ashb commented on a change in pull request #10594:
URL: https://github.com/apache/airflow/pull/10594#discussion_r486463936
##########
File path: docs/security/access-control.rst
##########
@@ -114,3 +114,61 @@ using the ``airflow roles create`` command, e.g.:
And we could assign the given role to a new user using the ``airflow
users add-role`` CLI command.
+
+Permissions
+'''''''''''
+
+Resource-Based permissions
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+Starting with version 2.0, permissions are based on individual resources and a
small subset of actions on those resources. Resources match standard Airflow
concepts, such as ``Dag``, ``DagRun``, ``Task``, and ``Connection``. Actions
include ``can_create``, ``can_read``, ``can_edit``, and ``can_delete``.
Permissions (each consistint of a resource + action pair) are then added to
roles.
+
+Simple table:
+
+==================================================================================
======
====================================================================================
+ Inputs
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+View
Method Permissions
+==================================================================================
======
====================================================================================
+/config
GET Config.can_read
+/connections
GET Connection.can_read
+/connections
POST Connection.can_create
+/connections/{connection_id}
DELETE Connection.can_delete
+/connections/{connection_id}
GET Connection.can_read
+/connections/{connection_id}
PATCH Connection.can_edit
+/dagSources/{file_token}
GET DagCode.can_read
+/dags
GET Dag.can_read
+/dags/{dag_id}
GET Dag.can_read
+/dags/{dag_id}
PATCH Dag.can_edit
+/dags/{dag_id}/clearTaskInstances
POST Dag.can_read, DagRun.can_read, TaskInstance.can_edit
+/dags/{dag_id}/details
GET Dag.can_read
+/dags/{dag_id}/tasks
GET Dag.can_read, Task.can_read
+/dags/{dag_id}/tasks/{task_id}
GET Dag.can_read, Task.can_read
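Review bot: The `/dags/{dag_id}/clearTaskInstances` row lists `Dag.can_read, DagRun.can_read, TaskInstance.can_edit` for a POST, so a role with only read access on the DAG plus `TaskInstance.can_edit` satisfies it, whereas the other modifying row on a DAG (`PATCH /dags/{dag_id}`) requires `Dag.can_edit`. If the write is meant to be authorised at the TaskInstance level, add a sentence under the table saying so, so that role authors do not assume `Dag.can_read` is harmless on its own; otherwise this row should list `Dag.can_edit`.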
Review comment:
I don't think we need Task as a separate permission entity -- it's not
separately useful enough I don't think
##########
File path: docs/security/access-control.rst
##########
@@ -114,3 +114,61 @@ using the ``airflow roles create`` command, e.g.:
And we could assign the given role to a new user using the ``airflow
users add-role`` CLI command.
+
+Permissions
+'''''''''''
+
+Resource-Based permissions
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+Starting with version 2.0, permissions are based on individual resources and a
small subset of actions on those resources. Resources match standard Airflow
concepts, such as ``Dag``, ``DagRun``, ``Task``, and ``Connection``. Actions
include ``can_create``, ``can_read``, ``can_edit``, and ``can_delete``.
Permissions (each consistint of a resource + action pair) are then added to
roles.
+
+Simple table:
+
+==================================================================================
======
====================================================================================
+ Inputs
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+View
Method Permissions
+==================================================================================
======
====================================================================================
+/config
GET Config.can_read
+/connections
GET Connection.can_read
+/connections
POST Connection.can_create
+/connections/{connection_id}
DELETE Connection.can_delete
+/connections/{connection_id}
GET Connection.can_read
+/connections/{connection_id}
PATCH Connection.can_edit
+/dagSources/{file_token}
GET DagCode.can_read
+/dags
GET Dag.can_read
+/dags/{dag_id}
GET Dag.can_read
+/dags/{dag_id}
PATCH Dag.can_edit
+/dags/{dag_id}/clearTaskInstances
POST Dag.can_read, DagRun.can_read, TaskInstance.can_edit
+/dags/{dag_id}/details
GET Dag.can_read
+/dags/{dag_id}/tasks
GET Dag.can_read, Task.can_read
+/dags/{dag_id}/tasks/{task_id}
GET Dag.can_read, Task.can_read
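Review bot: In the introductory paragraph, "consistint" should read "consisting", and the table still carries what look like template leftovers: the "Simple table:" lead-in and the "Inputs" header spanning View / Method / Permissions. Suggest replacing the lead-in with a sentence stating what the table lists (the permissions required for each endpoint and method) and dropping the "Inputs" row. The paragraph also gives ``Dag``, ``DagRun``, ``Task`` and ``Connection`` as example resources, while the rows use `Config`, `DagCode` and `TaskInstance` as well; either list every resource the table uses or link to where they are defined.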
Review comment:
```suggestion
/dags/{dag_id}/tasks
GET Dag.can_read
/dags/{dag_id}/tasks/{task_id}
GET Dag.can_read
```