diff --git a/airflow/providers/fab/auth_manager/security_manager/override.py b/airflow/providers/fab/auth_manager/security_manager/override.py index 901193386b49d2..0757f57234f196 100644 --- a/airflow/providers/fab/auth_manager/security_manager/override.py +++ b/airflow/providers/fab/auth_manager/security_manager/override.py @@ -203,7 +203,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2): # [START security_viewer_perms] VIEWER_PERMISSIONS = [ - (permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG), (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG), (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_DEPENDENCIES), (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_CODE), @@ -233,7 +232,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2): (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_DOCS), (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_DOCS_MENU), (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_JOB), - (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_AUDIT_LOG), (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_PLUGIN), (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_SLA_MISS), (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_TASK_INSTANCE), @@ -281,6 +279,8 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2): # [START security_admin_perms] ADMIN_PERMISSIONS = [ + (permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG), + (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_AUDIT_LOG), (permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_RESCHEDULE), (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_TASK_RESCHEDULE), (permissions.ACTION_CAN_READ, permissions.RESOURCE_TRIGGER), diff --git a/docs/apache-airflow/security/security_model.rst b/docs/apache-airflow/security/security_model.rst index dfc67dbac56265..329e54670b9b65 100644 --- a/docs/apache-airflow/security/security_model.rst +++ b/docs/apache-airflow/security/security_model.rst @@ -106,11 +106,13 @@ sensitive information accessible through connection configuration. They also have the ability to create a Webserver Denial of Service situation and should be trusted not to misuse this capability. +Only admin users have access to audit logs. + Operations users ................ The primary difference between an operator and admin is the ability to manage and grant permissions -to other users - only admins are able to do this. Otherwise assume they have the same access as an admin. +to other users, and access audit logs - only admins are able to do this. Otherwise assume they have the same access as an admin. Connection configuration users .............................. @@ -134,6 +136,14 @@ Regular users They can view and interact with the UI and API. They are able to view and edit DAGs, task instances, and DAG runs, and view task logs. +Viewer users +............ + +They can view information related to DAGs, in a read only fashion, task logs, and other relevant details. +This role is suitable for users who require read-only access without the ability to trigger or modify DAGs. + +Viewers also do not have permission to access audit logs. + For more information on the capabilities of authenticated UI users, see :doc:`apache-airflow-providers-fab:auth-manager/access-control`. Capabilities of DAG Authors diff --git a/newsfragments/37501.significant.rst b/newsfragments/37501.significant.rst new file mode 100644 index 00000000000000..0fe82850b38893 --- /dev/null +++ b/newsfragments/37501.significant.rst @@ -0,0 +1,9 @@ +The audit_logs permissions have been updated for heightened security. + +This was done under the policy that we do not want users like Viewer, Ops, +and other users apart from Admin to have access to audit_logs. The intention behind +this change is to restrict users with less permissions from viewing user details +like First Name, Email etc. from the audit_logs when they are not permitted to. + +The impact of this change is that the existing users with non admin rights won't be able +to view or access the audit_logs, both from the Browse tab or from the DAG run.