
Empty logs screen when user tries to view task logs without having can read task log permission

Open sreenusuuda opened this issue 1 year ago • 1 comments

Apache Airflow version

2.8.1

If "Other Airflow 2 version" selected, which one?

No response

What happened?

No Access denied message when user tries to view task logs without having tasklog.get permission

What you think should happen instead?

The user should be shown an access denied message.

How to reproduce

  1. Create a new user and assign the user the can edit dags, can read dag runs, can edit dag runs and can read task instances permissions.
  2. Try to log in with the user and click on the specific DAG.
  3. Select task and click on logs.

Operating System

mac os

Versions of Apache Airflow Providers

No response

Deployment

Docker-Compose

Deployment details

No response

Anything else?

No response

Are you willing to submit PR?

  • [ ] Yes I am willing to submit a PR!

Code of Conduct

sreenusuuda, Feb 15 '24 15:02

I just double-checked and can confirm the log button in the UI is displayed irrespective of the user having access to logs. So if the user is lacking permissions the access is correctly blocked. Tested with both the UI and the API.

Do you report this mainly as a UI glitch and have a use case to restrict your users for this purpose? Or is this an artifact of a pen test and you are just reporting small glitches/inconsistencies?

Otherwise, are you willing to raise a corrective PR to render buttons in UI conditionally?

jscheffl, Feb 20 '24 22:02

We typically receive an 'Access Denied' message when a user lacks the necessary permissions. Displaying this message helps users understand that they do not have the required permission.

sreenusuuda, Feb 23 '24 13:02

> We typically receive an 'Access Denied' message when a user lacks the necessary permissions. Displaying this message helps users understand that they do not have the required permission.

In many cases it is bad security practice to reveal such a condition to the user; it gives a potential attacker more information than needed, so we deliberately opted for NOT FOUND in this case, regardless of whether the log file is there or whether you have a badly configured system. This information is useless to the user, because the user cannot do anything about it; the user has to report it to the Deployment Manager (the person who manages Airflow). And that person can (and SHOULD) look for details about the error in the log file of the webserver (and they will find it there all right).

So this is all deliberate, secure and as expected. No changes are planned here.

potiuk, Feb 23 '24 16:02
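
The design described in the last comment (one NOT FOUND answer for every failure cause, with the real reason written only to the webserver log) can be illustrated as follows. This is an added example, not Airflow's code; the permission names, the logger name, the `get_task_log` function and the sample data are all constructed for illustration.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("webserver.task_logs")  # hypothetical logger name


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# The single answer a client sees for every refusal.
NOT_FOUND = Response(404, "Log not found")

# Constructed sample data: permissions per user and stored task logs.
PERMISSIONS = {
    "alice": {"can_read_task_instance", "can_read_task_log"},
    "bob": {"can_read_task_instance"},  # no task-log permission
}
LOG_STORE = {("example_dag", "extract"): "INFO - task finished\n"}


def get_task_log(user, dag_id, task_id, log_store=LOG_STORE):
    """Return the task log, or the same 404 whatever the failure cause."""
    key = (dag_id, task_id)
    if "can_read_task_log" not in PERMISSIONS.get(user, set()):
        reason = "permission_denied"
    elif log_store is None:
        reason = "log_backend_misconfigured"
    elif key not in log_store:
        reason = "log_missing"
    else:
        return Response(200, log_store[key])
    # The cause is recorded server-side only, for the deployment manager.
    # %r keeps request-supplied values from injecting extra log lines.
    log.warning(
        "task log request refused: user=%r dag=%r task=%r reason=%s",
        user, dag_id, task_id, reason,
    )
    return NOT_FOUND
```

A client cannot tell the three refusal cases apart from the response, while the server log carries a distinct `reason=` value for each.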