You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/06/12 09:06:38 UTC
[GitHub] [airflow] KayleMaster opened a new issue #9245: Role is automatically populated with permissions ?
KayleMaster opened a new issue #9245:
URL: https://github.com/apache/airflow/issues/9245
<!--
Welcome to Apache Airflow! For a smooth issue process, try to answer the following questions.
Don't worry if they're not all applicable; just try to include what you can :-)
If you need to include code snippets or logs, please put them in fenced code
blocks. If they're super-long, please use the details tag like
<details><summary>super-long log</summary> lots of stuff </details>
Please delete these comment blocks before submitting the issue.
-->
<!--
Please complete the next sections or the issue will be closed.
This questions are the first thing we need to know to understand the context.
-->
**Apache Airflow version**: 1.10.10
**Environment**:
- **Cloud provider or hardware configuration**: AWS
- **OS**: Debian
**What happened**: Created a new role, added "can_index" and "menu_access on DAGs". After webserver restart, new roles appeared:
[can delete on Airflow, can tree on Airflow, can index on Airflow, can task stats on Airflow, can gantt on Airflow, can task instances on Airflow, can landing times on Airflow, can log on Airflow, can dag stats on Airflow, can paused on Airflow, can run on Airflow, can trigger on Airflow, can xcom on Airflow, can rendered on Airflow, can dag details on Airflow, can refresh on Airflow, can tries on Airflow, can code on Airflow, can get logs with metadata on Airflow, can dagrun clear on Airflow, can duration on Airflow, can graph on Airflow, can blocked on Airflow, can pickle info on Airflow, can clear on Airflow, can task on Airflow, can success on Airflow, can list on DagModelView, can show on DagModelView, can list on DagRunModelView, can add on DagRunModelView, muldelete on DagRunModelView, set failed on DagRunModelView, set running on DagRunModelView, set success on DagRunModelView, menu access on DAG Runs, menu access on Browse, can list on JobModelView, menu access on Jobs, can list on LogModelView, menu access on Logs, can list on SlaMissModelView, menu access on SLA Misses, can list on TaskInstanceModelView, clear on TaskInstanceModelView, set failed on TaskInstanceModelView, set running on TaskInstanceModelView, set success on TaskInstanceModelView, menu access on Task Instances, menu access on Documentation, menu access on Docs, can version on VersionView, menu access on Version, menu access on About]
<!-- (please include exact error messages if you can) -->
**What you expected to happen**: Role is persistent unless changed by a user
<!-- What do you think went wrong? -->
**How to reproduce it**: Add new role with "can_index" and "menu access on DAG Runs". Restart webserver. The new role now has extra permissions.
**Anything else we need to know**: 100 % Reproducable.
I've found people with similar issue on stack overflow: https://stackoverflow.com/questions/60100536/apache-airflow-some-permissions-on-new-role-are-reset
And on Slack a similar issue:
```
We are currently running Airflow 1.10.9 and facing a weird issue with role permissions.
Make a copy of the Viewer role and rename it to something else (can be reproduced without renaming as well)
Refresh the Roles page a couple of times or click on Edit for the copied role
The role now has permissions which it did not have before. Even though I never added those permissions
For example, the Viewer role does not have the permission set failed on DagRunModelView while a copy of the Viewer role has that permission even though I never added it to the copied role.
```
<!--
How often does this problem occur? Once? Every time etc?
Any relevant logs to include? Put them here in side a detail tag:
<details><summary>x.log</summary> lots of stuff </details>
-->
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] dakov commented on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
dakov commented on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-670478523
I believe it's happening here https://github.com/apache/airflow/blob/1.10.11/airflow/www_rbac/security.py#L373 . I didn't really have time to study the method properly (it's a bit too complex), to provide a fix. But esentially, this method is called periodically and if a role is in the `EXISTING_ROLES` list, it gets "synced" with permessions defined here - https://github.com/apache/airflow/blob/1.10.11/airflow/www_rbac/security.py#L160 .
If a role is not in the list, its permission gets generated by the method and synced. I believe its during this process when permissions are added to the role automatically.
My hot fix is that I created a custom role, I defined it the same way as default roles are (as shown in the 2nd link) and I added the role the `EXISTING_ROLES` list. This way I cannot modify its permission in UI, but at least the role has exactly the permission I need.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] jhtimmins commented on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
jhtimmins commented on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-765610686
@kaxil Ok, thanks for clarifying. I think the original model is confusing, because "Dag roles" aren't any different than other roles. You can create custom roles with any permissions you want.
And yikes, I didn't realize you could handle access control on the actual DAG. That majorly bums me out.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] avenkatraman commented on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
avenkatraman commented on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-763328718
Can any of the devs comment on a workaround that doesn't involve modifying the Airflow source code? Preventing users from deleting Airflow DAGs, DAGRuns, etc should be easy to do.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] kaxil closed issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
kaxil closed issue #9245:
URL: https://github.com/apache/airflow/issues/9245
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] jhtimmins commented on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
jhtimmins commented on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-765121786
@kaxil The bug seems related to the method `create_custom_dag_permission_view`. I don't quite follow the logic of the method though, as it seems to reference outdated behaviors. Do you know if there used to be dag-specific roles?
https://github.com/apache/airflow/blame/master/airflow/www/security.py#L449
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] kaxil commented on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
kaxil commented on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-764114408
@jhtimmins Can you please replicate it on 1.10.14 and 2.0.0 and take a deeper look at this -- hopefully we can fix it for 1.10.15 and 2.0.0
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] kaxil edited a comment on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
kaxil edited a comment on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-764114408
@jhtimmins Can you please replicate it on 1.10.14 and 2.0.0 and take a deeper look at this -- hopefully we can fix it for 1.10.15 and 2.0.1
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] kaxil closed issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
kaxil closed issue #9245:
URL: https://github.com/apache/airflow/issues/9245
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] jhtimmins commented on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
jhtimmins commented on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-765121786
@kaxil The bug seems related to the method `create_custom_dag_permission_view`. I don't quite follow the logic of the method though, as it seems to reference outdated behaviors. Do you know if there used to be dag-specific roles?
https://github.com/apache/airflow/blame/master/airflow/www/security.py#L449
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] ervazquez commented on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
ervazquez commented on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-674958390
> I believe it's happening here https://github.com/apache/airflow/blob/1.10.11/airflow/www_rbac/security.py#L373 . I didn't really have time to study the method properly (it's a bit too complex), to provide a fix. But esentially, this method is called periodically and if a role is in the `EXISTING_ROLES` list, it gets "synced" with permessions defined here - https://github.com/apache/airflow/blob/1.10.11/airflow/www_rbac/security.py#L160 .
>
> If a role is not in the list, its permission gets generated by the method and synced. I believe its during this process when permissions are added to the role automatically.
>
> My hot fix is that I created a custom role, I defined it the same way as default roles are (as shown in the 2nd link) and I added the role the `EXISTING_ROLES` list. This way I cannot modify its permission in UI, but at least the role has exactly the permission I need.
@dakov I've been experiencing similar issues creating roles and getting them to work using the Airflow UI (version 1.10.11). I want to test your method. I tried the following:
1. modifying the script `./venv/lib/python3.7/site-packages/airflow/www_rbac/security.py` which is what I believe you were suggesting.
2. Running `airflow sync_perm` in the webserver
Does not seem to be working for me. Please let me know if I'm missing something here.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] domagojulamec commented on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
domagojulamec commented on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-670496803
@dakov, your workaround worked for me.
I created a new Role thru GUI, assigned it to a user.
It populated it with all sorts of unwanted permissions.
Went to edit security.py and added the name of the new Role to the EXISTING_ROLES array.
Returned to GUI to fix the permissions of the role.
Now they stick like glue.
Currently in the process of testing all sorts of cases to see if it will repopulate with unwanted permissions.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] kaxil edited a comment on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
kaxil edited a comment on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-764114408
@jhtimmins Can you please replicate it on 1.10.14 and 2.0.0 and take a deeper look at this -- hopefully we can fix it for 1.10.15 and 2.0.1
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] dakov commented on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
dakov commented on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-665447817
Happens to me on 1.10.11 with `can delete on Airflow` and `muldelete on DagRunModelView`. Also when I create a new empty role it is (within seconds) populated with a whole set of "default(?)" permissions. I guess that when I remove one of them, it is recreated after some cycle. It doesn't happen with the `public` role which remains empty.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] domagojulamec edited a comment on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
domagojulamec edited a comment on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-670470003
This happened to me on these three versions on which i tested RBAC: 1.10.5 & 1.10.8 & 1.10.11.
On 1.10.8 it somehow mananaged to not populate it a few times i logged in/out and then all of a sudden it did it again.
Any clues could this be an external thing, such as javascript or something that populates the role window?
Other people have had this issue on version 1.10.6:
https://stackoverflow.com/questions/60100536/apache-airflow-some-permissions-on-new-role-are-reset
This is a serious issue, RBAC is not RBAC with this bug.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] domagojulamec commented on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
domagojulamec commented on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-670470003
This happened to me on these three versions on which i tested RBAC: 1.10.5 & 1.10.8 & 1.10.11.
On 1.10.8 it somehow mananaged to not populate it a few times i logged in/out and then all of a sudden it did it again.
Any clues could this be an external thing, such as javascript or something that populates the role window?
This is a serious issue, RBAC is not RBAC with this bug.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] kaxil commented on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
kaxil commented on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-764114408
@jhtimmins Can you please replicate it on 1.10.14 and 2.0.0 and take a deeper look at this -- hopefully we can fix it for 1.10.15 and 2.0.0
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] kaxil edited a comment on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
kaxil edited a comment on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-765598882
> https://github.com/apache/airflow/blame/master/airflow/www/security.py#L449
I think it just means creating a new role with Dag-level permissions as explained in https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html#dag-level-role
We could also do define access control for that DAG in the DAG itself:
https://github.com/apache/airflow/blob/39d90579843ac2627cd3d46f784304adacf372ed/tests/serialization/test_dag_serialization.py#L155-L164
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] kaxil commented on issue #9245: Role is automatically populated with permissions ?
Posted by GitBox <gi...@apache.org>.
kaxil commented on issue #9245:
URL: https://github.com/apache/airflow/issues/9245#issuecomment-765598882
> https://github.com/apache/airflow/blame/master/airflow/www/security.py#L449
I think it just means creating a new role with Dag-level permissions as explained in https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html#dag-level-role
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org