New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Import errors thrown by *new* DAGs are hidden from RBAC users' web ui #24742
Comments
Thanks for opening your first issue here! Be sure to follow the issue template! |
Hmm this is difficult. Since the file cannot be parsed, a DAG can never be produced, and thus the associated ImportError cannot have a valid Perhaps we should add a new interface on the security manager, say |
I think, personally, this problem is simply part of multi-tenancy in the future. I think for now custom security manager doing stuff in custom way is enough, because we have no concept of "team" and per-team acces. This is all implemented by a custom security manager if somoene wishes to do it (and yeah, it is complex and workaround). However, I think when/if we implement a "fully fledged" team managemenet and ownership concept in Airfow, we should definitely make it a case to handle. |
Its been a while any idea when this feature will be released ? I need this functionality for multi tenancy use cases in GCP composer. |
The answer is pretty much always the same - It will be implemented, when someone implements it. This is how open-source software works. If somone badly needs a feature in OSS project, and no-one is actually doing it, then they can do various things:
I think following those are some of the ways you can make those things progress. |
I plan to implement a fix for this issue and submit a pr soon, as my team needs it. |
I have written a fix. It will appear in a PR soon. |
hi @jordanbecketmoore ! currently in my organization we have came across with this issue, any progress on this issue yet? |
This issue has been automatically marked as stale because it has been open for 365 days without any activity. There has been several Airflow releases since last activity on this issue. Kindly asking to recheck the report against latest Airflow version and let us know if the issue is reproducible. The issue will be closed in next 30 days if no further activity occurs from the issue author. |
Apache Airflow version
2.3.2 (latest released)
What happened
I wrote a custom security manager that created custom roles for Airflow users based on LDAP mapping. These users would only be given permissions to view, edit, etc. DAGs whose access_control parameters explicitly permitted their role to view. However, it was discovered that if a malformed DAG file was added to the DAG_FOLDER, an import error would be thrown, but none of the users in custom roles would be able to view it in their web ui. A user with a default Viewer or greater role could see the error, however.
Upon further investigation, I found that this occurs due to a filter that is applied here. If a DAG file is scanned for the first time and causes an import error to be thrown, two things happen that prevent the error from passing this filter and showing on the web ui to RBAC users:
What you think should happen instead
It is important for developers to be able to see the traceback of the errors thrown by their DAGs. One of two things needs to be changed - either the way in which import errors are handled is changed to allow these malformed DAGs to pass the filter (i.e. the DAG is added to the database and the appropriate roles are given the appropriate permissions), or the filter itself is changed to allow these import errors to be shown. The former option is, in my opinion, preferable, since it would also allow the web ui to list the DAG, allowing the users to view the code from there. Also, I can't think of a way to pull off the latter.
How to reproduce
Operating System
Amazon Linux 2
Versions of Apache Airflow Providers
No response
Deployment
MWAA
Deployment details
Airflow is deployed on an AWS cluster, with its webserver and scheduler on EC2 instances using celery worker nodes on separate EC2s.
Anything else
I have been able to get around this with a custom security manager that overwrites the create_dag_specific_permissions function. The DagBag is loaded from the DAG_FOLDER instead of the database. Then the security manager iterates over the DagBag's import errors and checks to see if the DagBag contains a DAG whose fileloc is the same as that of the import error. If not, a new DAG object is created with the appropriate fileloc. Regex is used to parse the file to find the dag_id and access_control parameters to add to the new DAG. If the DAG is so malformed that it cannot find these parameters, the security manager generates a random string to serve as the dag_id and sets access_control to explicitly give all custom roles can_view permissions. This new "pseudoDAG" is then added to the DagBag. After all import errors are dealt with, the function is allowed to continue. This function is triggered when the cli command
airflow sync-perm --include-dags
is executed.Are you willing to submit PR?
Code of Conduct
The text was updated successfully, but these errors were encountered: