ashb commented on a change in pull request #10594:
URL: https://github.com/apache/airflow/pull/10594#discussion_r486465179
##########
File path: docs/security/access-control.rst
##########
@@ -114,3 +114,61 @@ using the ``airflow roles create`` command, e.g.:
And we could assign the given role to a new user using the ``airflow
users add-role`` CLI command.
+
+Permissions
+'''''''''''
+
+Resource-Based permissions
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+Starting with version 2.0, permissions are based on individual resources and a
small subset of actions on those resources. Resources match standard Airflow
concepts, such as ``Dag``, ``DagRun``, ``Task``, and ``Connection``. Actions
include ``can_create``, ``can_read``, ``can_edit``, and ``can_delete``.
Permissions (each consistint of a resource + action pair) are then added to
roles.
+
+Simple table:
+
+==================================================================================
======
====================================================================================
+ Inputs
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+View
Method Permissions
+==================================================================================
======
====================================================================================
+/config
GET Config.can_read
+/connections
GET Connection.can_read
+/connections
POST Connection.can_create
+/connections/{connection_id}
DELETE Connection.can_delete
+/connections/{connection_id}
GET Connection.can_read
+/connections/{connection_id}
PATCH Connection.can_edit
+/dagSources/{file_token}
GET DagCode.can_read
+/dags
GET Dag.can_read
+/dags/{dag_id}
GET Dag.can_read
+/dags/{dag_id}
PATCH Dag.can_edit
+/dags/{dag_id}/clearTaskInstances
POST Dag.can_read, DagRun.can_read, TaskInstance.can_edit
+/dags/{dag_id}/details
GET Dag.can_read
+/dags/{dag_id}/tasks
GET Dag.can_read, Task.can_read
+/dags/{dag_id}/tasks/{task_id}
GET Dag.can_read, Task.can_read
+/dags/{dag_id}/dagRuns
GET Dag.can_read, DagRun.can_read
+/dags/{dag_id}/dagRuns
POST Dag.can_read, DagRun.can_create
+/dags/{dag_id}/dagRuns/{dag_run_id}
DELETE Dag.can_read, DagRun.can_delete
+/dags/{dag_id}/dagRuns/{dag_run_id}
GET Dag.can_read, DagRun.can_read
+/dags/{dag_id}/dagRuns/list
POST Dag.can_read, DagRun.can_read
+/eventLogs
GET Log.can_read
+/eventLogs/{event_log_id}
GET Log.can_read
+/importErrors
GET ImportError.can_read
+/importErrors/{import_error_id}
GET ImportError.can_read
+/health
GET None
+/version
GET None
+/pools
GET Pool.can_read
+/pools
POST Pool.can_create
+/pools/{pool_name}
DELETE Pool.can_delete
+/pools/{pool_name}
GET Pool.can_read
+/pools/{pool_name}
PATCH Pool.can_edit
+/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances
GET Dag.can_read, DagRun.can_read, TaskInstance.can_read
+/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}
GET Dag.can_read, DagRun.can_read, TaskInstance.can_read
+/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/links
GET DagBag.can_read, Dag.can_read, DagRun.can_read, Task.can_read,
TaskInstance.can_read
+/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/logs/{task_try_number}
GET Dag.can_read, DagRun.can_read, Task.can_read
+/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/list
POST DagBag.can_read, Dag.can_read, DagRun.can_read, Task.can_read,
TaskInstance.can_read
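Review bot: The row for /dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/links lists DagBag.can_read, and the /taskInstances/list row is the only other one that does. The prose introduces resources such as Dag, DagRun, Task and Connection but never mentions DagBag, so either drop it from both rows or document DagBag as a resource with its own permission. In the same group, the .../logs/{task_try_number} row requires Task.can_read but not TaskInstance.can_read, unlike the other taskInstances rows; confirm that is intended. In the opening paragraph, "consistint" should be "consisting". The "Simple table:" lead-in and the "Inputs" spanning header read as template leftovers; replace them with a sentence saying the table maps each endpoint and method to the permissions it requires.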
Review comment:
```suggestion
/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/list
POST Dag.can_read, DagRun.can_read, Task.can_read, TaskInstance.can_read
```