Role is automatically populated with permissions ? #9245

Closed
KayleMaster opened this issue Jun 12, 2020 · 10 comments · Fixed by #13856
Labels
area:API Airflow's REST/HTTP API area:webserver Webserver related Issues kind:bug This is a clearly a bug

@KayleMaster

Apache Airflow version: 1.10.10

Environment:

  • Cloud provider or hardware configuration: AWS
  • OS: Debian

What happened: Created a new role, added "can_index" and "menu_access on DAGs". After webserver restart, new roles appeared:
[can delete on Airflow, can tree on Airflow, can index on Airflow, can task stats on Airflow, can gantt on Airflow, can task instances on Airflow, can landing times on Airflow, can log on Airflow, can dag stats on Airflow, can paused on Airflow, can run on Airflow, can trigger on Airflow, can xcom on Airflow, can rendered on Airflow, can dag details on Airflow, can refresh on Airflow, can tries on Airflow, can code on Airflow, can get logs with metadata on Airflow, can dagrun clear on Airflow, can duration on Airflow, can graph on Airflow, can blocked on Airflow, can pickle info on Airflow, can clear on Airflow, can task on Airflow, can success on Airflow, can list on DagModelView, can show on DagModelView, can list on DagRunModelView, can add on DagRunModelView, muldelete on DagRunModelView, set failed on DagRunModelView, set running on DagRunModelView, set success on DagRunModelView, menu access on DAG Runs, menu access on Browse, can list on JobModelView, menu access on Jobs, can list on LogModelView, menu access on Logs, can list on SlaMissModelView, menu access on SLA Misses, can list on TaskInstanceModelView, clear on TaskInstanceModelView, set failed on TaskInstanceModelView, set running on TaskInstanceModelView, set success on TaskInstanceModelView, menu access on Task Instances, menu access on Documentation, menu access on Docs, can version on VersionView, menu access on Version, menu access on About]

What you expected to happen: Role is persistent unless changed by a user

How to reproduce it: Add new role with "can_index" and "menu access on DAG Runs". Restart webserver. The new role now has extra permissions.

Anything else we need to know: 100% reproducible.
I've found people with a similar issue on Stack Overflow: https://stackoverflow.com/questions/60100536/apache-airflow-some-permissions-on-new-role-are-reset
And on Slack a similar issue:

We are currently running Airflow 1.10.9 and facing a weird issue with role permissions.
Make a copy of the Viewer role and rename it to something else (can be reproduced without renaming as well)
Refresh the Roles page a couple of times or click on Edit for the copied role
The role now has permissions which it did not have before. Even though I never added those permissions
For example, the Viewer role does not have the permission set failed on DagRunModelView while a copy of the Viewer role has that permission even though I never added it to the copied role.
@KayleMaster KayleMaster added the kind:bug This is a clearly a bug label Jun 12, 2020
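
A drift check for the behaviour reported above, as an added example (not Airflow code and not written by anyone in this thread): it parses the `<action> on <resource>` strings shown on the Roles page and reports grants that were not in the role as created. The baseline, the shortened post-restart listing and the high-risk prefix list are constructed assumptions.

```python
# Added example: detect permissions that appeared on a role without an operator
# granting them. Baseline, sample listing and HIGH_RISK_PREFIXES are assumptions.

# Actions treated here as state-changing (assumed classification; adjust to policy).
HIGH_RISK_PREFIXES = ("can delete", "muldelete", "set ", "clear", "can clear",
                      "can dagrun clear", "can trigger", "can run", "can add")


def parse_permission(text):
    """Split 'can delete on Airflow' into ('can delete', 'Airflow')."""
    action, sep, resource = text.strip().partition(" on ")
    if not sep or not action or not resource:
        raise ValueError(f"not an '<action> on <resource>' string: {text!r}")
    return action, resource


def parse_role_listing(listing):
    """Parse the bracketed, comma-separated permission list of one role."""
    body = listing.strip().strip("[]")
    return {parse_permission(item) for item in body.split(",") if item.strip()}


def permission_drift(baseline, observed):
    """Return (added, removed, high_risk_added) between two permission sets."""
    added = observed - baseline
    removed = baseline - observed
    high_risk = {p for p in added if p[0].startswith(HIGH_RISK_PREFIXES)}
    return added, removed, high_risk


# Constructed sample: the role as created, and a shortened post-restart listing
# that reuses permission names quoted in this issue.
BASELINE = parse_role_listing("[can index on Airflow, menu access on DAGs]")
AFTER_RESTART = parse_role_listing(
    "[can index on Airflow, menu access on DAGs, can delete on Airflow, "
    "can tree on Airflow, muldelete on DagRunModelView, "
    "set failed on DagRunModelView, menu access on DAG Runs]"
)

if __name__ == "__main__":
    added, removed, high_risk = permission_drift(BASELINE, AFTER_RESTART)
    for action, resource in sorted(added):
        flag = "HIGH" if (action, resource) in high_risk else "info"
        print(f"[{flag}] unexpected grant: {action} on {resource}")
    if removed:
        print("missing from role:", sorted(removed))
```

Run against a saved baseline after each webserver restart, any `HIGH` line marks a role that can now change or delete state it was never granted.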
@dakov

dakov commented Jul 29, 2020

Happens to me on 1.10.11 with can delete on Airflow and muldelete on DagRunModelView. Also when I create a new empty role it is (within seconds) populated with a whole set of "default(?)" permissions. I guess that when I remove one of them, it is recreated after some cycle. It doesn't happen with the public role which remains empty.

@domagojulamec

domagojulamec commented Aug 7, 2020

This happened to me on these three versions on which I tested RBAC: 1.10.5 & 1.10.8 & 1.10.11.
On 1.10.8 it somehow managed to not populate it a few times I logged in/out and then all of a sudden it did it again.

Any clues? Could this be an external thing, such as javascript or something that populates the role window?

Other people have had this issue on version 1.10.6:
https://stackoverflow.com/questions/60100536/apache-airflow-some-permissions-on-new-role-are-reset

This is a serious issue, RBAC is not RBAC with this bug.

@dakov

dakov commented Aug 7, 2020

I believe it's happening here https://github.com/apache/airflow/blob/1.10.11/airflow/www_rbac/security.py#L373 . I didn't really have time to study the method properly (it's a bit too complex), to provide a fix. But essentially, this method is called periodically and if a role is in the EXISTING_ROLES list, it gets "synced" with permissions defined here - https://github.com/apache/airflow/blob/1.10.11/airflow/www_rbac/security.py#L160 .

If a role is not in the list, its permission gets generated by the method and synced. I believe it's during this process when permissions are added to the role automatically.

My hot fix is that I created a custom role, I defined it the same way as default roles are (as shown in the 2nd link) and I added the role to the EXISTING_ROLES list. This way I cannot modify its permission in UI, but at least the role has exactly the permission I need.

@domagojulamec

@dakov, your workaround worked for me.
I created a new Role thru GUI, assigned it to a user.
It populated it with all sorts of unwanted permissions.
Went to edit security.py and added the name of the new Role to the EXISTING_ROLES array.
Returned to GUI to fix the permissions of the role.
Now they stick like glue.

Currently in the process of testing all sorts of cases to see if it will repopulate with unwanted permissions.

@ervazquez

I believe it's happening here https://github.com/apache/airflow/blob/1.10.11/airflow/www_rbac/security.py#L373 . I didn't really have time to study the method properly (it's a bit too complex), to provide a fix. But essentially, this method is called periodically and if a role is in the EXISTING_ROLES list, it gets "synced" with permissions defined here - https://github.com/apache/airflow/blob/1.10.11/airflow/www_rbac/security.py#L160 .

If a role is not in the list, its permission gets generated by the method and synced. I believe it's during this process when permissions are added to the role automatically.

My hot fix is that I created a custom role, I defined it the same way as default roles are (as shown in the 2nd link) and I added the role to the EXISTING_ROLES list. This way I cannot modify its permission in UI, but at least the role has exactly the permission I need.

@dakov I've been experiencing similar issues creating roles and getting them to work using the Airflow UI (version 1.10.11). I want to test your method. I tried the following:

  1. modifying the script ./venv/lib/python3.7/site-packages/airflow/www_rbac/security.py which is what I believe you were suggesting.
  2. Running airflow sync_perm in the webserver

Does not seem to be working for me. Please let me know if I'm missing something here.

@avenkatraman

Can any of the devs comment on a workaround that doesn't involve modifying the Airflow source code? Preventing users from deleting Airflow DAGs, DAGRuns, etc should be easy to do.

@mik-laj mik-laj added area:API Airflow's REST/HTTP API area:webserver Webserver related Issues labels Jan 20, 2021
@kaxil
Member

kaxil commented Jan 21, 2021

@jhtimmins Can you please replicate it on 1.10.14 and 2.0.0 and take a deeper look at this -- hopefully we can fix it for 1.10.15 and 2.0.1

@kaxil kaxil modified the milestones: Airflow 1.10.15, Airflow 2.0.1 Jan 21, 2021
@jhtimmins
Contributor

@kaxil The bug seems related to the method create_custom_dag_permission_view. I don't quite follow the logic of the method though, as it seems to reference outdated behaviors. Do you know if there used to be dag-specific roles?

https://github.com/apache/airflow/blame/master/airflow/www/security.py#L449

@kaxil
Member

kaxil commented Jan 22, 2021

https://github.com/apache/airflow/blame/master/airflow/www/security.py#L449

I think it just means creating a new role with Dag-level permissions as explained in https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html#dag-level-role

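We could also define access control for that DAG in the DAG itself:

```python
from datetime import datetime, timedelta

from airflow import DAG
from airflow.security import permissions

with DAG(
    dag_id='simple_dag',
    default_args={
        "retries": 1,
        "retry_delay": timedelta(minutes=5),
        "depends_on_past": False,
    },
    start_date=datetime(2019, 8, 1),
    is_paused_upon_creation=False,
    # Grant the role "test_role" read and edit access to this DAG only
    access_control={"test_role": {permissions.ACTION_CAN_READ, permissions.ACTION_CAN_EDIT}},
) as dag:
    pass  # tasks omitted
```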

@jhtimmins
Contributor

@kaxil Ok, thanks for clarifying. I think the original model is confusing, because "Dag roles" aren't any different than other roles. You can create custom roles with any permissions you want.

And yikes, I didn't realize you could handle access control on the actual DAG. That majorly bums me out.

kaxil pushed a commit that referenced this issue Jan 29, 2021
kaxil pushed a commit that referenced this issue Feb 4, 2021