[
https://issues.apache.org/jira/browse/AIRFLOW-3072?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16622515#comment-16622515
]
ASF GitHub Bot commented on AIRFLOW-3072:
-----------------------------------------
jgao54 closed pull request #3913: [AIRFLOW-3072] Assign permission
get_logs_with_metadata to viewer role
URL: https://github.com/apache/incubator-airflow/pull/3913
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/airflow/www_rbac/security.py b/airflow/www_rbac/security.py
index 55570debf6..bbb05cd2c5 100644
--- a/airflow/www_rbac/security.py
+++ b/airflow/www_rbac/security.py
@@ -83,6 +83,7 @@
'can_task_stats',
'can_code',
'can_log',
+ 'can_get_logs_with_metadata',
'can_tries',
'can_graph',
'can_tree',
diff --git a/tests/www_rbac/test_views.py b/tests/www_rbac/test_views.py
index f6a3501504..6453124465 100644
--- a/tests/www_rbac/test_views.py
+++ b/tests/www_rbac/test_views.py
@@ -874,6 +874,17 @@ def login(self, username=None, password=None):
role=role_admin,
password='test')
+ role_user = self.appbuilder.sm.find_role('User')
+ test_user = self.appbuilder.sm.find_user(username='test_user')
+ if not test_user:
+ self.appbuilder.sm.add_user(
+ username='test_user',
+ first_name='test_user',
+ last_name='test_user',
+ email='[email protected]',
+ role=role_user,
+ password='test_user')
+
dag_acl_role = self.appbuilder.sm.add_role('dag_acl_tester')
dag_tester = self.appbuilder.sm.find_user(username='dag_tester')
if not dag_tester:
@@ -1314,6 +1325,50 @@ def test_tree_success_for_read_only_role(self):
resp = self.client.get(url, follow_redirects=True)
self.check_content_in_response('runme_1', resp)
+ def test_log_success(self):
+ self.logout()
+ self.login()
+ url =
('log?task_id=runme_0&dag_id=example_bash_operator&execution_date={}'
+ .format(self.percent_encode(self.default_date)))
+ resp = self.client.get(url, follow_redirects=True)
+ self.check_content_in_response('Log by attempts', resp)
+ url =
('get_logs_with_metadata?task_id=runme_0&dag_id=example_bash_operator&'
+ 'execution_date={}&try_number=1&metadata=null'
+ .format(self.percent_encode(self.default_date)))
+ resp = self.client.get(url, follow_redirects=True)
+ self.check_content_in_response('"message":', resp)
+ self.check_content_in_response('"metadata":', resp)
+
+ def test_log_failure(self):
+ self.logout()
+ self.login(username='dag_faker',
+ password='dag_faker')
+ url =
('log?task_id=runme_0&dag_id=example_bash_operator&execution_date={}'
+ .format(self.percent_encode(self.default_date)))
+ resp = self.client.get(url, follow_redirects=True)
+ self.check_content_not_in_response('Log by attempts', resp)
+ url =
('get_logs_with_metadata?task_id=runme_0&dag_id=example_bash_operator&'
+ 'execution_date={}&try_number=1&metadata=null'
+ .format(self.percent_encode(self.default_date)))
+ resp = self.client.get(url, follow_redirects=True)
+ self.check_content_not_in_response('"message":', resp)
+ self.check_content_not_in_response('"metadata":', resp)
+
+ def test_log_success_for_user(self):
+ self.logout()
+ self.login(username='test_user',
+ password='test_user')
+ url =
('log?task_id=runme_0&dag_id=example_bash_operator&execution_date={}'
+ .format(self.percent_encode(self.default_date)))
+ resp = self.client.get(url, follow_redirects=True)
+ self.check_content_in_response('Log by attempts', resp)
+ url =
('get_logs_with_metadata?task_id=runme_0&dag_id=example_bash_operator&'
+ 'execution_date={}&try_number=1&metadata=null'
+ .format(self.percent_encode(self.default_date)))
+ resp = self.client.get(url, follow_redirects=True)
+ self.check_content_in_response('"message":', resp)
+ self.check_content_in_response('"metadata":', resp)
+
if __name__ == '__main__':
unittest.main()
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> Only admin can view logs in RBAC UI
> -----------------------------------
>
> Key: AIRFLOW-3072
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3072
> Project: Apache Airflow
> Issue Type: Bug
> Components: ui
> Affects Versions: 1.10.0
> Reporter: Stefan Seelmann
> Assignee: Stefan Seelmann
> Priority: Major
>
> With RBAC enabled, only users with role admin can view logs.
> The default roles (excluding public) include permission {{can_log}} which
> allows to open the /log page, however the actual log message is loaded with
> another XHR request which required the additional permission
> {{get_logs_with_metadata}}.
> My suggestion is to add the permission and assign tog viewer role. Or is
> there a cause why only admin should be able to see logs?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
