Some improvements/fixes for dag_run and task_instance endpoints #34942
Oh yeah. Two days ago I noticed the same problems while reviewing #34317. See my comments here: #34317 (comment) and #34317 (comment) (and a few others). This code will go away soon (cc: @vincbeck). But maybe it's worth reconciling the two changes and seeing if all the read->edit changes are the same in both (@hussein-awala and @vincbeck?). It looks like they are all the same. And maybe it makes sense to merge this change first and #34317 afterwards to clearly separate the fix from the Auth manager refactor? And no - I think it should not be treated as a breaking change, the previous settings made really no sense (having access to task_instance while not having access to dag_run was wrong because by changing task_instance state you can impact the state of the dag_run), however we should have a significant note about it.
(also this change is cherry-pickable to 2.7.3, so that's why I think it should be merged first and cherry-picked) - provisionally marked it for 2.7.3.
I just checked the other PR. I agree about merging this first to make the transition to the new permissions checker more clear for the users.
Yep I agree, let's merge this one first and I'll make the change in my PR as well
* Some improvements/fixes for dag_run and task_instance endpoints * Fix tests (cherry picked from commit 84d9940)
This PR updates the required permissions for some endpoints:
* `update_dag_run_state`, `clear_dag_run` and `set_dag_run_note` -> it replaces `can read dag` by `can edit dag`, similar to what we have in the other endpoints (for example the one used to clear TI state)
* `post_clear_task_instances` -> it replaces `can read dagrun` by `can edit dagrun`, because the endpoint accepts a parameter `reset_dag_runs` to reset the dagruns states, which should check for edit on dagrun resource.
* `set_task_instance_note` -> it removes `can read dag` because it is useless, the edit permission should be sufficient

I'm not sure if we consider some of these changes as breaking changes, I can create different PRs if needed.
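
As an added illustration of the permission changes listed above (not code from this PR or from Airflow): a small audit that checks role permission sets against only the permission pairs the description names and reports which roles stop passing, or start passing, each changed check. Role names and contents are constructed, `can edit task instance` is an assumed stand-in for the unnamed edit permission, and requirements the PR leaves unchanged are omitted.

```python
# Added example. Models ONLY the permission pairs named in the PR description;
# any other requirement of these endpoints is unchanged by the PR and left out.
# "can edit task instance" is an assumption for the unnamed "edit permission".

BEFORE = {
    "update_dag_run_state": {"can read dag"},
    "clear_dag_run": {"can read dag"},
    "set_dag_run_note": {"can read dag"},
    "post_clear_task_instances": {"can read dagrun"},
    "set_task_instance_note": {"can read dag", "can edit task instance"},
}
AFTER = {
    "update_dag_run_state": {"can edit dag"},
    "clear_dag_run": {"can edit dag"},
    "set_dag_run_note": {"can edit dag"},
    "post_clear_task_instances": {"can edit dagrun"},
    "set_task_instance_note": {"can edit task instance"},
}

# Constructed roles (hypothetical names and contents) for the audit below.
ROLES = {
    "dag_reader": {"can read dag", "can read dagrun"},
    "ti_editor": {"can edit task instance"},
    "dag_editor": {"can read dag", "can edit dag", "can read dagrun",
                   "can edit dagrun", "can edit task instance"},
}


def allowed(role_perms, required):
    """A role passes a check when it holds every required permission."""
    return required <= role_perms


def audit(roles, before=BEFORE, after=AFTER):
    """Return {role: {"lost": [...], "gained": [...]}} for roles whose result changes."""
    report = {}
    for role, perms in roles.items():
        was = {e for e, req in before.items() if allowed(perms, req)}
        now = {e for e, req in after.items() if allowed(perms, req)}
        if was != now:
            report[role] = {"lost": sorted(was - now), "gained": sorted(now - was)}
    return report


if __name__ == "__main__":
    for role, change in audit(ROLES).items():
        print(f"{role}: lost={change['lost']} gained={change['gained']}")
```

Roles that appear under "lost" were relying on a read permission for a state-changing call and are the ones to review before upgrading.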