[AIRFLOW-4028] Avoid Adding DAG_PERMS of All DAGs to Admin Role #4856
Conversation
For Admin users, they already have DAG permissions on special view "all_dags". It's not necessary to add DAG permissions of each single DAG to Admin role, which may add too many records into DB table (say there are 1000 DAGs, there are 2000 records to be written into permission table currently)
|
Hi @feng-tao , this PR is to address the issue I mentioned in #4569 (comment) . Understand that you don't want to go for hacky solution. Please take a look at this PR and decide if it looks good to you. Feel free to close it if it's hacky for you (as you understand the FAB SecurityManager part better than I do). Thanks. |
Codecov Report
@@ Coverage Diff @@
## master #4856 +/- ##
==========================================
+ Coverage 74.77% 74.77% +<.01%
==========================================
Files 449 449
Lines 28963 28963
==========================================
+ Hits 21657 21658 +1
+ Misses 7306 7305 -1
Continue to review full report at Codecov.
|
|
@XD-DENG , I felt the solution is a bit of hacky as it relies on Admin should use all_dags view_menu. It will break if tomorrow we decide to use something else for Admin role. And normally I don't think the Admin user will change what admin permissions. |
|
@feng-tao , understand and agree. Let me close this PR but leave the JIRA ticket open. |
Jira
Description
Currently Admin’s permissions will always be updated so it has ALL permissions, including each DAG’s “can_dag_view” and “can_dag_edit”.
Let’s say we have 1000 DAGs now: then 2000 permissions will be added to Admin role in DB, and all of them will also be shown in UI if we go to Security->Roles.
This may not be necessary as Admin role already has “can_dag_view” and “can_dag_edit” on special view “all_dags”.