Reputation: 10703
I am struggling to set up DAG-level access control in Airflow 2.1.0. The aim is to let a user see and control a single DAG and its runs, but nothing else. Trying to follow the docs on access control and the barely documented access_control parameter of DAG, I'm setting up a minimal scenario:
- my_role with can read on Website
- my_user with role my_role
- my_dag with DAG(..., access_control={'my_role': ['can_read', 'can_edit']})
This partially works. I can log in as my_user and see only my_dag in the list of DAGs. I cannot, however, view the DAG by clicking on it, trigger it or view its runs. I tried to add extra global permissions like read on DAG Runs / Task Instances, but it didn't help. The only thing that worked is being able to trigger the DAG with the global create on DAG Runs permission (I'm not sure if I'm able to trigger any DAG now just by issuing a proper request, I didn't check).
So is this possible to achieve? Am I missing something maybe?
Upvotes: 5
Views: 9631
Reputation: 146
You are missing the following permissions: can read on DAG Runs, can read on Task Instances, can edit on DAG Runs, can read on DAG Code, can read on Task Logs, added to my_role.
Also note that the access_control attribute in DAG is outdated and is not needed anymore, as you can set that up at role level with the permission can xxx on DAG:dag_id, where xxx is read or edit and dag_id is the id you set in your DAG definition.
Upvotes: 3
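A least-privilege check for a role like the one discussed above, as an added example that is not code from either post or from Airflow. It compares a role's permission strings against the answer's list plus the per-DAG permissions, and flags grants that reach beyond the one DAG. The function names are hypothetical, and the treatment of the DAGs resource as the all-DAGs grant is an assumption about Airflow's resource naming.

```python
import re

# Permissions the answer lists as required on the role, plus the question's
# "can read on Website"; names are written as they appear in the posts.
REQUIRED_GLOBAL = {
    ("read", "Website"),
    ("read", "DAG Runs"),
    ("edit", "DAG Runs"),
    ("read", "Task Instances"),
    ("read", "DAG Code"),
    ("read", "Task Logs"),
}

PERM_RE = re.compile(r"^can[ _](\w+) on (.+)$")


def parse(perm):
    """Split 'can read on DAG:my_dag' into ('read', 'DAG:my_dag')."""
    m = PERM_RE.match(perm.strip())
    if not m:
        raise ValueError(f"unrecognised permission string: {perm!r}")
    return m.group(1).lower(), m.group(2).strip()


def audit_role(perms, dag_id):
    """Return (missing, too_broad) for a role meant to reach only dag_id."""
    granted = {parse(p) for p in perms}
    own = f"DAG:{dag_id}"
    wanted = REQUIRED_GLOBAL | {("read", own), ("edit", own)}
    missing = sorted(wanted - granted)
    too_broad = sorted(
        (action, res) for action, res in granted
        # Assumption: "DAGs" covers every DAG; "DAG:<other>" is another DAG.
        if res == "DAGs" or (res.startswith("DAG:") and res != own)
    )
    return missing, too_broad


# Constructed sample: the role as described in the question.
QUESTION_ROLE = ["can read on Website", "can read on DAG:my_dag", "can edit on DAG:my_dag"]

if __name__ == "__main__":
    missing, too_broad = audit_role(QUESTION_ROLE, "my_dag")
    for action, res in missing:
        print(f"missing: can {action} on {res}")
    for action, res in too_broad:
        print(f"too broad: can {action} on {res}")
```
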