
DAG-Level Access Control - Ability to set more permissions


Description

Currently there are only two permissions that can be set on a DAG level:

dag_config.access_control: SomeAirflowRole: ['can_read', 'can_edit']

We would like to have an option to set additional permissions in this access_control parameter, so SomeAirflowRole can have full user access only to the specific DAG (delete it, run/clear/manage DAGRuns + TaskInstances, etc.).

Use case / motivation

We’ve tried to create a custom role for a team, so they can manage ONLY their DAGs (in full user control), but at the same time this team also needs to have a Viewer role so they can see all the DAGs in the environment.

What we’ve observed is that Airflow currently doesn’t provide an option to set permissions for a specific DAG that will achieve our desired goal.

We’ve observed two different sides of this problem:

  • Permission can_edit is not sufficient for full user control access - Task Instances, DAG Run and DAG deletion permissions cannot be set on a specific DAG level.
  • If we set these permissions on a global level, full user control actions are no longer limited for a specific DAG, so this whole security feature will become pointless.

Example:

A user from a specific team needs to have full user access to specific DAGs, but at the same time needs to be able to view all the other DAGs. The only way to achieve this is to give the user can_read permission on all DAGs (so that he can see all of the DAGs), can_edit permission on HIS DAGs, and to give him permissions to create/edit/delete both Task Instances and DAG Runs (these can only be set on a global level). This way, the user will see all DAGs, but should only be able to work with DAGs that are his own.

However, some actions within Airflow only require dag.can_read permission in combination with permissions on DAG Runs / Task Instances - for example, to Clear a DAG Run, the required permissions are only DAGs.can_read and TaskInstances.can_delete. As such, the user will be able to perform this action on any DAG that he can see - which means he will be able to perform this action (and other similar actions) on ALL DAGs.
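To make the gap concrete, here is a small model of the permission check described above. It is an added illustration, not Airflow's own code; the role names, DAG ids and the contrasting "edit_dag" requirement are constructed assumptions. It shows that once TaskInstances.can_delete is granted globally, "Clear DAG Run" becomes possible on every DAG the user can read, while can_edit stays scoped to the team's own DAG.

```python
from dataclasses import dataclass

# Constructed model of the issue's permission gap (illustration, not Airflow code).
# Per-DAG actions come from each DAG's access_control mapping; DAG Run and
# Task Instance actions can only be granted globally on a role, as the issue states.

@dataclass(frozen=True)
class Role:
    name: str
    global_perms: frozenset  # (resource, action) pairs that apply to every DAG

# access_control as each DAG definition would declare it (constructed sample).
DAG_ACCESS_CONTROL = {
    "team_a_etl": {"TeamA": {"can_read", "can_edit"}},
    "team_b_etl": {"TeamB": {"can_read", "can_edit"}},
    "finance_report": {},  # no per-DAG grant at all
}

# Requirements quoted in the issue for "Clear DAG Run"; "edit_dag" is an
# assumed contrasting action that needs the per-DAG can_edit permission.
ACTION_REQUIREMENTS = {
    "clear_dag_run": {("DAGs", "can_read"), ("TaskInstances", "can_delete")},
    "edit_dag": {("DAGs", "can_edit")},
}

# Viewer sees every DAG; TeamA gets the global grants the issue says are unavoidable.
VIEWER = Role("Viewer", frozenset({("DAGs", "can_read")}))
TEAM_A = Role("TeamA", frozenset({("TaskInstances", "can_delete"), ("DagRuns", "can_create")}))

def effective_perms(roles, dag_id):
    """(resource, action) pairs the user holds when acting on dag_id."""
    have = set()
    for role in roles:
        have |= role.global_perms  # global grants are not scoped to a DAG
        for action in DAG_ACCESS_CONTROL.get(dag_id, {}).get(role.name, ()):
            have.add(("DAGs", action))
    return have

def can_perform(roles, action, dag_id):
    return ACTION_REQUIREMENTS[action] <= effective_perms(roles, dag_id)

def dags_allowing(roles, action):
    """Audit helper: every DAG on which this role set can perform `action`."""
    return sorted(d for d in DAG_ACCESS_CONTROL if can_perform(roles, action, d))

if __name__ == "__main__":
    user = [VIEWER, TEAM_A]
    print("edit_dag      ->", dags_allowing(user, "edit_dag"))       # only team_a_etl
    print("clear_dag_run ->", dags_allowing(user, "clear_dag_run"))  # all three DAGs
```

Running dags_allowing over a real role set is a cheap audit: any DAG that appears for a destructive action but not for edit_dag is exactly the over-reach the issue describes.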

Related Issues

https://github.com/apache/airflow/pull/16634

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

2 reactions
Jorricks commented, Jul 22, 2021

Hey @juroVee,

Happy to hear that! Lets hope it gets merged 😃

I like your suggestion for the can_delete option. I will have a look at that and see how I can add some granularity there.

Edit: I think you can already customise who is able to delete DAGs 😃

2 reactions
juroVee commented, Jul 2, 2021

@uranusjr yes you are right, we didn’t notice that, sorry. Can we maybe link these issues somehow and close this one? Thanks.
