
   **expected**: Task group view renders successfully
   **actual**: 404 not found
   
   7. Add `can read on DAGs` permission to the role
   8. Access the same URL again
   
   **result**: Now it works, but the user can now see ALL DAGs in the system 
(not desired)
   
   
   
   
   ### Operating System
   
   Linux / Kubernetes
   
   ### Versions of Apache Airflow Providers
   
   apache-airflow-providers-fab==3.2.0
   
   ### Deployment
   
   Other Docker-based deployment
   
   ### Deployment details
   
   _No response_
   
   ### Anything else?
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of 
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
