Description
Apache Airflow version
3.1.7
If "Other Airflow 3 version" selected, which one?
No response
What happened?
When using DAG-level access control with specific DAG permissions (e.g., can read on DAG:my_dag_id), users receive a 404 error when accessing the task group detail view at /dags/{dag_id}/tasks/group/{group_id}, even though they have the appropriate DAG-specific permission.
The same user with Admin role (which has the general can read on DAGs permission) can access the same URL without issues.
What you think should happen instead?
Users with DAG-specific permissions like can read on DAG:my_dag_id should be able to access all views and endpoints related to that specific DAG, including:
- Task group views (/dags/{dag_id}/tasks/group/{group_id})
- DAG graph/structure views
- Other DAG detail pages
The DAG-level access control should be consistently enforced across all DAG-related endpoints, not just the DAG list view.
How to reproduce
- Create a custom role (e.g., restricted_user)
- Grant the following permissions to the role:
  - can read on DAG:specific_dag_id
  - can read on DAG Dependencies
  - can read on DAG Code
  - can read on Task Instances
  - Other viewer permissions
- **DO NOT grant**: can read on DAGs (general permission)
- Assign a user to this role
- Log in as that user
- Try to access: https://your-airflow/dags/specific_dag_id/tasks/group/some_task_group
  - expected: Task group view renders successfully
  - actual: 404 not found
- Add can read on DAGs permission to the role
- Access the same URL again
  - result: Now it works, but the user can now see ALL DAGs in the system (not desired)
Operating System
Linux / Kubernetes
Versions of Apache Airflow Providers
apache-airflow-providers-fab==3.2.0
Deployment
Other Docker-based deployment
Deployment details
No response
Anything else?
No response
Are you willing to submit PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project's Code of Conduct
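
The check the report asks for, written as a small regression audit: an added example, not code from the issue author, Airflow, or the FAB provider. The route table, the two check functions, and the idea that the task group route consults only the general grant are assumptions made to model the reported 404; the audit verifies that a DAG-specific grant is sufficient on every DAG-scoped route and does not extend to any other DAG.

```python
# Constructed model of the reported behaviour; not Airflow or FAB provider code.
GENERAL = ("can_read", "DAGs")


def scoped(dag_id):
    """Permission tuple for a single DAG, e.g. 'can read on DAG:my_dag_id'."""
    return ("can_read", f"DAG:{dag_id}")


def check_general_or_scoped(perms, dag_id):
    """Expected rule: the general grant or the DAG-specific grant is enough."""
    return GENERAL in perms or scoped(dag_id) in perms


def check_general_only(perms, dag_id):
    """Assumed faulty rule: the DAG-specific grant is ignored."""
    return GENERAL in perms


# Hypothetical route table: path template -> authorization check it applies.
ROUTES = {
    "/dags/{dag_id}": check_general_or_scoped,
    "/dags/{dag_id}/tasks/group/{group_id}": check_general_only,
}


def status(route, perms, dag_id):
    """404 on denial, matching the response described in the report."""
    return 200 if ROUTES[route](perms, dag_id) else 404


def audit(granted_dag, other_dag):
    """Return (route, problem) pairs for a role holding only the scoped grant."""
    perms = {scoped(granted_dag)}
    findings = []
    for route in ROUTES:
        if status(route, perms, granted_dag) != 200:
            findings.append((route, "scoped grant not honoured"))
        if status(route, perms, other_dag) != 404:
            findings.append((route, "scoped grant leaks to another DAG"))
    return findings


if __name__ == "__main__":
    for route, problem in audit("specific_dag_id", "unrelated_dag"):
        print(f"{route}: {problem}")
```

An empty result from `audit` is the passing state: every route honours the scoped grant for its own DAG and returns 404 for any other.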