Posted to commits@airflow.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2019/09/27 13:22:00 UTC

[jira] [Commented] (AIRFLOW-5562) Skip grant single DAG permissions for Admin role

    [ https://issues.apache.org/jira/browse/AIRFLOW-5562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939445#comment-16939445 ] 

ASF GitHub Bot commented on AIRFLOW-5562:
-----------------------------------------

icyfox-bupt commented on pull request #6199: [AIRFLOW-5562] Skip grant single DAG permissions for Admin role.
URL: https://github.com/apache/airflow/pull/6199
 
 
   Make sure you have checked _all_ steps below.
   
   ### Jira
   
   - https://issues.apache.org/jira/projects/AIRFLOW/issues/AIRFLOW-5562
   
   ### Description
   
   - [X] Here are some details about my PR, including screenshots of any UI changes:
   
   This PR aims to improve Airflow security logic: it skips granting DAG permissions to the Admin role when refreshing a DAG or restarting Airflow. As the Admin role has access to all_dags, we don't need to grant the permission to it.
   Besides, too many permissions will fill the WebUI with text and cause some performance issues in the DB.
   
   ### Tests
   
   - [X] My PR does not need testing for this extremely good reason: The function didn't have a test case before.
   
   ### Commits
   
   - [X] My commits all reference Jira issues in their subject lines, and I have squashed multiple commits if they address the same issue. In addition, my commits follow the guidelines from "[How to write a good git commit message](http://chris.beams.io/posts/git-commit/)":
     1. Subject is separated from body by a blank line
     1. Subject is limited to 50 characters (not including Jira issue reference)
     1. Subject does not end with a period
     1. Subject uses the imperative mood ("add", not "adding")
     1. Body wraps at 72 characters
     1. Body explains "what" and "why", not "how"
   
   ### Documentation
   
   - [X] In case of new functionality, my PR adds documentation that describes how to use it.
     - All the public functions and the classes in the PR contain docstrings that explain what they do
     - If you implement backwards incompatible changes, please leave a note in the [Updating.md](https://github.com/apache/airflow/blob/master/UPDATING.md) so we can assign it to an appropriate release
   
 


> Skip grant single DAG permissions for Admin role
> ------------------------------------------------
>
>                 Key: AIRFLOW-5562
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-5562
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.10.3, 1.10.4, 1.10.5
>            Reporter: Liu Xuesi
>            Priority: Major
>              Labels: security, security-groups
>         Attachments: admin_permission_full_of_dags.jpg
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> From AIRFLOW-2267, there is a function named *update_admin_perm_view* that will refresh admin permissions and then add ALL permissions to the Admin role.
> But DAG-level access makes each DAG a MenuView, and these views will be granted to the Admin role. As the Admin role already has access to *all_dags*, these permissions actually make the Admin role's permissions more chaotic.
> In my project, it is hard to check permissions in the web UI, and this actually leads to some performance issues.
>  


