Make pause DAG its own role separate from edit DAG

[herlambang]

Add ability to pause DAGs as separate role from edit.

Use cases

Giving users ability to running DAGs without having the ability to pause it. Also to prevent users to easily/accidentally suspend DAGs.

Scopes

• Admin UI
• API

Changes

• add ACTION_CAN_PAUSE ("can_pause") in security permissions
• set can_pause as part of accessible dag in security manager
• add can_pause dag as part of default USER_PERMISSIONS in security manager
• add function to check if user eligible to pause all/specific dags in security manager
• disable toggle Pause/Unpause DAG in home page if user is not eligible for can_pause dag
• disable toggle Pause/Unpause DAG in detail dag page if user is not eligible for can_pause dag
• disable toggle Unpause DAG when triggered in trigger form if user is not eligible for can_pause dag
• change access permission to /paused from ACTION_CAN_EDIT to ACTION_CAN_PAUSE on main view
• change access permission on patch /dags/<dag-id> and /dags from ACTION_CAN_EDIT to ACTION_CAN_PAUSE on API end point
• add can_pause on DAG Level Role access control documentation
• add migration, append can_pause permission to roles that have can_edit dag(s) permission
• add tests

closes: #22317

---

^ Add meaningful description above

Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in newsfragments.

[ashb]

What is edit dag role used for if not pause?

[herlambang]

To trigger Dag Run, combine with dag_run can_create

[potiuk]

I think it looks good in principle, but if I understand it correctly, it is heavily breaking change and it should have support to migrate existing permission that will work in general case.

If I understand it - someone who currently has "CAN_EDIT" role will suddenly not be able to pause dags.

In other words people who could pause dags, will suddenly loose this capability without a warning?

If so, then this is a breaking change and we need to make sure that backwards compatibility is maintained. At the minimum level every role that currently has CAN_EDIT role should have CAN_PAUSE assigned during the migration.

We have to remember, that our users could have their roles assigned in arbitrary way so making sure that ADMIN user has all the permissions is not enough, because our users could have different roles defined on their own.

[herlambang]

Hi @potiuk , thanks for the feedback.
I added a migration and adjust the security manager to keep the ability of pausing DAGs with current can_edit permission.
Documentation also added and tests also adjusted.
Looking forward for further review, thanks.

(Sorry for my bad on pushing dirty commit after rebase, added several people as reviewers 🙏 )

[potiuk]

I'd need others to take a look if that change makes sense.

[potiuk]

Anyone else wants to chime in ? (and @herlambang -> you will need ot rebase and fix the conflict).

[herlambang]

(and @herlambang -> you will need ot rebase and fix the conflict).

on it!

Changes added in description, probably to make it more appealing to read

[potiuk]

Anyone here who is more into permissions? @jhtimmins @ephraimbuddy maybe ? :)

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions.

[aru-trackunit]

@herlambang I love the work you've done so far. Looking forward to test it!

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions.