DAG specific permissions cannot be split between 2 roles #24739

Open
1 of 2 tasks
thetaiter opened this issue Jun 29, 2022 · 3 comments

thetaiter commented Jun 29, 2022

Apache Airflow version

2.2.4

What happened

We would like to set up DAG specific permissions for users of our Airflow instance. We use LDAP for authentication, and have gotten AUTH_ROLES_MAPPING working correctly. Our issue lies on the Airflow FAB roles side.

I followed the instructions in this YouTube video to set up DAG specific access:
https://www.youtube.com/watch?v=s6TygwvYdN0

In that video, I was instructed to make a copy of the User role, rename it, remove the can read on DAGs and can edit on DAGs permissions, and then add DAG specific permissions to read and edit the specific DAG I want to grant access to. After assigning this role to a user, this works just fine as expected.

Our desired use-case is slightly different. What I would like to do is split these permissions between 2 new roles instead of just one. So, I'd like to make a copy of the User role (let's call it BaseRole) and remove the can edit on DAGs and can delete on DAGs permissions. Then, I would like to make a new empty role (with no permissions) and then add only the DAG specific permissions can read on DAG:<dag-name> and can edit on DAG:<dag-name>. Finally, I'd like to add both of these roles to a user, and I expect the exact same results as in the previous paragraph. However, this does not work. The user is able to turn the DAG on and off, but is unable to view the DAG or perform any actions like running a task.

What you think should happen instead

We should be able to split permissions between 2 different roles rather than requiring a single role to have all appropriate permissions. Functionality with all desired permissions in one role should be identical to those same permissions split between 2 roles.

How to reproduce

  1. Make a copy of the User role (let's call it BaseRole) and remove the can edit on DAGs and can delete on DAGs permissions.
  2. Make a new empty role (with no permissions, let's call it TestRole) and then add only the DAG specific permissions for 1 DAG (can read on DAG:<dag-name> and can edit on DAG:<dag-name>).
  3. Create a new user called TestUser with only the above 2 roles BaseRole and TestRole
  4. Log into Airflow as the TestUser and try to access the <dag-name> DAG. You should see it in the interface as expected, and will be able to turn it on or off from the homepage, but if you try to click into it to see the tasks, it will fail with Access is denied.

Operating System

Running in Docker on Kubernetes

Versions of Apache Airflow Providers

None relevant to this issue

Deployment

Other 3rd-party Helm chart

Deployment details

We have written a customized Helm chart for our purposes with some extra resources like service accounts and things. We are extending the existing official Airflow Helm chart:

dependencies:
- name: airflow
  version: 1.5.0
  repository: https://airflow.apache.org/

Anything else

No response

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

Code of Conduct

thetaiter added the area:core and kind:bug labels Jun 29, 2022
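
The expectation stated in the report, that permissions split across two roles behave like the same permissions held in one role, can be written as a checkable property. This is an added example, not code from the issue and not Airflow or Flask-AppBuilder code: it is a toy model in which the DAG id `example_dag`, the `CombinedRole` name, the permission subset and the per-action requirements are all assumptions.

```python
# Toy RBAC model (added example; not Airflow or Flask-AppBuilder code).
DAG_ID = "example_dag"  # constructed stand-in for <dag-name>

# Constructed subset of the non-DAG permissions a User-like role might hold.
BASE = frozenset({
    ("can_read", "Task Instances"),
    ("can_create", "DAG Runs"),
})
DAG_SPECIFIC = frozenset({
    ("can_read", f"DAG:{DAG_ID}"),
    ("can_edit", f"DAG:{DAG_ID}"),
})
ROLES = {
    "CombinedRole": BASE | DAG_SPECIFIC,  # everything in one role
    "BaseRole": BASE,                     # split: shared permissions only
    "TestRole": DAG_SPECIFIC,             # split: per-DAG grants only
}

def effective_permissions(role_names):
    """Union of the permissions of every role assigned to the user."""
    perms = set()
    for name in role_names:
        perms |= ROLES[name]
    return perms

def is_authorized(role_names, required, dag_id=None):
    """True if every required (action, resource) pair is held."""
    held = effective_permissions(role_names)
    for action, resource in required:
        if (action, resource) in held:
            continue
        # A requirement on the global "DAGs" resource is also met by the
        # matching DAG-specific permission for the DAG being accessed.
        if resource == "DAGs" and dag_id and (action, f"DAG:{dag_id}") in held:
            continue
        return False
    return True

# Assumed requirements for three UI actions (illustrative, not Airflow's list).
REQUESTS = {
    "toggle_pause": [("can_edit", "DAGs")],
    "view_dag": [("can_read", "DAGs"), ("can_read", "Task Instances")],
    "trigger_run": [("can_edit", "DAGs"), ("can_create", "DAG Runs")],
}

def decisions(role_names, dag_id):
    """Authorization result for each modelled action on one DAG."""
    return {n: is_authorized(role_names, r, dag_id) for n, r in REQUESTS.items()}
```

Comparing `decisions(["CombinedRole"], DAG_ID)` with `decisions(["BaseRole", "TestRole"], DAG_ID)` gives a regression check for the behaviour requested here; the same comparison can be run against a real deployment by replacing the model with calls to its authorization layer.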

boring-cyborg bot commented Jun 29, 2022

Thanks for opening your first issue here! Be sure to follow the issue template!

thetaiter (Author) commented

I should note that the reasoning behind our desire for this functionality is so that for new roles, all we have to do is set up the AUTH_ROLE_MAPPING for the new Role and then permissions can be managed directly in DAG code with access_control rather than requiring the manual step of copying a role for every new Role we want.

uranusjr added the kind:feature and area:auth labels and removed the kind:bug and area:core labels Jun 30, 2022
potiuk (Member) commented Jul 4, 2022

This is unlikely to be handled before we get multitenancy implemented.
