Fix dag_id extraction for dag level access checks in web ui #23015
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Properly extract dag_id from post form or json body for dag level access permissions.
Added test case for dag level access. Fixed test_success_fail_for_read_only_task_instance_access to succeed due to the right reasons.
npodewitz
requested review from
ryanahamilton,
ashb and
bbovenzi
as code owners
|
Looks legit and simple enough to be included 2.3.0. LGTM but need somone who knows more about the UI and permissions. |
potiuk
approved these changes
Apr 25, 2022
github-actions
bot
added
the
okay to merge
|
The PR is likely OK to be merged with just subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest main or amend the last commit of the PR, and push it with --force-with-lease. |
ashb
approved these changes
Apr 25, 2022
|
Awesome work, congrats on your first merged pull request! |
|
Thanks @npodewitz! Congrats on your first commit 🎉 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Dag level permissions are not checked properly if a post request is sent from within the web ui (i.e. clear a task or dag run). If a user has can_read on any dag any operation that involves a post request is allowed even though the user does not have the can_write permission for this dag as far as the appropriate other permissions like edit_task_instance or edit_dag_run were granted. This is caused by the dag_id being extracted from
request.argswhich only exists for get requests (i.e. change the status of a task). OtherwiseNoneis used as dag_id inappbuilder.sm.check_authorizationwhich essentially leads to ignoring the dag level access permissions.I added two new tests for this specific issue.
While writing the tests I fixed a small issue in another test (
test_success_fail_for_read_only_task_instance_access) that resulted in the test succeeding although not for the reason that is under test here.This PR is a follow up to #21797 as discussed there and addresses the first issue.
At last let me thank you all again for your great work!