[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[ https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16998116#comment-16998116 ]

Ash Berlin-Taylor commented on AIRFLOW-4888:

Never really got any further with this -- https://gist.github.com/ashb/f43741740fb0eae59948d52634cda575 is the skeleton of what could become a migration framework to add this sort of migration in to alembic.

I think I got stalled working out how to best do the models -- should we define classes like in the gist, or import the FAB models directly?

> Add migration system for adding RBAC permissions to existing roles
> ------------------------------------------------------------------
>
> Key: AIRFLOW-4888
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4888
> Project: Apache Airflow
> Issue Type: Bug
> Components: core
> Affects Versions: 2.0.0
> Reporter: Ash Berlin-Taylor
> Priority: Major
> Labels: permissions
>
> In our clusters we don't allow any users to be Admin, so we use the Op, User
> and Viewer roles. It turns out that these roles are missing the
> {{can_dagrun_success}} and {{can_dagrun_failure}} permissions.
> Fixing this for new installs is easy, but due to AIRFLOW-3271
> (https://github.com/apache/airflow/pull/4118) we won't alter the roles if
> they already exist, so having some mechanism for adding permissions to roles
> via migrations might be useful.
> As a playground I started working on
> https://gist.github.com/ashb/f43741740fb0eae59948d52634cda575 - I'm not sure
> if this is too complex or not. (It's also not a complete solution yet)
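The kind of data migration the issue asks for, as an added example that is not taken from the thread or the linked gist: an additive, idempotent grant of the two missing permissions to roles that already exist. It runs against an in-memory SQLite stand-in named after FAB's `ab_*` security tables (columns trimmed); the `Airflow` view-menu name and the choice of `Op` and `User` as target roles are assumptions.

```python
import sqlite3

# Constructed stand-in for FAB's ab_* security tables (columns trimmed for the example).
SCHEMA = """
CREATE TABLE ab_role (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE ab_permission (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE ab_view_menu (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE ab_permission_view (id INTEGER PRIMARY KEY, permission_id INTEGER NOT NULL,
    view_menu_id INTEGER NOT NULL, UNIQUE (permission_id, view_menu_id));
CREATE TABLE ab_permission_view_role (id INTEGER PRIMARY KEY, permission_view_id INTEGER NOT NULL,
    role_id INTEGER NOT NULL, UNIQUE (permission_view_id, role_id));
"""

def _get_or_create(conn, table, name):
    # `table` is a constant from this module, never user input.
    conn.execute(f"INSERT OR IGNORE INTO {table} (name) VALUES (?)", (name,))
    return conn.execute(f"SELECT id FROM {table} WHERE name = ?", (name,)).fetchone()[0]

def add_permissions_to_roles(conn, view_menu, permissions, roles):
    """Additive, idempotent grant; returns the (role, permission) pairs newly granted."""
    granted = []
    with conn:  # one transaction: commit on success, roll back on any error
        # Only roles that already exist are touched; a role an admin deleted stays deleted.
        role_ids = {n: i for i, n in conn.execute("SELECT id, name FROM ab_role") if n in roles}
        vm_id = _get_or_create(conn, "ab_view_menu", view_menu)
        for perm in permissions:
            perm_id = _get_or_create(conn, "ab_permission", perm)
            conn.execute("INSERT OR IGNORE INTO ab_permission_view (permission_id, view_menu_id) "
                         "VALUES (?, ?)", (perm_id, vm_id))
            pv_id = conn.execute("SELECT id FROM ab_permission_view WHERE permission_id = ? "
                                 "AND view_menu_id = ?", (perm_id, vm_id)).fetchone()[0]
            for role, role_id in role_ids.items():
                cur = conn.execute("INSERT OR IGNORE INTO ab_permission_view_role "
                                   "(permission_view_id, role_id) VALUES (?, ?)", (pv_id, role_id))
                if cur.rowcount:  # 0 when the grant was already present
                    granted.append((role, perm))
    return granted

def role_permissions(conn, role):
    rows = conn.execute("SELECT p.name FROM ab_permission_view_role pvr "
        "JOIN ab_role r ON r.id = pvr.role_id JOIN ab_permission_view pv ON pv.id = pvr.permission_view_id "
        "JOIN ab_permission p ON p.id = pv.permission_id WHERE r.name = ? ORDER BY p.name", (role,))
    return [row[0] for row in rows]

def demo_db():
    # Constructed pre-upgrade state: the three default roles exist, none has the permissions.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + "INSERT INTO ab_role (name) VALUES ('Op'), ('User'), ('Viewer');")
    return conn
```

Because the function only inserts missing rows and never deletes, a second run returns an empty list and any permissions an administrator changed by hand are left alone.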
[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[ https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16997781#comment-16997781 ]

Kaxil Naik commented on AIRFLOW-4888:

Any thoughts, updates or progress on this [~ash] [~TaoFeng] [~xddeng]?
[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[ https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16878006#comment-16878006 ]

Ash Berlin-Taylor commented on AIRFLOW-4888:

[~XD-DENG] Admin users are able to edit the permissions, but needing anyone who wants to use Op/User roles adding some permissions seems wrong - it's a "missing" permission in the default install so I feel we should fix it for everyone.

(Plus we don't allow _any_ users to be admins in our cluster. We're strange like that)
[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[ https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16877986#comment-16877986 ]

Ash Berlin-Taylor commented on AIRFLOW-4888:

Yeah, I'm thinking about the upgrade path from ~1.10.0 to 1.10.4 and 2.0.0 onwards.

I haven't worked out the exact details of what the migration would do (I think maybe just invoke FAB SecurityManager code directly. Not sure, but I think that is less fragile than creating migrations for the FAB security models as they aren't "ours"
[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[ https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16877984#comment-16877984 ]

Tao Feng commented on AIRFLOW-4888:

[~ash] I vaguely remembered the issue was due to the fact that I changed the permission for the default roles? I assume if we are going to make a migration script, it is mostly for migration from old 1.10 setup to 1.10.2/1.10.3?

The only concern is that RBAC model has many different tables. I am not sure how easily to cover it in a migration script. And should we move the model files inside airflow as well? If you feel it is not complicated, I am +1 for the migration script.
[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[ https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16877956#comment-16877956 ]

Xiaodong DENG commented on AIRFLOW-4888:

[~ash] not sure if I get your point completely.

But https://issues.apache.org/jira/browse/AIRFLOW-3271 is fixed by [https://github.com/apache/airflow/pull/4118] and released in 1.10.2 (and RBAC is only generally available from 1.10.0 if I'm not wrong), meaning from 1.10.2, users are able to edit permissions in UI and the changes would persist.

Why should we provide separate migration tool? Or is there more specific scenario?
[jira] [Commented] (AIRFLOW-4888) Add migration system for adding RBAC permissions to existing roles
[ https://issues.apache.org/jira/browse/AIRFLOW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16877525#comment-16877525 ]

Ash Berlin-Taylor commented on AIRFLOW-4888:

[~TaoFeng] [~XD-DENG] We were discussing this a few months ago. Do you have thoughts on how best to handle it? I can make the permissions migrations work if we think it's the way to go.