We would like to set up DAG specific permissions for users of our Airflow instance. We use LDAP for authentication, and have gotten AUTH_ROLES_MAPPING working correctly. Our issue lies on the Airflow FAB roles side.
In that video, I was instructed to make a copy of the User role, rename it, remove the can read on DAGs and can edit on DAGs permissions, and then add DAG specific permissions to read and edit the specific DAG I want to grant access to. After assigning this role to a user, this works just fine as expected.
Our desired use-case is slightly different. What I would like to do is split these permissions between 2 new roles instead of just one. So, I'd like to make a copy of the User role (let's call it BaseRole) and remove the can edit on DAGs and can delete on DAGs permissions. Then, I would like to make a new empty role (with no permissions) and then add only the DAG specific permissions can read on DAG:<dag-name> and can edit on DAG:<dag-name>. Finally, I'd like to add both of these roles to a user, and I expect the exact same results as in the previous paragraph. However, this does not work. The user is able to turn the DAG on and off, but is unable to view the DAG or perform any actions like running a task.
What you think should happen instead
We should be able to split permissions between 2 different roles rather than requiring a single role to have all appropriate permissions. Functionality with all desired permissions in one role should be identical to those same permissions split between 2 roles.
How to reproduce
Make a copy of the User role (let's call it BaseRole) and remove the can edit on DAGs and can delete on DAGs permissions.
Make a new empty role (with no permissions, let's call it TestRole) and then add only the DAG specific permissions for 1 DAG (can read on DAG:<dag-name> and can edit on DAG:<dag-name>).
Create a new user called TestUser with only the above 2 roles BaseRole and TestRole.
Log into Airflow as the TestUser and try to access the <dag-name> DAG. You should see it in the interface as expected, and will be able to turn it on or off from the homepage, but if you try to click into it to see the tasks, it will fail with Access is denied.
Operating System
Running in Docker on Kubernetes
Versions of Apache Airflow Providers
None relevant to this issue
Deployment
Other 3rd-party Helm chart
Deployment details
We have written a customized Helm chart for our purposes with some extra resources like service accounts and things. We are extending the existing official Airflow Helm chart:
I should note that the reasoning behind our desire for this functionality is so that for new roles, all we have to do is set up the AUTH_ROLES_MAPPING for the new Role and then permissions can be managed directly in DAG code with access_control rather than requiring the manual step of copying a role for every new Role we want.
Apache Airflow version
2.2.4
What happened
I followed the instructions in this YouTube video to set up DAG specific access:
https://www.youtube.com/watch?v=s6TygwvYdN0
Anything else
No response
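As an added example (not part of the issue and not Airflow's own code), the toy model below implements the additive semantics the report expects, where a user's permissions are the union of the grants of all their roles, and compares the single-role setup from the video with the BaseRole plus TestRole setup. The `USER` subset, `example_dag` and `other_dag` are constructed stand-ins; under this model both setups allow read and edit on the target DAG, and the remaining differences come from BaseRole keeping the global can read on DAGs while the single-role copy keeps can delete on DAGs.

```python
# Toy model of additive RBAC (a user's permissions are the union of their
# roles' permissions). It is NOT Airflow's security manager.
USER = frozenset({                      # constructed stand-in for the stock User role
    ("can_read", "DAGs"), ("can_edit", "DAGs"), ("can_delete", "DAGs"),
    ("can_read", "Task Instances"),
})
TARGET = "example_dag"                  # placeholder for <dag-name>
DAG_LEVEL = frozenset({("can_read", f"DAG:{TARGET}"), ("can_edit", f"DAG:{TARGET}")})

# Setup from the video: one role, global read/edit removed, DAG-level added.
SINGLE_ROLE = (USER - {("can_read", "DAGs"), ("can_edit", "DAGs")}) | DAG_LEVEL
# Setup from the report: BaseRole (global edit/delete removed) plus TestRole.
BASE_ROLE = USER - {("can_edit", "DAGs"), ("can_delete", "DAGs")}
TEST_ROLE = DAG_LEVEL


def effective(*roles):
    """Union of all permissions granted by the given roles."""
    return frozenset().union(*roles)


def allowed(perms, action, dag_id):
    """A global grant on "DAGs" covers every DAG; "DAG:<id>" covers one."""
    return (action, "DAGs") in perms or (action, f"DAG:{dag_id}") in perms


def decisions(perms, dag_ids, actions=("can_read", "can_edit", "can_delete")):
    """Decision matrix {(action, dag_id): bool} for a permission set."""
    return {(a, d): allowed(perms, a, d) for a in actions for d in dag_ids}


def diff(left, right):
    """Checks on which two decision matrices disagree, as {check: (left, right)}."""
    return {k: (left[k], right[k]) for k in left if left[k] != right[k]}


if __name__ == "__main__":
    dags = [TARGET, "other_dag"]
    single = decisions(effective(SINGLE_ROLE), dags)
    split = decisions(effective(BASE_ROLE, TEST_ROLE), dags)
    for check, (one, two) in sorted(diff(single, split).items()):
        print(check, "single-role:", one, "split-roles:", two)
```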