Update permission docs (#36120)
Add admin permission too on the page and fix some typos
pankajastro committed Dec 17, 2023
1 parent c884f3c commit f7f7183
Showing 2 changed files with 26 additions and 11 deletions.
Expand Up @@ -278,6 +278,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
]
# [END security_op_perms]

# [START security_admin_perms]
ADMIN_PERMISSIONS = [
(permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_RESCHEDULE),
(permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_TASK_RESCHEDULE),
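Review bot: the region opened by "# [START security_admin_perms]" will be rendered in the docs starting at the TASK_RESCHEDULE entries, with nothing in the snippet saying it is layered on another role's list. Add a one-line comment directly under the START marker stating that these entries are in addition to the Op permissions (as the new Admin section in access-control.rst says), so the included block is not read as the complete Admin grant. The marker name also has to stay identical to the ":start-after:" value in the .rst, so a note to that effect next to the marker would save a broken docs build later.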
Expand All @@ -288,6 +289,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
(permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
(permissions.ACTION_CAN_EDIT, permissions.RESOURCE_ROLE),
]
# [END security_admin_perms]

###########################################################################
# DEFAULT ROLE CONFIGURATIONS
35 changes: 24 additions & 11 deletions docs/apache-airflow/security/access-control.rst
Expand Up @@ -38,11 +38,6 @@ By default, only ``Admin`` users can configure/alter permissions for roles. Howe
it is recommended that these default roles remain unaltered, and instead ``Admin`` users
create new roles with the desired permissions if changes are necessary.

Admin
^^^^^
``Admin`` users have all possible permissions, including granting or revoking permissions from
other users.

Public
^^^^^^
``Public`` users (anonymous) don't have any permissions.
Expand Down Expand Up @@ -74,6 +69,16 @@ Op
:start-after: [START security_op_perms]
:end-before: [END security_op_perms]

Admin
^^^^^
``Admin`` users have all possible permissions, including granting or revoking permissions from
other users. ``Admin`` users have ``Op`` permission plus additional permissions:

.. exampleinclude:: /../../airflow/providers/fab/auth_manager/security_manager/override.py
:language: python
:start-after: [START security_admin_perms]
:end-before: [END security_admin_perms]

Custom Roles
'''''''''''''

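Review bot: in the new Admin paragraph, "have all possible permissions" and "have ``Op`` permission plus additional permissions:" pull in different directions. The first is unbounded, while the second introduces an enumerated list that someone doing an access review may take as exhaustive. Suggest keeping one framing, for example "``Admin`` users have all ``Op`` permissions plus the following:", and making "permission" plural in either case.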
Expand Down Expand Up @@ -152,12 +157,12 @@ Endpoint
/importErrors/{import_error_id} GET ImportError.can_read Viewer
/health GET None Public
/version GET None Public
/pools GET Pool.can_read Op
/pools POST Pool.can_create Op
/pools/{pool_name} DELETE Pool.can_delete Op
/pools/{pool_name} GET Pool.can_read Op
/pools/{pool_name} PATCH Pool.can_edit Op
/providers GET Provider.can_read Op
/pools GET Pools.can_read Op
/pools POST Pools.can_create Op
/pools/{pool_name} DELETE Pools.can_delete Op
/pools/{pool_name} GET Pools.can_read Op
/pools/{pool_name} PATCH Pools.can_edit Op
/providers GET Providers.can_read Op
/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances GET DAGs.can_read, DAG Runs.can_read, Task Instances.can_read Viewer
/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id} GET DAGs.can_read, DAG Runs.can_read, Task Instances.can_read Viewer
/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/links GET DAGs.can_read, DAG Runs.can_read, Task Instances.can_read Viewer
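Review bot: the /importErrors/{import_error_id} context row at the top of this hunk still reads ImportError.can_read while the rows being corrected move to plural names (Pools, Providers). Please confirm the singular form matches the resource name as registered, and fix it in the same pass if not, since this table is what people copy from when building a custom role and a wrong name here leads to a role that silently lacks the intended access.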
Expand All @@ -173,7 +178,15 @@ Endpoint
/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/xcomEntries/{xcom_key} GET DAGs.can_read, DAG Runs.can_read, Viewer
Task Instances.can_read, XComs.can_read
/users GET Users.can_read Admin
/users POST Users.can_create Admin
/users/{username} GET Users.can_read Admin
/users/{username} PATCH Users.can_edit Admin
/users/{username} DELETE Users.can_delete Admin
/roles GET Roles.can_read Admin
/roles POST Roles.can_create Admin
/roles/{role_name} GET Roles.can_read Admin
/roles/{role_name} PATCH Roles.can_edit Admin
/roles/{role_name} DELETE Roles.can_delete Admin
================================================================================== ====== ================================================================= ============


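Review bot: the added /users and /roles rows list can_create and can_delete, but the only RESOURCE_ROLE entries visible in the ADMIN_PERMISSIONS hunk of override.py are ACTION_CAN_READ and ACTION_CAN_EDIT. Since that list is now included verbatim in the Admin section, check that create and delete for Users and Roles appear in it (they may sit above the visible context) so the endpoint table and the rendered permission list agree on what only Admin can do.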