DAG-level permissions for /dags/{dag_id}/clearTaskInstances is incorrect
#43140
Labels
area:auth
kind:bug
This is a clearly a bug
kind:documentation
needs-triage
label for new issues that we didn't triage yet
Comments
wolfier
added
kind:bug
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What do you see as an issue?
The documentation on DAG level permissions states that the permissions
DAGs.can_edit,DAG Runs.can_read,Task Instances.can_editare required for the endpoint/dags/{dag_id}/clearTaskInstances.Solving the problem
The permissions for the endpoint
/dags/{dag_id}/clearTaskInstancesareDAGs.can_edit,DAG Runs.can_edit,Task Instances.can_edit. The method is also "PUT" not "POST".In Airflow 2.8.0, the clear endpoint updated (see PR) to use the requires_access_dag function which leverages is_authorized_dag. More importantly, the SAME resource method is used to check against each resource entity. The clear method passes the "PUT" resource method which translates to "ACTION_CAN_EDIT".
The logic translates to requiring the following permissions.
(permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG)
(permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG_RUN)
(permissions.ACTION_CAN_EDIT, permissions.RESOURCE_TASK_INSTANCE)
Anything else
I did not check the other DAG level permissions. I recommend verifying each entry.
Are you willing to submit PR?
Code of Conduct
The text was updated successfully, but these errors were encountered: