DAG-level permissions set in Web UI disappear from roles on DAG sync #32839
Description
Apache Airflow version
2.6.3
What happened
Versions: 2.6.2, 2.6.3, main
PR #30340 introduced a bug that happens whenever a DAG gets updated or a new DAG is added
Potential fix: Adding the code that was removed in PR #30340 back to airflow/models/dagbag.py fixes the issue. I've tried it on the current main branch using Breeze.
What you think should happen instead
Permissions set in Web UI stay whenever a DAG sync happens
How to reproduce
- Download
docker-compose.yaml:
curl -LfO 'https://airflow.apache.org/docs/apache-airflow/2.6.2/docker-compose.yaml'- Create dirs and set the right Airflow user:
mkdir -p ./dags ./logs ./plugins ./config && \
echo -e "AIRFLOW_UID=$(id -u)" > .env- Add
test_dag.pyto ./dags:
import datetime
import pendulum
from airflow import DAG
from airflow.operators.bash import BashOperator
with DAG(
dag_id="test",
schedule="0 0 * * *",
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
catchup=False,
dagrun_timeout=datetime.timedelta(minutes=60),
) as dag:
test = BashOperator(
task_id="test",
bash_command="echo 1",
)
if __name__ == "__main__":
dag.test()- Run docker compose:
docker compose up - Create role in Web UI: Security > List Roles > Add a new record:
Name: test
Permissions:can read on DAG:test - Update
test_dag.py: changebash_command="echo 1"tobash_command="echo 2" - Check test role's permissions:
can read on DAG:testwill be removed
Another option is to add a new dag instead of changing the existing one:
6. Add another dag to ./dags, code doesn't matter
7. Restart scheduler: docker restart [scheduler container name]
9. Check test role's permissions: can read on DAG:test will be removed
Operating System
Ubuntu 22.04.1 LTS
Versions of Apache Airflow Providers
No response
Deployment
Docker-Compose
Deployment details
Docker 24.0.2
Anything else
No response
Are you willing to submit PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project's Code of Conduct