Access control error after upgrading from version 2.9.3 to 2.10.0

[FelipeRamos-neuro]

Apache Airflow version

Other Airflow 2 version (please specify below)

If "Other Airflow 2 version" selected, which one?

2.10.0

What happened?

After upgrading my Airflow deployment to the latest version, I noticed many DAG Import Errors mentioning access control

What you think should happen instead?

I have always created my dags with similar permissions such as these: {"EXAMPLE":["can_read","can_edit"]}, on access_control. Unless the documentation hasn't been updated yet, it should still work as intended.

How to reproduce

Deployment with Airflow 2.10.0 with Python 3.10 and with a dag created with similar access_control: {"EXAMPLE":["can_read","can_edit"]}

Operating System

Amazon Linux 2

Versions of Apache Airflow Providers

apache-airflow-providers-amazon==8.27.0
apache-airflow-providers-cncf-kubernetes==8.3.4
apache-airflow-providers-common-compat==1.1.0
apache-airflow-providers-common-io==1.4.0
apache-airflow-providers-common-sql==1.15.0
apache-airflow-providers-fab==1.2.2
apache-airflow-providers-ftp==3.10.1
apache-airflow-providers-http==4.12.0
apache-airflow-providers-imap==3.6.1
apache-airflow-providers-mysql==5.6.3
apache-airflow-providers-postgres==5.11.3
apache-airflow-providers-smtp==1.7.1
apache-airflow-providers-sqlite==3.8.2

Deployment

Official Apache Airflow Helm Chart

Deployment details

No response

Anything else?

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[FelipeRamos-neuro]

Some prints I forgot to add to the issue

[joaopamaral]

Hey @FelipeRamos-neuro, I was able to reproduce the error. I'll open the PR to fix it.

[joaopamaral]

FYI, the error is that we are changing the access_control format (to include the resource name) in airflow 2.10, but old FAB version doesn't know how to handle it. I'll include in the PR to send the new format only if the FAB version can deal the new format.

airflow/airflow/models/dag.py

Lines 937 to 948 in 8c2f563

	updated_access_control = {}
	for role, perms in access_control.items():
	updated_access_control[role] = updated_access_control.get(role, {})
	if isinstance(perms, (set, list)):
	# Support for old-style access_control where only the actions are specified
	updated_access_control[role][permissions.RESOURCE_DAG] = set(perms)
	else:
	updated_access_control[role] = perms
	if permissions.RESOURCE_DAG in updated_access_control[role]:
	updated_access_control[role][permissions.RESOURCE_DAG] = {
	update_old_perm(perm) for perm in updated_access_control[role][permissions.RESOURCE_DAG]
	}