DAG-level access control requires global "can read on DAGs" permission #51325

@willyyang

Description

Apache Airflow version

3.0.1

If "Other Airflow 2 version" selected, which one?

No response

What happened?

DAG-level access control using the access_control parameter is not working as expected. Users with specific DAG permissions (e.g., can read on DAG:test_dag_1) cannot access the DAG list page without also having the global can read on DAGs permission, which defeats the purpose of DAG-level access control.

What you think should happen instead?

Users should be able to access DAGs when they have specific DAG permissions defined in the DAG's access_control, without requiring the global can read on DAGs permission. The DAG list should show only the DAGs the user has explicit access to.

How to reproduce

  1. Create a custom role (e.g., ABC_Viewer) with the following permissions:

[can read on DAG:test_dag_1, can read on DAG Dependencies, can read on DAG Code, can read on DAG Runs, can read on DAG Versions, can read on DAG Warnings, can read on Assets, can read on Asset Aliases, can read on Backfills, can read on Cluster Activity, can read on Configurations, can read on Pools, can read on ImportError, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Instances, can read on Task Logs, can read on XComs, can read on Website, menu access on Browse, menu access on DAGs, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Assets, menu access on Cluster Activity, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on SLA Misses, menu access on Task Instances]

  2. Create a DAG with access control:

```python
from datetime import datetime

from airflow import DAG
# Airflow 3 ships EmptyOperator in the standard provider
# (on Airflow 2 it is airflow.operators.empty)
from airflow.providers.standard.operators.empty import EmptyOperator

pythondag = DAG(
    dag_id='test_dag_1',
    start_date=datetime(2024, 1, 1),
    schedule=None,
    catchup=False,
    # grants the ABC_Viewer role "can read on DAG:test_dag_1" when the DAG is parsed
    access_control={
        'ABC_Viewer': {'can_read'}
    }
)

task1 = EmptyOperator(
    task_id='test_dag_1',
    dag=pythondag
)
```
  3. Assign the ABC_Viewer role to a user (verified in Security > Users that the user has this role)
  4. Log in as that user, navigate to the DAG list page, and you will see a 403

Note

  • Without global can read on DAGs permission: User gets a 403 Forbidden error when accessing the DAG list page
  • With global can read on DAGs permission: User can see ALL DAGs, not just the ones specified in access_control

Expected Result

User should be able to access the DAG list page and see only test_dag_1 (the DAG they have explicit access to via access_control), without needing the global can read on DAGs permission.

Operating System

Debian GNU/Linux 12

Versions of Apache Airflow Providers

apache-airflow-providers-fab==2.0.2

Deployment

Other Docker-based deployment

Deployment details

No response

Anything else?

No response

Are you willing to submit PR?

  • Yes I am willing to submit a PR!
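The two behaviours the report contrasts (observed: the global "can read on DAGs" permission is required and then exposes every DAG; expected: a role with only per-DAG permissions sees just those DAGs) can be written down as a small permission-resolution model. This is an added illustration, not Airflow or FAB provider code; the Role and Dag classes, the "<action> on <resource>" permission strings and the sample roles are constructed to mirror the names used in the report.

```python
from dataclasses import dataclass, field

# Resource names as they appear in the FAB permission strings quoted in the report.
GLOBAL_DAG_RESOURCE = "DAGs"        # "can read on DAGs"
DAG_RESOURCE_PREFIX = "DAG:"        # "can read on DAG:test_dag_1"


@dataclass
class Role:
    """Constructed stand-in for a FAB role: a name plus its permission strings."""
    name: str
    permissions: set


@dataclass
class Dag:
    """Constructed stand-in for a DAG: its id and the access_control mapping."""
    dag_id: str
    access_control: dict = field(default_factory=dict)  # role name -> set of actions


def _has(role: Role, action: str, resource: str) -> bool:
    return f"{action} on {resource}" in role.permissions


def dag_level_readable(role: Role, dags: list) -> list:
    """DAG ids the role may read through a per-DAG permission.

    FAB syncs a DAG's access_control into "can read on DAG:<id>" permissions,
    so both the synced string and the raw access_control entry are honoured.
    """
    visible = []
    for dag in dags:
        synced = _has(role, "can read", DAG_RESOURCE_PREFIX + dag.dag_id)
        declared = "can_read" in dag.access_control.get(role.name, set())
        if synced or declared:
            visible.append(dag.dag_id)
    return visible


def expected_dag_list(role: Role, dags: list) -> list:
    """What the report expects: global read shows everything, otherwise only the
    explicitly granted DAGs; 403 only when the role has neither."""
    if _has(role, "can read", GLOBAL_DAG_RESOURCE):
        return [dag.dag_id for dag in dags]
    visible = dag_level_readable(role, dags)
    if not visible:
        raise PermissionError(403)
    return visible


def observed_dag_list(role: Role, dags: list) -> list:
    """What the report observes on 3.0.1 / providers-fab 2.0.2: the global
    permission is mandatory and, once present, every DAG is listed."""
    if not _has(role, "can read", GLOBAL_DAG_RESOURCE):
        raise PermissionError(403)
    return [dag.dag_id for dag in dags]


# Constructed sample data mirroring the reproduction steps.
ABC_VIEWER = Role("ABC_Viewer", {"can read on DAG:test_dag_1", "menu access on DAGs"})
GLOBAL_VIEWER = Role("Global_Viewer", {"can read on DAGs", "menu access on DAGs"})
SAMPLE_DAGS = [
    Dag("test_dag_1", {"ABC_Viewer": {"can_read"}}),
    Dag("other_dag"),
]


def compare(role: Role, dags: list) -> dict:
    """Side-by-side result for one role: '403' or the list of DAG ids."""
    out = {}
    for label, fn in (("observed", observed_dag_list), ("expected", expected_dag_list)):
        try:
            out[label] = fn(role, dags)
        except PermissionError:
            out[label] = "403"
    return out


if __name__ == "__main__":
    for role in (ABC_VIEWER, GLOBAL_VIEWER):
        print(role.name, compare(role, SAMPLE_DAGS))
```

Running the block prints the ABC_Viewer role as "403" under the observed rule and ["test_dag_1"] under the expected rule, while the role holding the global permission lists both DAGs either way; the gap between those two columns is the over-exposure the report describes.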
