
Received 403 error when user having DAGs.can_edit, Task Instances.can_edit tries to mark taskInstance state as failed/success.

Open sreenusuuda opened this issue 1 year ago • 1 comments

Apache Airflow version

2.8.1

If "Other Airflow 2 version" selected, which one?

No response

What happened?

  • Received 403 error when user having DAGs.can_edit, Task Instances.can_edit tries to mark taskInstance state as failed/success.

What you think should happen instead?

Able to mark taskInstance state as failed/success if user has dagRuns.update permission too. Is it documentation issue?

How to reproduce

  1. Give user DAGs.can_edit, Task Instances.can_edit permissions.
  2. Login with that user and try to mark task instance state as failed/success.

Operating System

mac os

Versions of Apache Airflow Providers

No response

Deployment

Docker-Compose

Deployment details

No response

Anything else?

No response

Are you willing to submit PR?

  • [ ] Yes I am willing to submit a PR!

Code of Conduct

sreenusuuda avatar Feb 15 '24 16:02 sreenusuuda

From previous reports I assume this bug report is from tests against API? Or user interface?

Was the DAGrun you updated already finished? Or still running? Because when changing a task state, the DAG state is also implicitly adjusted. Therefore the DAG update permissions are needed. Objects DagRun and TaskInstance and API operations are individually protected via access control rules.

Do you have a "real issue" with this behavior or are you just PEN-testing API and want to have the documentation clear?

jscheffl avatar Feb 20 '24 22:02 jscheffl

It's from the User Interface. Just wanted to have the documentation clear.

sreenusuuda avatar Feb 23 '24 13:02 sreenusuuda

Please take a look at the logs (as Deployment Manager) and see what the detailed permission error says and report it here. For me it's not clear what documentation you are referring to, and what exactly is wrong, but I am sure we will all get more clarity when you provide some details from the logs and information explained there.

It might be a bug in this case but it's not clear what permission is the problem - the log might be more verbose about it. Would also be great if you explain what your high-level expectations are. The model of ours is pretty fine grained and if you want to go into details and give detailed permissions it is expected from you that you understand in detail how the airflow data model works (https://airflow.apache.org/docs/apache-airflow/stable/database-erd-ref.html) and what fine-grained permissions you should give. We are not providing more detailed documentation on that, it's up to you to deep dive if you choose to use such fine-grained permissions. I think in this case your user misses the dagrun permission, but I am guessing - the logs should provide more information (and you should be able to figure it out from the model).

Also as explained in other issues of yours - your expectation that a user who does not have permission will see more information is misguided. In case of security and permission issues it's deliberate that as little information as possible is revealed and only the Deployment Manager should be able to get more information by looking at the logs. Again - this is deliberate, designed like that and we are not going to change it. In this case security trumps convenience - you might have different expectations here, but we choose security over convenience.

potiuk avatar Feb 23 '24 16:02 potiuk
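The two points made above (marking a task instance also touches the DagRun, so each protected object is checked separately, and the caller only ever sees a bare 403 while the detailed reason lands in the server log) can be modelled in a few lines. This is an added illustration, not Airflow's own authorization code; the resource and action names follow Airflow's permission naming, and the assumption that `("can_edit", "DAG Runs")` is the missing permission is taken from jscheffl's explanation, not from an actual log line.

```python
"""Toy model of per-resource access checks for "mark task instance state".
Added example, not Airflow's own code. The rule that a DAG Runs edit
permission is required is an assumption drawn from the thread above."""
import logging
from typing import FrozenSet, Tuple

Permission = Tuple[str, str]  # (action, resource), e.g. ("can_edit", "DAGs")

# Marking a task instance failed/success writes the TaskInstance row and, because
# the DAG run state is recomputed from its tasks, the DagRun row as well. Each
# object is protected independently, so the union of permissions is required.
REQUIRED_FOR_SET_TI_STATE: FrozenSet[Permission] = frozenset({
    ("can_edit", "DAGs"),
    ("can_edit", "Task Instances"),
    ("can_edit", "DAG Runs"),  # assumption: the "DAG update permission" from the thread
})

log = logging.getLogger("airflow.www.security")  # constructed logger name


def missing_permissions(granted: FrozenSet[Permission]) -> FrozenSet[Permission]:
    """Return the required permissions the role lacks (empty set = allowed)."""
    return REQUIRED_FOR_SET_TI_STATE - granted


def set_task_instance_state(user: str, granted: FrozenSet[Permission]) -> Tuple[int, str]:
    """Simulate the endpoint: the caller receives only a status and a generic
    message; the specific missing permission is written to the server log,
    where only the Deployment Manager can read it."""
    missing = missing_permissions(granted)
    if missing:
        log.warning("user %s denied set_task_instance_state; missing %s",
                    user, sorted(missing))
        return 403, "Forbidden"
    return 200, "OK"


# Constructed roles for the two cases discussed in the thread.
REPORTER_ROLE: FrozenSet[Permission] = frozenset({("can_edit", "DAGs"),
                                                 ("can_edit", "Task Instances")})
FIXED_ROLE: FrozenSet[Permission] = REPORTER_ROLE | {("can_edit", "DAG Runs")}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(set_task_instance_state("alice", REPORTER_ROLE))  # (403, 'Forbidden')
    print(set_task_instance_state("alice", FIXED_ROLE))     # (200, 'OK')
```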

Converting it to a discussion for now, as we need input from @sreenusuuda - we can always convert it to an issue back if we find there is an issue.

BTW. Just in case, since you are doing a lot around security and permissions @sreenusuuda - if you think that there is an issue that might be a security issue, you should NOT report it here in public issues nor discussions. In case you suspect potential security issue, you should follow our security policy https://github.com/apache/airflow/security/policy to responsibly disclose such issues.

Just want to make sure that this is clear.

potiuk avatar Feb 23 '24 16:02 potiuk