apache
DAG-level permissions for `/dags/{dag_id}/clearTaskInstances` is incorrect
What do you see as an issue?
The documentation on DAG level permissions states that the permissions DAGs.can_edit, DAG Runs.can_read, Task Instances.can_edit are required for the endpoint /dags/{dag_id}/clearTaskInstances.
Solving the problem
The permissions for the endpoint /dags/{dag_id}/clearTaskInstances are DAGs.can_edit, DAG Runs.can_edit, Task Instances.can_edit. The method is also "PUT" not "POST".
In Airflow 2.8.0, the clear endpoint updated (see PR) to use the requires_access_dag function which leverages is_authorized_dag. More importantly, the SAME resource method is used to check against each resource entity. The clear method passes the "PUT" resource method which translates to "ACTION_CAN_EDIT".
The logic translates to requiring the following permissions. (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG) (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG_RUN) (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_TASK_INSTANCE)
Anything else
I did not check the other DAG level permissions. I recommend verifying each entry.
Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
