
Failed to manage per-DAG permission in clearing DAG run

Open twang90 opened this issue 3 years ago • 5 comments

Apache Airflow version

Other Airflow 2 version

What happened

I am using Airflow 2.2.4 and I am trying to achieve per-DAG permissions. I want to give a role permissions to clear some DAGs' status on the UI (so that they can re-run a task). According to https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html#dag-level-role, "Clear DAG run" requires "DAGs.can_edit, Task Instances.can_delete", but when I gave the role permissions to can edit on DAG:xxx, can delete on Task Instances, it can clear DAG runs on all DAGs. I am wondering if it's a bug, or if there are some other ways to achieve this. Thanks!

What you think should happen instead

When I gave the role permissions to can edit on DAG:xxx, can delete on Task Instances, the role can clear the task status on DAG xxx, but it can't clear status on any other DAGs.

How to reproduce

On an existing Airflow service,

  1. Use an account with Admin role, create a new role, e.g. TestClearRole
  2. Pick a DAG, e.g. DagToTest; assume it has other DAGs, e.g. DagWithoutPermission.
  3. Add TestClearRole with permissions, can edit on DAG:DagToTest, can delete on Task Instances
  4. Using an account with TestClearRole role, clear the status of one task in DagWithoutPermission. The user should have permissions to clear its status. But I think the right behavior should be the user cannot.

Operating System

Airflow UI

Versions of Apache Airflow Providers

No response

Deployment

Official Apache Airflow Helm Chart

Deployment details

No response

Anything else

No response

Are you willing to submit PR?

  • [X] Yes I am willing to submit a PR!

Code of Conduct

twang90 avatar Aug 05 '22 21:08 twang90

Thanks for opening your first issue here! Be sure to follow the issue template!

boring-cyborg[bot] avatar Aug 05 '22 21:08 boring-cyborg[bot]

Feel free to take a look and see if you can provide a PR

potiuk avatar Aug 06 '22 11:08 potiuk

#16634 seemed to have fixed this problem but I observed a different behavior. I am not sure if I understand the documentation correctly. I am not very familiar with the Airflow code, so not sure if I can fix it or not.

twang90 avatar Aug 08 '22 17:08 twang90

Are you sure that the user you are mentioning in your example only has TestClearRole? It's relatively easy to get lost in this but if your user has multiple roles, it's probably the other roles that give him access to clear it.

For reference: we are on 2.2.3 and it works like a charm. We are managing around 200 users without any issues.

Jorricks avatar Aug 09 '22 05:08 Jorricks

Thanks for the reply. The user has TestClearRole and Viewer role, so I think Viewer should not give them access to clear other DAGs. Not sure what's going on...

twang90 avatar Aug 09 '22 16:08 twang90
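The multi-role check suggested in the thread, as an added example that is not Airflow code and not from any participant: it models the semantics the quoted documentation describes, assuming a user's permissions are the union of their roles and that `can_edit` on the global `DAGs` resource covers every DAG. The role contents are constructed for illustration and `LegacyOps` is a hypothetical extra role.

```python
# Added example: simplified model of role-union permission checks, not Airflow code.
GLOBAL_DAGS = "DAGs"               # resource that covers every DAG
TASK_INSTANCES = "Task Instances"

# Constructed role contents (not dumped from a real deployment).
ROLES = {
    "TestClearRole": {("can_edit", "DAG:DagToTest"), ("can_delete", TASK_INSTANCES)},
    "Viewer": {("can_read", GLOBAL_DAGS), ("can_read", TASK_INSTANCES)},
    "LegacyOps": {("can_edit", GLOBAL_DAGS)},  # hypothetical role with global edit
}


def effective_permissions(role_names, roles=ROLES):
    """Union of (action, resource) pairs across all roles a user holds."""
    perms = set()
    for name in role_names:
        perms |= roles[name]
    return perms


def edit_grants(role_names, dag_id, roles=ROLES):
    """Names of the roles that grant can_edit on dag_id, globally or per DAG."""
    wanted = {("can_edit", GLOBAL_DAGS), ("can_edit", f"DAG:{dag_id}")}
    return sorted(name for name in role_names if roles[name] & wanted)


def can_clear(role_names, dag_id, roles=ROLES):
    """Clear DAG run: edit access to the DAG plus Task Instances.can_delete."""
    perms = effective_permissions(role_names, roles)
    has_edit = bool(edit_grants(role_names, dag_id, roles))
    return has_edit and ("can_delete", TASK_INSTANCES) in perms


if __name__ == "__main__":
    users = (
        ["TestClearRole", "Viewer"],
        ["TestClearRole", "Viewer", "LegacyOps"],
    )
    for user_roles in users:
        for dag in ("DagToTest", "DagWithoutPermission"):
            print(user_roles, dag, can_clear(user_roles, dag),
                  "edit granted by:", edit_grants(user_roles, dag))
```

Under this model a user with only TestClearRole and Viewer cannot clear DagWithoutPermission, so access to it would have to come from another role or from behavior outside the model.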