Dataset DEL/POST API should also check the access_control at DAG level if defined #42846
Open
Labels
area:API
Airflow's REST/HTTP API
area:core
area:datasets
Issues related to the datasets feature
kind:bug
This is clearly a bug
needs-triage
label for new issues that we didn't triage yet
Apache Airflow version
2.10.2
If "Other Airflow 2 version" selected, which one?
No response
What happened?
Let's say we have a DAG called DAG_A with several tasks, and one of the tasks will trigger a dataset update.
Right now, a user with a role which "can create on Datasets" will have permission to trigger an event for this dataset, even if this user doesn't have any role with DAG run permissions on DAG_A or DAG_A's downstream DAGs.
What you think should happen instead?
To support DAG level access control, in order to trigger a dataset update event, besides the "can create on Datasets" permission, the user should also:
So in this case, in order to call the API to create a dataset event, besides a role with the "can create on Datasets" permission, this user needs to be in Role_A (if he/she is the upstream owner), or in both Role_B and Role_C (if he/she is the downstream owner).
How to reproduce
Create 3 users with 3 roles:
Create 2 DAGs with DAG-level access control defined in the DAG:
Then use user C to call the Airflow API
Operating System
Debian 12
Versions of Apache Airflow Providers
No response
Deployment
Official Apache Airflow Helm Chart
Deployment details
No response
Anything else?
No response
Are you willing to submit PR?
Code of Conduct
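The authorization decision requested in this issue, modelled as an added example (not Airflow's code and not part of the original report). Role_A, Role_B, Role_C and DAG_A follow the issue; the `Dataset_Writer` role, DAG_B, DAG_C, the dataset URI and all function names are assumptions, and a DAG without `access_control` is treated as unrestricted at DAG level, per the "if defined" in the title.

```python
from dataclasses import dataclass, field

DATASET_CREATE = "can create on Datasets"  # resource-level permission named in the issue

@dataclass
class Dataset:
    uri: str
    producers: set = field(default_factory=set)  # DAG ids whose tasks update the dataset
    consumers: set = field(default_factory=set)  # DAG ids scheduled on the dataset

def roles_cover(dag_ids, user_roles, dag_access):
    """True if, for every DAG in dag_ids, either no DAG-level access_control is
    defined or the user holds one of the roles it grants. Empty set -> False."""
    return bool(dag_ids) and all(
        d not in dag_access or bool(user_roles & dag_access[d]) for d in dag_ids
    )

def may_create_dataset_event(user_roles, global_perms, dataset, dag_access):
    """Resource-level permission AND DAG-level access (producer, or all consumers)."""
    if not any(DATASET_CREATE in global_perms.get(r, set()) for r in user_roles):
        return False, "missing 'can create on Datasets'"
    if roles_cover(dataset.producers, user_roles, dag_access):
        return True, "upstream owner"
    if roles_cover(dataset.consumers, user_roles, dag_access):
        return True, "downstream owner"
    return False, "no DAG-level access to the producer or to all consumers"

# Constructed sample data (hypothetical layout; the issue's DAG definitions are not shown)
GLOBAL_PERMS = {"Dataset_Writer": {DATASET_CREATE}}
DAG_ACCESS = {"DAG_A": {"Role_A"}, "DAG_B": {"Role_B"}, "DAG_C": {"Role_C"}}
DS = Dataset("s3://example-bucket/constructed", {"DAG_A"}, {"DAG_B", "DAG_C"})

def decide(*roles):
    """Evaluate the constructed dataset for a user holding the given roles."""
    return may_create_dataset_event(set(roles), GLOBAL_PERMS, DS, DAG_ACCESS)

if __name__ == "__main__":
    for roles in [("Dataset_Writer",),                     # the reported gap: denied here
                  ("Dataset_Writer", "Role_A"),            # upstream owner
                  ("Dataset_Writer", "Role_B"),            # only one of two consumers
                  ("Dataset_Writer", "Role_B", "Role_C"),  # downstream owner
                  ("Role_A",)]:                            # DAG access, no dataset permission
        print(roles, "->", decide(*roles))
```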