Fix inconsitencies in checking edit permissions for a DAG

[kaxil]

We were short-circuting permission in the views instead of letting the security manager handle that. A user will find it inconsistent as the Graph and other views check "per-dag" permissions via

airflow/airflow/www/views.py

Line 579 in 1746819

dag.can_edit = current_app.appbuilder.sm.can_edit_dag(dag.dag_id)

so if someone uses Custom Security Manager that will end up with user not being able to "pause" DAG from individual dag page but would be able to do so from Homepage. This PR fixes this inconsistency and gives back this responsibility of permissions to security manager instead if Views.

---

^ Add meaningful description above

Read the Pull Request Guidelines for more information.
In case of fundamental code change, Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in UPDATING.md.

[bbovenzi]

This looks right to me but I had issues with my local setup to test nor is python my strong suit.

[jedcunningham]

Fwiw, this isn't how permissions are documented:
https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html#dag-level-permissions

Have we tried this in an instance with a large number of DAGs?

[kaxil]

Fwiw, this isn't how permissions are documented: https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html#dag-level-permissions

Have we tried this in an instance with a large number of DAGs?

current_app.appbuilder.sm.get_editable_dag_ids(g.user) logically does the same thing what existed before the PR change too -- however instead of checking the permission in the view, it hands of the permissions of doing it to the Security Manager. So if you have "can_edit" permission on the "DAG" resource, a user will by default still be able to edit/pause all the dags.

re: Optimization -- we have a short-circuit too, i.e. as soon as we find "can_edit" on "DAG" we return, check the following source:

Source Code:

airflow/airflow/www/security.py

Lines 288 to 290 in fc0fb22

	def get_editable_dag_ids(self, user) -> Set[str]:
	"""Gets the DAG IDs editable by authenticated user."""
	return self.get_accessible_dag_ids(user, [permissions.ACTION_CAN_EDIT])

airflow/airflow/www/security.py

Lines 320 to 322 in fc0fb22

	resource = permission.resource.name
	if resource == permissions.RESOURCE_DAG:
	return {dag.dag_id for dag in session.query(DagModel.dag_id)}

[jedcunningham]

I'm just saying that, regardless of what security manager is in use, global can_edit should be expected to give edit on all DAGs. We shouldn't assume all things will use get_editable_dags_ids. Maybe we add a new can_edit_all_dags as a consistent way to check for that (and that assumption-breaking security managers can always return as false)?

It'll eventually short-circuit, but in the worst case scenario what impact do we have by not using the more efficient short circuit?

[kaxil]

Add generic all read and all edit function

What do you think about - 66a7033?

[jedcunningham]

Looks good.

[github-actions]

The PR is likely OK to be merged with just subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest main or amend the last commit of the PR, and push it with --force-with-lease.

[uranusjr]

Another test error is

sqlalchemy.orm.exc.DetachedInstanceError: Parent instance <Permission at 0x7efe63460b10>
is not bound to a Session; lazy load operation of attribute 'action' cannot proceed

It’s emitted from get_current_user_permissions, but I’m struggling to find where this PR changed could cause this incorrect join.

[joshuayeung]

Should we make the can_create_dag_run also handled by the security manager?

[eladkal]

Do we want to include this in 2.3.1?

[jedcunningham]

Too late for 2.3.1 I'm afraid.

[jedcunningham]

@kaxil, looks like we lost changes when this happened: e20e8f6 to ea7f928

Kicking this to 2.3.4, but we can pull it back if this gets done soon enough.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions.

[kaxil]

Yeah still needed

[kaxil]

I will try to get to it in next couple of weeks but if I don't get to it feel free to take-over / close PR -- it is a minor one

[ephraimbuddy]

cc: @kaxil

[potiuk]

Needs rebase I am afraid.