DAG specific permissions cannot be split between 2 roles
Apache Airflow version
2.2.4
What happened
We would like to set up DAG specific permissions for users of our Airflow instance. We use LDAP for authentication, and have gotten AUTH_ROLES_MAPPING working correctly. Our issue lies on the Airflow FAB roles side.
I followed the instructions in this youtube video to set up DAG specific access: https://www.youtube.com/watch?v=s6TygwvYdN0
In that video, I was instructed to make a copy of the User role, rename it, remove the can read on DAGs and can edit on DAGs permissions, and then add DAG specific permissions to read and edit the specific DAG I want to grant access to. After assigning this role to a user, this works just fine as expected.
Our desired use-case is slightly different. What I would like to do is split these permissions between 2 new roles instead of just one. So, I'd like to make a copy of the User role (let's call it BaseRole) and remove the can edit on DAGs and can delete on DAGs permissions. Then, I would like to make a new empty role (with no permissions) and then add only the DAG specific permissions can read on DAG:<dag-name> and can edit on DAG:<dag-name>. Finally, I'd like to add both of these roles to a user, and I expect the exact same results as in the previous paragraph. However, this does not work. The user is able to turn the DAG on and off, but is unable to view the DAG or perform any actions like running a task.
What you think should happen instead
We should be able to split permissions between 2 different roles rather than requiring a single role to have all appropriate permissions. Functionality with all desired permissions in one role should be identical to those same permissions split between 2 roles.
How to reproduce
- Make a copy of the User role (let's call it BaseRole) and remove the can edit on DAGs and can delete on DAGs permissions.
- Make a new empty role (with no permissions, let's call it TestRole) and then add only the DAG specific permissions for 1 DAG (can read on DAG:<dag-name> and can edit on DAG:<dag-name>).
- Create a new user called TestUser with only the above 2 roles BaseRole and TestRole
- Log into Airflow as the TestUser and try to access the <dag-name> DAG. You should see it in the interface as expected, and will be able to turn it on or off from the homepage, but if you try to click into it to see the tasks, it will fail with Access is denied.
Operating System
Running in Docker on Kubernetes
Versions of Apache Airflow Providers
None relevant to this issue
Deployment
Other 3rd-party Helm chart
Deployment details
We have written a customized Helm chart for our purposes with some extra resources like service accounts and things. We are extending the existing official Airflow Helm chart:
dependencies:
  - name: airflow
    version: 1.5.0
    repository: https://airflow.apache.org/
Anything else
No response
Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
Thanks for opening your first issue here! Be sure to follow the issue template!
I should note that the reasoning behind our desire for this functionality is so that for new roles, all we have to do is set up the AUTH_ROLES_MAPPING for the new Role and then permissions can be managed directly in DAG code with access_control rather than requiring the manual step of copying a role for every new Role we want.
This is unlikely to be handled before we get multitenancy implemented.