Posted to commits@airflow.apache.org by po...@apache.org on 2023/12/17 15:38:08 UTC
(airflow) branch main updated: Update permission docs (#36120)
This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new f7f7183617 Update permission docs (#36120)
f7f7183617 is described below
commit f7f71836175b81484fe6afb147a58e1ca6d00f4d
Author: Pankaj Singh <98...@users.noreply.github.com>
AuthorDate: Sun Dec 17 21:08:00 2023 +0530
Update permission docs (#36120)
Add the admin permissions to the page too and fix some typos
---
.../fab/auth_manager/security_manager/override.py | 2 ++
docs/apache-airflow/security/access-control.rst | 35 +++++++++++++++-------
2 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/airflow/providers/fab/auth_manager/security_manager/override.py b/airflow/providers/fab/auth_manager/security_manager/override.py
index a15168f9ca..58013cd89a 100644
--- a/airflow/providers/fab/auth_manager/security_manager/override.py
+++ b/airflow/providers/fab/auth_manager/security_manager/override.py
@@ -278,6 +278,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
]
# [END security_op_perms]
+ # [START security_admin_perms]
ADMIN_PERMISSIONS = [
(permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_RESCHEDULE),
(permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_TASK_RESCHEDULE),
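Review bot: The `# [START security_admin_perms]` marker added at the top of this hunk turns `ADMIN_PERMISSIONS` into a published snippet, but nothing inside the excerpt says the list is only the delta on top of the Op set. The access-control.rst text in the same commit says Admin has the Op permissions plus these, so the list appears to be additive; the role configuration that combines them is outside the hunk. A one-line comment directly after the START marker, e.g. `# Permissions granted to Admin in addition to those of Op`, would travel with the snippet and keep a reader auditing role grants from taking it for the complete Admin set. The list continues past the end of this hunk, and the matching END marker is added in the next one.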
@@ -288,6 +289,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
(permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
(permissions.ACTION_CAN_EDIT, permissions.RESOURCE_ROLE),
]
+ # [END security_admin_perms]
###########################################################################
# DEFAULT ROLE CONFIGURATIONS
diff --git a/docs/apache-airflow/security/access-control.rst b/docs/apache-airflow/security/access-control.rst
index 263f962339..86ddfde1b4 100644
--- a/docs/apache-airflow/security/access-control.rst
+++ b/docs/apache-airflow/security/access-control.rst
@@ -38,11 +38,6 @@ By default, only ``Admin`` users can configure/alter permissions for roles. Howe
it is recommended that these default roles remain unaltered, and instead ``Admin`` users
create new roles with the desired permissions if changes are necessary.
-Admin
-^^^^^
-``Admin`` users have all possible permissions, including granting or revoking permissions from
-other users.
-
Public
^^^^^^
``Public`` users (anonymous) don't have any permissions.
@@ -74,6 +69,16 @@ Op
:start-after: [START security_op_perms]
:end-before: [END security_op_perms]
+Admin
+^^^^^
+``Admin`` users have all possible permissions, including granting or revoking permissions from
+other users. ``Admin`` users have ``Op`` permission plus additional permissions:
+
+.. exampleinclude:: /../../airflow/providers/fab/auth_manager/security_manager/override.py
+ :language: python
+ :start-after: [START security_admin_perms]
+ :end-before: [END security_admin_perms]
+
Custom Roles
'''''''''''''
@@ -152,12 +157,12 @@ Endpoint
/importErrors/{import_error_id} GET ImportError.can_read Viewer
/health GET None Public
/version GET None Public
-/pools GET Pool.can_read Op
-/pools POST Pool.can_create Op
-/pools/{pool_name} DELETE Pool.can_delete Op
-/pools/{pool_name} GET Pool.can_read Op
-/pools/{pool_name} PATCH Pool.can_edit Op
-/providers GET Provider.can_read Op
+/pools GET Pools.can_read Op
+/pools POST Pools.can_create Op
+/pools/{pool_name} DELETE Pools.can_delete Op
+/pools/{pool_name} GET Pools.can_read Op
+/pools/{pool_name} PATCH Pools.can_edit Op
+/providers GET Providers.can_read Op
/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances GET DAGs.can_read, DAG Runs.can_read, Task Instances.can_read Viewer
/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id} GET DAGs.can_read, DAG Runs.can_read, Task Instances.can_read Viewer
/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/links GET DAGs.can_read, DAG Runs.can_read, Task Instances.can_read Viewer
@@ -173,7 +178,15 @@ Endpoint
/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances/{task_id}/xcomEntries/{xcom_key} GET DAGs.can_read, DAG Runs.can_read, Viewer
Task Instances.can_read, XComs.can_read
/users GET Users.can_read Admin
+/users POST Users.can_create Admin
/users/{username} GET Users.can_read Admin
+/users/{username} PATCH Users.can_edit Admin
+/users/{username} DELETE Users.can_delete Admin
+/roles GET Roles.can_read Admin
+/roles POST Roles.can_create Admin
+/roles/{role_name} GET Roles.can_read Admin
+/roles/{role_name} PATCH Roles.can_edit Admin
+/roles/{role_name} DELETE Roles.can_delete Admin
================================================================================== ====== ================================================================= ============