
Reputation: 61

Airflow dags subdirectory - role permissions

I have an Airflow problem that seems very simple but I'm stuck with it.

I have a subdirectory (named student_dags) in my dags folder. That subdirectory has dags (python scripts). In the Airflow UI I can see the dags from my dags folder as well as the dags in the student_dags sub-folder (I have admin role). I created a new role (student) and only want to give access to dags in the student_dags subdirectory.

I tried to change permission but I can't seem to find the subdirectory name "student_dags" in there or any of the dags in the subdirectory while I'm on the permissions page. (I cannot do Read on DAGs because they'll be able to see dags in the dags folder (which I don't want them to have access to) and the dags in student_dags folder).

This seems pretty simple, but I would appreciate it if anyone who has ever encountered something similar can help.

Upvotes: 0

Views: 2205

Answers (1)

0x5453

Reputation: 13589

Just stumbled across this question in trying to do a similar thing. Here's how I would probably go about it in your case:

  1. Create a "Student" Role, and set up your auth mechanism to use this role for student accounts. This role should have very limited permissions by default (perhaps the same permissions as the "Public" role).

  2. Add a DAG Policy that detects if the current DAG is located under the student_dags directory. If so, override DAG.access_control to add permissions for this DAG to the "Student" role.

    NOTE: I think this will give every student access to all other student DAGs, which may not be desired. It may be better to assign DAG permissions to individual user accounts, but I haven't yet found a good way to do this. Everything seems tied to the concept of "roles", which would mean you would need a unique role per student, which is theoretically possible but would be a pain to maintain.

Upvotes: 2
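The DAG policy from step 2 of the answer above, as an added example (not the answerer's code), assuming Airflow 2.x, where a `dag_policy(dag)` function in `airflow_local_settings.py` is called for each DAG that gets loaded. The directory path, role name, permission set and the helper `is_student_dag` are assumptions for illustration.

```python
# airflow_local_settings.py -- must be importable by Airflow
# (for example, placed in $AIRFLOW_HOME/config).
from pathlib import Path

# Assumed values; adjust to the deployment.
STUDENT_DIR = Path("/opt/airflow/dags/student_dags")
STUDENT_ROLE = "Student"
STUDENT_PERMS = {"can_read", "can_edit"}


def is_student_dag(fileloc: str) -> bool:
    """True only if the DAG file really lives under STUDENT_DIR.

    Both paths are resolved first, so '..' segments, symlinks, or a sibling
    directory such as 'student_dags_old' cannot pass a naive prefix match.
    """
    root = STUDENT_DIR.resolve()
    return root in Path(fileloc).resolve().parents


def dag_policy(dag) -> None:
    """Cluster policy hook: decide which DAGs the Student role may touch."""
    if is_student_dag(dag.fileloc):
        # Overwrite whatever the DAG file declared, so a student-authored
        # file cannot hand its DAG to other roles or widen its permissions.
        dag.access_control = {STUDENT_ROLE: set(STUDENT_PERMS)}
        return

    # Everywhere else, make sure no DAG grants anything to the Student role,
    # even if its author copied an access_control block from a student DAG.
    acl = dict(dag.access_control or {})
    acl.pop(STUDENT_ROLE, None)
    dag.access_control = acl or None
```

For this to have any effect, the Student role must not hold the global read permission on the "DAGs" resource, since that permission exposes every DAG regardless of per-DAG `access_control`.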
