DAG-level permissions for /dags/{dag_id}/clearTaskInstances is incorrect
#43140
Labels
area:auth
kind:bug (This is clearly a bug)
kind:documentation
needs-triage (label for new issues that we didn't triage yet)
What do you see as an issue?
The documentation on DAG level permissions states that the permissions DAGs.can_edit, DAG Runs.can_read, Task Instances.can_edit are required for the endpoint /dags/{dag_id}/clearTaskInstances.
Solving the problem
The permissions for the endpoint /dags/{dag_id}/clearTaskInstances are DAGs.can_edit, DAG Runs.can_edit, Task Instances.can_edit. The method is also "PUT" not "POST".
In Airflow 2.8.0, the clear endpoint was updated (see PR) to use the requires_access_dag function, which leverages is_authorized_dag. More importantly, the SAME resource method is used to check against each resource entity. The clear method passes the "PUT" resource method, which translates to "ACTION_CAN_EDIT".
The logic translates to requiring the following permissions.
(permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG)
(permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG_RUN)
(permissions.ACTION_CAN_EDIT, permissions.RESOURCE_TASK_INSTANCE)
Anything else
I did not check the other DAG level permissions. I recommend verifying each entry.
Are you willing to submit PR?
Code of Conduct
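The check described in this issue, modelled as an added example (not Airflow's code and not written by the issue author): one action is derived from the method and applied to every resource entity, so a role built from the documented permissions can be audited against what is actually enforced. The function names, the two sample roles and the reduced method map are assumptions made for illustration; the permission strings are the ones quoted in the issue.

```python
# Constructed model of the check described in the issue; not Airflow's code.
# String values mirror the permission names quoted on this page.
ACTION_CAN_READ = "can_read"
ACTION_CAN_EDIT = "can_edit"
RESOURCE_DAG = "DAGs"
RESOURCE_DAG_RUN = "DAG Runs"
RESOURCE_TASK_INSTANCE = "Task Instances"

# Method-to-action mapping as the issue describes it ("PUT" -> can_edit).
# Only the two methods needed here are modelled (assumption).
METHOD_TO_ACTION = {"GET": ACTION_CAN_READ, "PUT": ACTION_CAN_EDIT}

# Entities the clear endpoint is checked against, per the issue.
CLEAR_ENTITIES = (RESOURCE_DAG, RESOURCE_DAG_RUN, RESOURCE_TASK_INSTANCE)


def required_permissions(method, entities=CLEAR_ENTITIES):
    """One action, derived from the method, applied to every entity."""
    action = METHOD_TO_ACTION[method]
    return {(action, resource) for resource in entities}


def missing_permissions(role_permissions, method, entities=CLEAR_ENTITIES):
    """Return the (action, resource) pairs the role lacks, sorted."""
    return sorted(required_permissions(method, entities) - set(role_permissions))


def is_authorized(role_permissions, method, entities=CLEAR_ENTITIES):
    """A role passes only if it holds the action on every entity."""
    return not missing_permissions(role_permissions, method, entities)


# Hypothetical role built from the documentation entry the issue quotes.
ROLE_FROM_DOCS = {
    (ACTION_CAN_EDIT, RESOURCE_DAG),
    (ACTION_CAN_READ, RESOURCE_DAG_RUN),
    (ACTION_CAN_EDIT, RESOURCE_TASK_INSTANCE),
}
# Same role after adding the permission the issue says is actually checked.
ROLE_CORRECTED = ROLE_FROM_DOCS | {(ACTION_CAN_EDIT, RESOURCE_DAG_RUN)}

if __name__ == "__main__":
    for name, role in (("docs", ROLE_FROM_DOCS), ("corrected", ROLE_CORRECTED)):
        print(name, is_authorized(role, "PUT"), missing_permissions(role, "PUT"))
```

Running the same comparison over every documented endpoint entry is one way to carry out the verification the issue recommends.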