Message we show when user lacks website permission but has other permissions is wrong.

Open sreenusuuda opened this issue 1 year ago • 1 comments

Apache Airflow version

2.8.1

If "Other Airflow 2 version" selected, which one?

No response

What happened?

We are displaying "Your user has no roles and/or permissions!" when the user lacks website permission but has other permissions.

What you think should happen instead?

We should show a proper message saying the user lacks website permission.

How to reproduce

  1. Remove the can read website permission from the list of permissions.
  2. Try to log in to the Airflow website.

Operating System

macOS

Versions of Apache Airflow Providers

No response

Deployment

Docker-Compose

Deployment details

No response

Anything else?

No response

Are you willing to submit PR?

  • [ ] Yes I am willing to submit a PR!

Code of Conduct

sreenusuuda, Feb 15 '24 16:02

To use the Web UI in general, some basic permissions are needed. On top of the basic permissions, most actions/verbs have specific permissions assigned, e.g. to view DAGs, change state or even have admin privileges.

Yes, and without the basic access permissions the UI is probably not usable, but if other functions are permitted then the API might be used.

Is this a real functional problem for you, or are you missing documentation about all the permission settings available in the UI? I'd rather call this a feature, not a bug.

jscheffl, Feb 20 '24 22:02

The current message states, 'Your user has no roles and/or permissions!', implying that the user doesn't have any role or permission assigned, even though they may have other permissions except for the website. Instead, displaying a message like 'User lacks website permission' would provide clearer information.

sreenusuuda, Feb 23 '24 13:02

Similarly to the case of the other issue: revealing more security information to someone who tries to get access to resources and does not have them is considered a bad security practice, and we deliberately reveal the absolute minimum. The Deployment Manager has the possibility and can in this case look at the logs and find out the details there.

This is all deliberate and secure, and there are no plans to change it.

potiuk, Feb 23 '24 16:02
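
The pattern described in the last reply (one uniform message for the user, the specific reason only in the server log) can be sketched as follows. This is an added example, not Airflow's own code: the function name, the logger name and the `(action, resource)` permission tuples are assumptions made for illustration.

```python
import logging

# Hypothetical logger name; in a real deployment this is the server-side log
# that the Deployment Manager reads.
log = logging.getLogger("access_check")

# The user-facing text quoted in the issue. It is the same for every denial.
GENERIC_DENIAL = "Your user has no roles and/or permissions!"

# Assumed representation of the website permission as (action, resource).
WEBSITE_ACCESS = ("can_read", "Website")


def check_ui_access(username, permissions):
    """Return (allowed, user_message).

    The user-facing message never says which permission is missing, so a
    caller probing the login page cannot tell "no permissions at all" apart
    from "some permissions, but not the website one". The distinction is
    written to the log only.
    """
    perms = set(permissions)
    if WEBSITE_ACCESS in perms:
        return True, ""

    action, resource = WEBSITE_ACCESS
    if not perms:
        reason = "no roles or permissions assigned"
    else:
        reason = (
            f"has {len(perms)} other permission(s) "
            f"but lacks {action} on {resource}"
        )
    # Detail for the operator, not for the person at the login page.
    log.warning("UI access denied for user=%r: %s", username, reason)
    return False, GENERIC_DENIAL
```

With this split, the case reported in the issue (other permissions present, website permission absent) is distinguishable in the log while the response shown in the browser stays identical to the no-permissions case.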