Return raw import-error stacktrace when file has no registered Dag#67465
Merged
vatsrahul1001 merged 2 commits intoMay 25, 2026
Merged
Conversation
The Import Errors API used to fall back to a redaction message for files that have no `DagModel` row yet (parse failed before any Dag was defined, or all Dags removed). The fallback was a placeholder, not a real authorization decision -- it left admins unable to read the actual stacktrace, and it did not respect multi-team isolation. Restore the previous behavior of returning the raw stacktrace in this case until a proper admin-only path is in place. The dedicated permission and multi-team scoping are tracked in apache#67461. The other changes from the per-file authorization work -- matching on `relative_fileloc + bundle_name` and splitting the list-endpoint CTE so the per-file authorization check sees the full Dag set -- stay in place.
potiuk
requested review from
bugraoz93,
choo121600,
ephraimbuddy,
jason810496,
pierrejeambrun,
rawwar and
shubhamraj-git
as code owners
potiuk
added
the
backport-to-v3-2-test
vatsrahul1001
added
type:bug-fix
Lee-W
approved these changes
May 25, 2026
vatsrahul1001
approved these changes
May 25, 2026
vatsrahul1001
added
the
backport-to-v3-2-test
Contributor
Backport successfully created: v3-2-testNote: As of Merging PRs targeted for Airflow 3.X In matter of doubt please ask in #release-management Slack channel.
|
vatsrahul1001
added a commit
that referenced
this pull request
May 25, 2026
…tered Dag (#67465) (#67478) The Import Errors API used to fall back to a redaction message for files that have no `DagModel` row yet (parse failed before any Dag was defined, or all Dags removed). The fallback was a placeholder, not a real authorization decision -- it left admins unable to read the actual stacktrace, and it did not respect multi-team isolation. Restore the previous behavior of returning the raw stacktrace in this case until a proper admin-only path is in place. The dedicated permission and multi-team scoping are tracked in #67461. The other changes from the per-file authorization work -- matching on `relative_fileloc + bundle_name` and splitting the list-endpoint CTE so the per-file authorization check sees the full Dag set -- stay in place. (cherry picked from commit 93a078a) Co-authored-by: Jarek Potiuk <jarek@potiuk.com> Co-authored-by: Rahul Vats <43964496+vatsrahul1001@users.noreply.github.com>
vatsrahul1001
added a commit
that referenced
this pull request
May 25, 2026
…tered Dag (#67465) (#67478) The Import Errors API used to fall back to a redaction message for files that have no `DagModel` row yet (parse failed before any Dag was defined, or all Dags removed). The fallback was a placeholder, not a real authorization decision -- it left admins unable to read the actual stacktrace, and it did not respect multi-team isolation. Restore the previous behavior of returning the raw stacktrace in this case until a proper admin-only path is in place. The dedicated permission and multi-team scoping are tracked in #67461. The other changes from the per-file authorization work -- matching on `relative_fileloc + bundle_name` and splitting the list-endpoint CTE so the per-file authorization check sees the full Dag set -- stay in place. (cherry picked from commit 93a078a) Co-authored-by: Jarek Potiuk <jarek@potiuk.com> Co-authored-by: Rahul Vats <43964496+vatsrahul1001@users.noreply.github.com>
vatsrahul1001
added a commit
that referenced
this pull request
May 25, 2026
…tered Dag (#67465) (#67478) The Import Errors API used to fall back to a redaction message for files that have no `DagModel` row yet (parse failed before any Dag was defined, or all Dags removed). The fallback was a placeholder, not a real authorization decision -- it left admins unable to read the actual stacktrace, and it did not respect multi-team isolation. Restore the previous behavior of returning the raw stacktrace in this case until a proper admin-only path is in place. The dedicated permission and multi-team scoping are tracked in #67461. The other changes from the per-file authorization work -- matching on `relative_fileloc + bundle_name` and splitting the list-endpoint CTE so the per-file authorization check sees the full Dag set -- stay in place. (cherry picked from commit 93a078a) Co-authored-by: Jarek Potiuk <jarek@potiuk.com> Co-authored-by: Rahul Vats <43964496+vatsrahul1001@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Import Errors API used to fall back to a redaction message for files that have no
DagModelrow yet (parse failed before any Dag was defined, or all Dags removed). The fallback was a placeholder, not a real authorization decision -- it left admins unable to read the actual stacktrace, and it did not respect multi-team isolation.Restore the previous behavior of returning the raw stacktrace in this case until a proper admin-only path is in place. The dedicated permission and multi-team scoping are tracked in
#67461.
The other changes from the per-file authorization work -- matching on
relative_fileloc + bundle_nameand splitting the list-endpoint CTE so the per-file authorization check sees the full Dag set -- stay in place.Was generative AI tooling used to co-author this PR?
{pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.