darshil929 commented on PR #69175:
URL: https://github.com/apache/airflow/pull/69175#issuecomment-4846788561

   Yeah, that's fair, and I think you're right about the consumer side. If you 
schedule a Dag on an asset, you're basically signing up to be triggered 
whenever that asset updates, so having the consumer's access_control override 
that doesn't really make sense.
   
   Where I was coming from is more the producer side. Normally, to emit one of 
these events you'd have to run a producing Dag, which means you need permission 
on that Dag. The API lets anyone with the global "create on Assets" permission 
emit the event directly and skip that, and that's the part that felt off to me.
   
   It did come up earlier in the thread as something POST should check 
(https://github.com/apache/airflow/issues/42846#issuecomment-3489814766), so 
there might be a couple of different views on this. Happy to go with whatever 
you all land on.
   
   If the producer side seems worth tightening, I can trim the PR down to just 
that check and drop the consumer part. And if you'd rather call the whole thing 
working as intended, I'm fine closing it out. Just let me know which way you'd 
prefer.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to