Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/02/05 00:02:21 UTC

[GitHub] [airflow] jhtimmins edited a comment on pull request #11260: Add DAG permissions based on DAG tags

jhtimmins edited a comment on pull request #11260:
URL: https://github.com/apache/airflow/pull/11260#issuecomment-773681476


   @zacharya19 Apologies for the delay.
   
   1. This will depend on your deployment setup. If your team uses automated deployments, it's very possible that a user could have merge access that will allow a DAG to get added/modified without having access to the DB. Perhaps more importantly, allowing a code-level change to modify permissions is a relatively deep coupling between two separate systems, which presents additional issues. For example, allowing tags to control access means that any time someone does a code review of a DAG change, they'll need to check the associated users with access to the associated tags, then confirm with a manager/admin user that those users are permitted to access that DAG. Now admin-level app management is tied to code deployments.
   
   2. It seems like most of the issues you described can be solved with custom roles. Since users can have multiple roles, could you not create custom roles that have access to edit/read the appropriate DAGs? Then a user that works for the internal tools team, for example, could have the roles `Viewer` and `InternalTools`. Whenever the internal tools team adds a new DAG, it's relatively simple to add that new DAG to the `InternalTools` role.
   
   @JavierLopezT I'm interested in your thoughts for the second point as well. 

