[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[
https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16998116#comment-16998116
]
Ash Berlin-Taylor commented on AIRFLOW-4888:
Never really got any further with this --
https://gist.github.com/ashb/f43741740fb0eae59948d52634cda575 is the skeleton
of what could become a migration framework to add this sort of migration in to
alembic. I think I got stalled working out how to best to the models -- should
we define classes link in the gist, or import the FAB models directly?
> Add migration system for adding RBAC permissions to existing roles
> --
>
> Key: AIRFLOW-4888
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4888
> Project: Apache Airflow
> Issue Type: Bug
> Components: core
>Affects Versions: 2.0.0
>Reporter: Ash Berlin-Taylor
>Priority: Major
> Labels: permissions
>
> In our clusters we don't allow any users to be Admin, so we use the Op, User
> and Viewer roles. It turns out that these roles are missing the
> {{can_dagrun_success}} and {{can_dagrun_failure}} permissions.
> Fixing this for new installs is easy, but due to AIRFLOW-3271
> (https://github.com/apache/airflow/pull/4118) we won't alter the roles if
> they already exist, so having some mechanism for adding permissions to roles
> via migrations might be useful.
> As a palyground I started working on
> https://gist.github.com/ashb/f43741740fb0eae59948d52634cda575 - I'm not sure
> if this is too complex or not. (It's also not a complete solution yet)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[
https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16997781#comment-16997781
]
Kaxil Naik commented on AIRFLOW-4888:
-
Any thoughts, updates or progress on this [~ash] [~TaoFeng] [~xddeng]?
> Add migration system for adding RBAC permissions to existing roles
> --
>
> Key: AIRFLOW-4888
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4888
> Project: Apache Airflow
> Issue Type: Bug
> Components: core
>Affects Versions: 2.0.0
>Reporter: Ash Berlin-Taylor
>Priority: Major
> Labels: permissions
>
> In our clusters we don't allow any users to be Admin, so we use the Op, User
> and Viewer roles. It turns out that these roles are missing the
> {{can_dagrun_success}} and {{can_dagrun_failure}} permissions.
> Fixing this for new installs is easy, but due to AIRFLOW-3271
> (https://github.com/apache/airflow/pull/4118) we won't alter the roles if
> they already exist, so having some mechanism for adding permissions to roles
> via migrations might be useful.
> As a palyground I started working on
> https://gist.github.com/ashb/f43741740fb0eae59948d52634cda575 - I'm not sure
> if this is too complex or not. (It's also not a complete solution yet)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[
https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16878006#comment-16878006
]
Ash Berlin-Taylor commented on AIRFLOW-4888:
[~XD-DENG] Admin users are able top edit the permissions, but needing anyone
who wants to use Op/User roles adding some permissions seems wrong - it's a
"missing" permission in the default install so I feel we should fix it for
everyone.
(Plus we don't allow _any_ users to be admins in our cluster. We're strange
like that)
> Add migration system for adding RBAC permissions to existing roles
> --
>
> Key: AIRFLOW-4888
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4888
> Project: Apache Airflow
> Issue Type: Bug
> Components: core
>Affects Versions: 2.0.0
>Reporter: Ash Berlin-Taylor
>Priority: Major
> Labels: permissions
>
> In our clusters we don't allow any users to be Admin, so we use the Op, User
> and Viewer roles. It turns out that these roles are missing the
> {{can_dagrun_success}} and {{can_dagrun_failure}} permissions.
> Fixing this for new installs is easy, but due to AIRFLOW-3271
> (https://github.com/apache/airflow/pull/4118) we won't alter the roles if
> they already exist, so having some mechanism for adding permissions to roles
> via migrations might be useful.
> As a palyground I started working on
> https://gist.github.com/ashb/f43741740fb0eae59948d52634cda575 - I'm not sure
> if this is too complex or not. (It's also not a complete solution yet)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[
https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16877986#comment-16877986
]
Ash Berlin-Taylor commented on AIRFLOW-4888:
Yeah, I'm thinking about the upgrade path from ~1.10.0 to 1.10.4 and 2.0.0
onwards.
I haven't worked out the exact details of what the migration would do (I think
maybe just invoke FAB SecurityManager code directly. Not sure, but I think that
is less fragile than creating migrations for the FAB security models as they
aren't "ours"
> Add migration system for adding RBAC permissions to existing roles
> --
>
> Key: AIRFLOW-4888
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4888
> Project: Apache Airflow
> Issue Type: Bug
> Components: core
>Affects Versions: 2.0.0
>Reporter: Ash Berlin-Taylor
>Priority: Major
> Labels: permissions
>
> In our clusters we don't allow any users to be Admin, so we use the Op, User
> and Viewer roles. It turns out that these roles are missing the
> {{can_dagrun_success}} and {{can_dagrun_failure}} permissions.
> Fixing this for new installs is easy, but due to AIRFLOW-3271
> (https://github.com/apache/airflow/pull/4118) we won't alter the roles if
> they already exist, so having some mechanism for adding permissions to roles
> via migrations might be useful.
> As a palyground I started working on
> https://gist.github.com/ashb/f43741740fb0eae59948d52634cda575 - I'm not sure
> if this is too complex or not. (It's also not a complete solution yet)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[
https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16877984#comment-16877984
]
Tao Feng commented on AIRFLOW-4888:
---
[~ash] I vaguely remembered the issue was due to the fact that I changed the
permission for the default roles?I assume if we are going to make a migration
script, it is mostly for migration from old 1.10 setup to 1.10.2/1.10.3?
The only concern is that RBAC model has many different tables. I am not sure
how easily to cover it in a migration script. And should we move the model
files inside airflow as well? If you feel it is not complicated, I am +1 for
the migration script.
> Add migration system for adding RBAC permissions to existing roles
> --
>
> Key: AIRFLOW-4888
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4888
> Project: Apache Airflow
> Issue Type: Bug
> Components: core
>Affects Versions: 2.0.0
>Reporter: Ash Berlin-Taylor
>Priority: Major
> Labels: permissions
>
> In our clusters we don't allow any users to be Admin, so we use the Op, User
> and Viewer roles. It turns out that these roles are missing the
> {{can_dagrun_success}} and {{can_dagrun_failure}} permissions.
> Fixing this for new installs is easy, but due to AIRFLOW-3271
> (https://github.com/apache/airflow/pull/4118) we won't alter the roles if
> they already exist, so having some mechanism for adding permissions to roles
> via migrations might be useful.
> As a palyground I started working on
> https://gist.github.com/ashb/f43741740fb0eae59948d52634cda575 - I'm not sure
> if this is too complex or not. (It's also not a complete solution yet)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[
https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16877956#comment-16877956
]
Xiaodong DENG commented on AIRFLOW-4888:
[~ash] not sure if I get your point completely. But
https://issues.apache.org/jira/browse/AIRFLOW-3271 is fixed by
[https://github.com/apache/airflow/pull/4118] and released in 1.10.2 (and RBAC
is only generally available from 1.10.0 if I'm not wrong), meaning from 1.10.2,
users are able to edit permissions in UI and the changes would persist. Why
should we provide separate migration tool? Or is there more specific scenario?
> Add migration system for adding RBAC permissions to existing roles
> --
>
> Key: AIRFLOW-4888
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4888
> Project: Apache Airflow
> Issue Type: Bug
> Components: core
>Affects Versions: 2.0.0
>Reporter: Ash Berlin-Taylor
>Priority: Major
> Labels: permissions
>
> In our clusters we don't allow any users to be Admin, so we use the Op, User
> and Viewer roles. It turns out that these roles are missing the
> {{can_dagrun_success}} and {{can_dagrun_failure}} permissions.
> Fixing this for new installs is easy, but due to AIRFLOW-3271
> (https://github.com/apache/airflow/pull/4118) we won't alter the roles if
> they already exist, so having some mechanism for adding permissions to roles
> via migrations might be useful.
> As a palyground I started working on
> https://gist.github.com/ashb/f43741740fb0eae59948d52634cda575 - I'm not sure
> if this is too complex or not. (It's also not a complete solution yet)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[
https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16877525#comment-16877525
]
Ash Berlin-Taylor commented on AIRFLOW-4888:
[~TaoFeng] [~XD-DENG] We were discussing this a few months ago. Do you have
thoughts on how best to handle it? I can make the permissions migrations work
if we think it's the way to go.
> Add migration system for adding RBAC permissions to existing roles
> --
>
> Key: AIRFLOW-4888
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4888
> Project: Apache Airflow
> Issue Type: Bug
> Components: core
>Affects Versions: 2.0.0
>Reporter: Ash Berlin-Taylor
>Priority: Major
> Labels: permissions
>
> In our clusters we don't allow any users to be Admin, so we use the Op, User
> and Viewer roles. It turns out that these roles are missing the
> {{can_dagrun_success}} and {{can_dagrun_failure}} permissions.
> Fixing this for new installs is easy, but due to AIRFLOW-3271
> (https://github.com/apache/airflow/pull/4118) we won't alter the roles if
> they already exist, so having some mechanism for adding permissions to roles
> via migrations might be useful.
> As a palyground I started working on
> https://gist.github.com/ashb/f43741740fb0eae59948d52634cda575 - I'm not sure
> if this is too complex or not. (It's also not a complete solution yet)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
