Fix inconsistencies in checking edit permissions for a DAG #20346
This looks right to me but I had issues with my local setup to test nor is Python my strong suit.
Fwiw, this isn't how permissions are documented: Have we tried this in an instance with a large number of DAGs?
re: Optimization -- we have a short-circuit too, i.e. as soon as we find "can_edit" on "DAG" we return, check the following source:
airflow/airflow/www/security.py Lines 288 to 290 in fc0fb22
airflow/airflow/www/security.py Lines 320 to 322 in fc0fb22
I'm just saying that, regardless of what security manager is in use, global It'll eventually short-circuit, but in the worst case scenario what impact do we have by not using the more efficient short circuit?
What do you think about - 66a7033?
Looks good.
The PR is likely OK to be merged with just subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest main or amend the last commit of the PR, and push it with --force-with-lease.
Another test error is
sqlalchemy.orm.exc.DetachedInstanceError: Parent instance <Permission at 0x7efe63460b10>
is not bound to a Session; lazy load operation of attribute 'action' cannot proceed
It’s emitted from get_current_user_permissions, but I’m struggling to find where this PR's changes could cause this incorrect join.
Should we make the
Do we want to include this in 2.3.1?
Too late for 2.3.1 I'm afraid.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions.
Yeah still needed
I will try to get to it in next couple of weeks but if I don't get to it feel free to take-over / close PR -- it is a minor one
cc: @kaxil
Needs rebase I am afraid.
6488e72 to 9d27cda
We were short-circuiting permission in the views instead of letting the security manager handle that. A user will find it inconsistent as the Graph and other views check "per-dag" permissions via https://github.com/apache/airflow/blob/174681911f96f17d41a4f560ca08d5e200944f7f/airflow/www/views.py#L579 so if someone uses Custom Security Manager that will end up with user not being able to "pause" DAG from individual dag page but would be able to do so from Homepage. This PR fixes this inconsistency and gives back this responsibility of permissions to security manager instead of Views.
9d27cda to f934c79
We were short-circuiting permission in the views instead of letting the security manager handle that. A user will find it inconsistent as the Graph and other views check "per-dag" permissions via https://github.com/apache/airflow/blob/174681911f96f17d41a4f560ca08d5e200944f7f/airflow/www/views.py#L579 so if someone uses Custom Security Manager that will end up with user not being able to "pause" DAG from individual dag page but would be able to do so from Homepage. This PR fixes this inconsistency and gives back this responsibility of permissions to security manager instead of Views. (cherry picked from commit 87ea8ac)
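Added example, not Airflow code and not part of this PR: a toy Python model of the inconsistency the commit message describes, where a view that short-circuits on the global grant disagrees with a custom security manager's per-DAG decision. Every class, function and DAG name below is hypothetical, and the "frozen DAG" policy is an assumed custom rule.

```python
# Toy model (constructed, not Airflow code) of two ways a view can decide
# whether the current user may pause a DAG. All names are hypothetical.
GLOBAL_EDIT = ("can_edit", "DAG")

class DefaultSecurityManager:
    """Stand-in security manager holding one user's (action, resource) grants."""

    def __init__(self, user_perms):
        self.user_perms = set(user_perms)

    def can_edit_dag(self, dag_id):
        # A global grant short-circuits; otherwise require the per-DAG grant.
        if GLOBAL_EDIT in self.user_perms:
            return True
        return ("can_edit", f"DAG:{dag_id}") in self.user_perms

class FrozenDagSecurityManager(DefaultSecurityManager):
    """Assumed custom policy: listed DAGs are read-only for everyone."""

    frozen = {"payroll"}

    def can_edit_dag(self, dag_id):
        return dag_id not in self.frozen and super().can_edit_dag(dag_id)

def homepage_can_pause_before(sm, dag_id):
    # View-level short-circuit: the view inspects the global grant itself,
    # so a custom manager's per-DAG rule is never consulted.
    return GLOBAL_EDIT in sm.user_perms or sm.can_edit_dag(dag_id)

def homepage_can_pause_after(sm, dag_id):
    # The view hands the whole decision to the security manager.
    return sm.can_edit_dag(dag_id)

def dag_page_can_pause(sm, dag_id):
    # Per-DAG check, as the Graph and other views are described as doing.
    return sm.can_edit_dag(dag_id)

def audit(sm, dag_ids, homepage_check):
    """Return the DAG ids where homepage and DAG-page decisions disagree."""
    return [d for d in dag_ids
            if homepage_check(sm, d) != dag_page_can_pause(sm, d)]

sm = FrozenDagSecurityManager({GLOBAL_EDIT})  # constructed sample user
dags = ["payroll", "etl_daily"]               # constructed DAG ids
print(audit(sm, dags, homepage_can_pause_before))  # ['payroll']
print(audit(sm, dags, homepage_can_pause_after))   # []
```

The same `audit` comparison can serve as a regression test for any custom security manager: every entry point that exposes an edit action should return the manager's own answer.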