-
Notifications
You must be signed in to change notification settings - Fork 14.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[AIRFLOW-3745] Fix viewer not able to view dag details #4569
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add test by creating dummy users with each role & check they have correct permissions?
Hi @feng-tao , I tried to cherry-pick this change into 1.10.2rc3 (I copied the change in your PR in I tried to log in using accounts with I believe this is not desired. Please try and let me know if you can reproduce this issue. |
@XD-DENG correct, I don't think that is the correct behavior. |
Thanks @feng-tao |
b059ecd
to
bec7b10
Compare
bec7b10
to
27ff881
Compare
Codecov Report
@@ Coverage Diff @@
## master #4569 +/- ##
=========================================
Coverage ? 74.13%
=========================================
Files ? 421
Lines ? 27714
Branches ? 0
=========================================
Hits ? 20546
Misses ? 7168
Partials ? 0
Continue to review full report at Codecov.
|
Codecov Report
@@ Coverage Diff @@
## master #4569 +/- ##
==========================================
+ Coverage 74.12% 74.13% +0.01%
==========================================
Files 421 421
Lines 27700 27715 +15
==========================================
+ Hits 20533 20547 +14
- Misses 7167 7168 +1
Continue to review full report at Codecov.
|
27ff881
to
31bfb65
Compare
CI pass(k8s one is random, transient) |
Hi @feng-tao , I tried to apply your latest change. But the issue seems still there. Using I'm using SQLite. Before testing, I have deleted the earlier .db file and run Not sure if I missed anything. @kaxil please help test as well so we can confirm. Thanks! |
@feng-tao yes, that's what I applied. But please note what I did was applying it against the I trust your testing. May you please test this fix on |
@XD-DENG , I think it shouldn't matter with npm. We only use npm to build the static access which may just cause UI off. But I try with v-10-test branch which I don't see any issues. @kaxil , do you think you could try out this branch on top v-10-test and see if you still see the issues or not? cc @seelmann and see if you could try out and see whether the viewer issue still exists or not. |
I will test this tonight. Sorry, we have an Airflow meetup tomorrow so preparing for that as well and I am on the client side as well so can't work on Airflow from 9-5. |
cc @jgao54 in case you have time to try out. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this change mean that the default roles that are created are to some extend un-editable?
@ashb , the default roles are all editable. This pr is to keep the behavior same as 10.1 which all the default roles could view the dag info detail page without Admin manually intervenes. |
Thanks. I haven't quite grokked how the RBAC roles and the Security Manager code works yet. |
@feng-tao I think the same thing could be achieved by adding |
thanks @jgao54 , correct, either way should work :) |
In that case, less (code) is more :) |
thanks @jgao54 . Will update the pr tonight. |
31bfb65
to
dd25379
Compare
@ashb , let's consolidate all the discussion in one place. And I could do some investigations in my night time(PST time zone). From what I understanding, your issues are:
|
Let me have a look at how we might do this with a migration. If we could (easily, without loads of code) replace all the role syncing code at run time, which would also have the benefit of removing the mildly annoying "duplicate" log lines:
(Cos each worker runs the checks, we do this for every worker at start, and then every 30s as the new worker cycles). |
@ashb , I see. Your deploy is based on 1.10.2 not on master? I think I fail to get this pr into 1.10.2 as the release timeline was pretty tight around the time. And I think someone said that just use UI to modify the permissions as a work around. Currently it only adds to those default roles to keep it the same behaviour as 1.10.1, but not those DAG level roles. And we do plan to write a blog on how we do DAG level access at Lyft, but just don't have enough time ATM. In terms of migrations from 1.10.1 to 1.10.2, I am not sure if it is easy to do as Airflow doesn't have the FAB model code which makes the db migration difficult. Let me know if you figure it out the right approach. |
Correct, yeah I've been testing the v1-10-stable branch to prepare 1.10.3 - though the problem would also apply to any upgraded install from 1.10 to what becomes master. So I feel we need to fix this in some way that gives an upgrade path form 1.10.x now to 2.0 as it will be - that doesn't involve manually adding things in the UI. |
correct, we shouldn't rely on UI for the operations... |
I'm sort of picturing something like (very pseudo code): from something import role_migrations as rm
def up():
p = rm.add_permission('all_dags', 'can_dag_edit')
rm.add_to_role('Op', p)
def down():
rm.remove_from_role('Op', 'all_dags', 'can_dag_edit') I haven't worked out the details yet, still a bit hazy (and I'm not 100% on the FAB data model around permissions, view menus, roles and all the many-to-many tables between them.) |
I have a question to seek @feng-tao ‘s input given we have started the discussion on this: currently Admin’s permissions will always be updated so it has ALL permissions, including each DAG’s “can_dag_view” and “can_dag_edit”. Let’s say we have 1000 DAGs now: then 2000 permissions will be added to Admin role in DB, and all of them will also be shown in UI if we go to Security->Roles. This may not be necessary as Admin role already has “can_dag_view” and “can_dag_edit” on “all_dags”. (but from another side, I also understand it’s easier to just simply give Admin ALL permissions) May you let me know your thoughts on this? |
@XD-DENG , I don't think it will add 2000 entries to the db for admin role. It only adds the "all_dags" view-menu with the 2 permissions into the table. |
Thanks @feng-tao . |
Oh thanks, I hadn't seen that diagram! |
Hi @feng-tao please refer to airflow/airflow/www/security.py Lines 440 to 453 in dda309e
Below is the version before my airflow/airflow/www/security.py Lines 440 to 452 in c552996
|
@XD-DENG somehow I thought it has only all_dags , but it seems it has everything. ATM, I didn't have time to dig deep to do this without a hacky solution. I would suggest let's leave it as it is for now. |
@feng-tao sure. Maybe let me create a ticket for this later maybe. Will tag you then for our reference. |
@feng-tao I haven't managed to finish it but I got somewhere with migrations to deal with perms: https://gist.github.com/ashb/f43741740fb0eae59948d52634cda575 The biggest issue is working out 1) what query to run, or 2) working out how to call the right classes/methods from within fab.security.* to update. |
@ashb , thanks. BTW, what do you think of moving https://github.com/apache/airflow/blob/master/airflow/www/security.py#L35-L140 inside AirflowSecurityManager so that we could redefine permission on different roles by subclassing the security manager? |
Yes that probably makes sense to do. |
All of the code for this has been already applied in resolving conflicts in previous cherry picks, so this just brings along the tests. Mostly so that future PRs don't conflict (cherry picked from commit c2f48ed)
All of the code for this has been already applied in resolving conflicts in previous cherry picks, so this just brings along the tests. Mostly so that future PRs don't conflict (cherry picked from commit c2f48ed)
All of the code for this has been already applied in resolving conflicts in previous cherry picks, so this just brings along the tests. Mostly so that future PRs don't conflict (cherry picked from commit c2f48ed)
Make sure you have checked all steps below.
Jira
Description
To stick with existing RBAC which Admin, Op, User, Viewer view all dags.
Tests
Commits
Documentation
Code Quality
flake8