airflow
Make pause DAG its own role separate from edit DAG
Description
As an Airflow administrator I would like to be able to configure a user account with permissions to be able to "clear" and re-run a DAG run but also not be able to pause a DAG.
Currently this doesn't appear to be possible as Toggle DAG paused status and Clear DAG Run both come from the same DAGs.can_edit permission set.
Use case/motivation
A failure such as an unexpected reboot may require a non-privileged user to restart a run - without needing a huge amount of permissions.
It is really easy to click and pause a DAG when viewing / browsing in the UI.
Either cancelling an existing dag run or preventing further runs from proceeding can be an issue.
This happened a few times and has caused issues as the DAG was paused preventing important ETLs from running at their scheduled times.
Related issues
No response
Are you willing to submit a PR?
- [ ] Yes I am willing to submit a PR!
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
Thanks for opening your first issue here! Be sure to follow the issue template!
Marked as a good-first-issue. Maybe someone would like to take it on. But if you feel like that @brettplarson the surest way to get it implemented is for you to contribute it :). You could join some 2000 contributors to Airflow.
@potiuk I would like to work on this as my first contribution. I would appreciate any mentorship through the process. I'm going to work this weekend to get everything cloned and start investigating. Thanks!
Sure :). Go ahead and ask questions. Ideally - in #airflow-how-to-pr channel in our slack so that it does not rely on me being present. There are plenty of contributors who can help. It does not have to be me.
@danielbeach are you still working on this issue?
@eladkal nope.
@eladkal @potiuk is this issue still relevant? I would like to contribute
Feel free.
@mmenarguezpear are you still working on this issue?
Hi,
I'm patching the permission, modifying the security manager, views and templates and it seems good so far. If this issue is not progressing, I'd like to continue working on tests and make a PR. Thanks
@herlambang assigning to you
Hi folks, we are looking forward to this feature in our org. Wondering if the PR is still active? I see it was closed automatically.
You can take it over if you care for it and lead it to completion if you do not hear back.
Thanks @potiuk Yes I would like to contribute here. Would create another pr once I have things tested and ready.
Is anyone working on this? I believe we should reschedule this to 3.1+ otherwise
I think this can be in 3.1+. I'll pick this up.
Seems exciting! I can work on this if that’s okay.
I had three questions:
- You don't need this in the SimpleAuthManager right? Only FAB and AWS?
- What would you like to call this new role that can edit but not pause?
@rawwar
> You don't need this in the SimpleAuthManager right? Only FAB and AWS?
@pierrejeambrun, currently, "pause/unpause" invokes the patch dag endpoint with update_mask having "is_paused" set to True or False. Do you think we should have a separate dependency check (something like "can_pause_dag"), or do you think this needs to be an additional DagAccessEntity (I don't think this is the way)?
I'm unsure there. I understand the use case but pausing a dag really is patching / updating a Dag, if we start spinning up multiple permissions depending on the attributes, why not but I think we need to think this through beforehand and what it implies for our permission system.
Just checked and it really looks like our permissions checks are only based on both method and entities, so I'm not sure we can implement this in the current form. (and as you mentioned adding a PausedDag access entity doesn't sound right)
I think one way to do this is to support specific "Deny" rules. But this is not going to be user friendly at scale, given that blocking access per entity per user is going to make it a nightmare.
Oh but we have action_permissions too. (can_edit, can_delete, etc), method just map to action, so yes we could easily add a can_pause action. (That's for the Fab manager, at least)
Also just to mention that the current patch dag endpoint only accepts updating the "is_paused" attribute. So basically there is nothing to dissociate for now. (patch_dag is basically just a pause dag for now)
Tbh I would be for closing this. At the moment it's not relevant because we cannot edit anything else in the DAG but the "paused" attribute. I would re-open if we are to add more updatable attributes to the endpoint. (Which is not planned at the moment).
WDYT ?
Yeah. I agree with that.
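A sketch of the `can_pause` action idea discussed in this thread, added here as an example; it is not Airflow code and not from any participant. It derives the required action from the request's `update_mask` and fails closed when the mask is missing. The function names, the operation names, the `OPERATOR` role and the action name `can_pause` are assumptions.

```python
# Added illustration only: these names are hypothetical, not Airflow's auth-manager API.
PAUSE_FIELDS = frozenset({"is_paused"})


def required_actions(operation, update_mask=None, field_aware=True):
    """Return the set of DAG actions a request must hold."""
    if operation == "clear_dag_run":
        return {"can_edit"}
    if operation != "patch_dag":
        raise ValueError(f"unknown operation: {operation}")
    if not field_aware:
        # Coarse model from the thread: the check depends on method and entity only.
        return {"can_edit"}
    fields = set(update_mask or ())
    if not fields:
        # No mask: the body could touch any attribute, so fail closed and require both.
        return {"can_edit", "can_pause"}
    needed = set()
    if fields & PAUSE_FIELDS:
        needed.add("can_pause")
    if fields - PAUSE_FIELDS:
        # Any other attribute in the mask still needs the general edit action.
        needed.add("can_edit")
    return needed


def is_authorized(granted, operation, update_mask=None, field_aware=True):
    """True when the granted actions cover everything the request needs."""
    return required_actions(operation, update_mask, field_aware) <= set(granted)


# Constructed role for the issue's use case: may clear and re-run, must not pause.
OPERATOR = {"can_read", "can_edit"}


def demo():
    return {
        "coarse_pause": is_authorized(OPERATOR, "patch_dag", ["is_paused"], field_aware=False),
        "split_pause": is_authorized(OPERATOR, "patch_dag", ["is_paused"]),
        "split_clear": is_authorized(OPERATOR, "clear_dag_run"),
        "split_no_mask": is_authorized(OPERATOR, "patch_dag", None),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```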