Hi Kaxil,

After double-checking, I believe the Viewer access/permission issue is not a bug actually. Seems it's because the DAG-level access control feature is cherry-picked into 1.10.2rc3. But my understanding is this feature is still under development? @feng-tao kindly advise.

On the other hand, if we really plan to include DAG-level access control feature in 1.10.2, we should make sure the doc is consistent (for example, PR https://github.com/apache/airflow/pull/4426 should be included).

XD

On Mon, Jan 21, 2019 at 15:23 Naik Kaxil <k.n...@reply.com> wrote:

> Hi XD,
>
> I could not replicate that in non-rbac UI but could replicate it on RBAC one.
>
> Please check this screenshot https://imgur.com/a/TgiQItO for non-RBAC (Flask-Admin UI)
>
> All the below issues don't seem to be a blocker for this release, however I am open to views from all.
>
> (1) Errors not shown on RBAC UI
> (2) Viewer role issue on RBAC UI
> (3) K8s executor one is also just a matter of having short names for dag_id & task_id.
>
> Regards,
> Kaxil
>
> On 21/01/2019, 09:19, "Naik Kaxil" <k.n...@reply.com> wrote:
>
> Hi XD,
>
> I will test this and let you know.
>
> One more bug cropped up https://issues.apache.org/jira/browse/AIRFLOW-3737 . @fokko or someone with more K8s experience can have a look at it, please?
>
> Regards,
> Kaxil
>
> On 21/01/2019, 09:05, "Deng Xiaodong" <xd.den...@gmail.com> wrote:
>
> Hi Kaxil,
>
> I found another potential bug which is applicable for both RBAC and non-RBAC UI:
>
> Let’s say we’re trying to import a module which doesn’t exist at all, or have any syntax error in the DAG, the DAG will not be parsed. In addition, In earlier version, there will be a warning message appearing at the header part of the UI, describing what exact error there is.
>
> But this seems not working in 1.10.2rc3. I have tested with both UI.
>
> Please help confirm if you can reproduce this issue.
>
> Thanks.
>
> XD
>
> On Mon, Jan 21, 2019 at 13:29 Kaxil Naik <kaxiln...@gmail.com> wrote:
>
> > Hi Feng Tao,
> >
> > As mentioned in my previous email to XD, as this is not a BLOCKER and the fix exist as mentioned by Seelman, can you change your *vote back to +1 *. And we can fix that in the upcoming release with other fixes which should be quick and aim to release that in a month as well?
> >
> > RBAC is still not the default UI in this release, we have got all the features in, and using the fix @seelman mentioned, people can already start using it without any BIG issues.
> >
> > Regards,
> > Kaxil
> >
> > On Mon, Jan 21, 2019, 07:55 Tao Feng <fengta...@gmail.com wrote:
> >
> > > Thanks XD and Stefan. I see the issue now. I agree that this should be a bug which should be fixed. Please remove my +1 vote for release if possible.
> > >
> > > On Sun, Jan 20, 2019 at 11:12 PM Deng Xiaodong <xd.den...@gmail.com> wrote:
> > >
> > > > Hi Feng Tao,
> > > >
> > > > I tried again by deleting the DB and initdb again, the issue is still there.
> > > >
> > > > Please note the issue is not “see all the roles”. The issue is after logging in as a Viewer role, I can’t access the pages including Tree View, Graph View, Task Duration, Gantt, Code View, etc.
> > > >
> > > > XD
> > > >
> > > > On Mon, Jan 21, 2019 at 12:03 Tao Feng <fengta...@gmail.com> wrote:
> > > >
> > > > > Hi Xiaodong,
> > > > >
> > > > > I just tried with a viewer role which can't reproduce your issue. I could see all the roles without any issues. Have you reset your db with this rc?
> > > > >
> > > > > On Sun, Jan 20, 2019 at 9:50 PM Deng Xiaodong <xd.den...@gmail.com> wrote:
> > > > >
> > > > > > Hi Kaxil,
> > > > > >
> > > > > > A potential bug found in 1.10.2rc3.
> > > > > >
> > > > > > # Potential Bug:
> > > > > >
> > > > > > Viewer Role can't access pages to which it has permissions
> > > > > >
> > > > > > # How to Reproduce:
> > > > > >
> > > > > > - Under RBAC UI, create a user with "Viewer" role. Then use this account to log in.
> > > > > > - You will be able to access the main page. However, you will not be able to access any page of a specific DAG, including Tree, Graph View, Gantt, Code View, Landing Time, etc. Literally all the pages of a specific DAG. However, in the Role specs, View role has permissions to all these pages.
> > > > > >
> > > > > > - After clicking, users are redirected to the main page directly, without any explicit warning/error message like "Access Denied".
> > > > > >
> > > > > > # Remarks:
> > > > > >
> > > > > > - I have compared the default permissions which are granted to Viewer role between 1.10.0 and 1.10.2rc3. They are all the same.
> > > > > > - In 1.10.0, Viewer role can access all these pages without any issue.
> > > > > > - Seems this issue only exists for Viewer role.
> > > > > >
> > > > > > Please let me know if you can reproduce this issue.
> > > > > >
> > > > > > Please consider this as my -1 (non-binding) as well.
> > > > > >
> > > > > > Thanks!
> > > > > >
> > > > > > XD
> > > > > >
> > > > > > On Sat, Jan 19, 2019 at 22:06 Kaxil Naik <kaxiln...@gmail.com> wrote:
> > > > > >
> > > > > > > Hey all,
> > > > > > >
> > > > > > > I have cut Airflow 1.10.2 RC3. This email is calling a vote on the release, which will last for 72 hours. Consider this my (binding) +1.
> > > > > > >
> > > > > > > Airflow 1.10.2 RC3 is available at:
> > > > > > > https://dist.apache.org/repos/dist/dev/airflow/1.10.2rc3/
> > > > > > >
> > > > > > > *apache-airflow-1.10.2rc3-source.tar.gz* is a source release that comes with INSTALL instructions.
> > > > > > > *apache-airflow-1.10.2rc3-bin.tar.gz* is the binary Python "sdist" release.
> > > > > > >
> > > > > > > Public keys are available at:
> > > > > > > https://dist.apache.org/repos/dist/release/airflow/KEYS
> > > > > > >
> > > > > > > Only votes from PMC members are binding, but members of the community are encouraged to test the release and vote with "(non-binding)".
> > > > > > >
> > > > > > > Please note that the version number excludes the `rcX` string, so it's now simply 1.10.2. This will allow us to rename the artifact without modifying the artifact checksums when we actually release.
> > > > > > >
> > > > > > > Changes since 1.10.2rc2:
> > > > > > > *Bugs*:
> > > > > > > [AIRFLOW-3732] Fix issue when trying to edit connection in RBAC UI
> > > > > > > [AIRFLOW-2866] Fix missing CSRF token head when using RBAC UI (#3804)
> > > > > > > [AIRFLOW-3259] Fix internal server error when displaying charts (#4114)
> > > > > > > [AIRFLOW-3271] Fix issue with persistence of RBAC Permissions modified via UI (#4118)
> > > > > > > [AIRFLOW-3141] Handle duration View for missing dag (#3984)
> > > > > > > [AIRFLOW-2766] Respect shared datetime across tabs
> > > > > > > [AIRFLOW-1413] Fix FTPSensor failing on error message with unexpected (#2450)
> > > > > > > [AIRFLOW-3378] KubernetesPodOperator does not delete on timeout failure (#4218)
> > > > > > > [AIRFLOW-3245] Fix list processing in resolve_template_files (#4086)
> > > > > > > [AIRFLOW-2703] Catch transient DB exceptions from scheduler's heartbeat it does not crash (#3650)
> > > > > > > [AIRFLOW-1298] Clear UPSTREAM_FAILED using the clean cli (#3886)
> > > > > > >
> > > > > > > *Improvements*:
> > > > > > > [AIRFLOW-3302] Small CSS fixes (#4140)
> > > > > > > [Airflow-2766] Respect shared datetime across tabs
> > > > > > > [AIRFLOW-2776] Compress tree view JSON
> > > > > > > [AIRFLOW-2407] Use feature detection for reload() (#3298)
> > > > > > > [AIRFLOW-3452] Removed an unused/dangerous display-none (#4295)
> > > > > > > [AIRFLOW-3348] Update run statistics on dag refresh (#4197)
> > > > > > > [AIRFLOW-3125] Monitor Task Instances creation rates (#3966)
> > > > > > >
> > > > > > > *New features*:
> > > > > > > [AIRFLOW-2874] Enables FAB's theme support (#3719)
> > > > > > > [AIRFLOW-3336] Add new TriggerRule for 0 upstream failures (#4182)
> > > > > > >
> > > > > > > *Doc-only Change*:
> > > > > > > [AIRFLOW-XXX] Fix BashOperator Docstring (#4052)
> > > > > > > [AIRFLOW-3018] Fix Minor issues in Documentation
> > > > > > > [AIRFLOW-XXX] Fix Minor issues with Azure Cosmos Operator (#4289)
> > > > > > > [AIRFLOW-3382] Fix incorrect docstring in DatastoreHook (#4222)
> > > > > > > [AIRFLOW-XXX] Fix copy&paste mistake (#4212)
> > > > > > > [AIRFLOW-3260] Correct misleading BigQuery error (#4098)
> > > > > > > [AIRFLOW-XXX] Fix Typo in SFTPOperator docstring (#4016)
> > > > > > > [AIRFLOW-XXX] Fixing the issue in Documentation (#3998)
> > > > > > > [AIRFLOW-XXX] Fix undocumented params in S3_hook
> > > > > > > [AIRFLOW-XXX] Fix SlackWebhookOperator execute method comment (#3963)
> > > > > > > [AIRFLOW-3070] Refine web UI authentication-related docs (#3863)
> > > > > > >
> > > > > > > Regards,
> > > > > > > *Kaxil Naik*
>
> Kaxil Naik
>
> Data Reply
> Nova South
> 160 Victoria Street, Westminster
> London SW1E 5LB - UK
> phone: +44 (0)20 7730 6000
> k.n...@reply.com
> www.reply.com
>
> Kaxil Naik
>
> Data Reply
> Nova South
> 160 Victoria Street, Westminster
> London SW1E 5LB - UK
> phone: +44 (0)20 7730 6000
> k.n...@reply.com
> www.reply.com