[GitHub] [airflow] jhtimmins commented on issue #8112: Authorization and Permissions

Mon, 13 Jul 2020 07:21:08 -0700 


jhtimmins commented on issue #8112:
URL: https://github.com/apache/airflow/issues/8112#issuecomment-657589456


   Some thoughts on this:
   
   ## Challenge
   For the new API, we need to decide how to structure permissions for the API 
and how they should integrate with the existing user permissions schema.
   
   ## Approaches
   1. Tie permissions to specific resources and actions. “Read DAG”, “Update 
TI”, etc.
   2. Tie permissions to specific endpoints. 
   3. Create ad hoc permissions that encapsulate specific actions in the web UI.
   
   The existing permission structure seems to most-closely follow approach 3. 
This is problematic, since the web-focused permissions do not apply cleanly to 
API endpoints.
   
   @ashb  and I discussed this, and agree that approach 1 makes the most sense 
for our specific API system. Individuals can have permission to perform 
specific actions on specific resources. For individual endpoints, decorators 
can be used to define the set of permissions required to make use of the 
endpoint.
   
   For example, to submit a PATCH request to 
`/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances{task_instance_id}`, the user 
will need edit access for Dags, Dag runs, and Task instances.
   
   So the view function might match the following.
   ```
   @needs_permissions(['dag_edit', 'dag_run_edit', 'ti_edit'])
   def update_ti_view(request):
   ```
   
   ## Breaking Changes
   This system will also work for the UI. While not allowing 1:1 permission 
overlap with the existing permission architecture, we will be able to update 
required permissions to work on a resource-action basis.
   
   This will be a breaking change, so we need to decide whether or not to 
continue supporting the existing permission architecture, possibly by creating 
the new permissions as a standalone subsystem.
   
   ## Dag-level permissions
   Since dags are the only resource where permission can be given out on a 
per-object basis, the permission system can distinguish between collection 
access and object access behind the scenes.
   
   ## User Roles
   User roles can be updated to use resource-action permissions.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to