Fix ui get dags permission endpoint for user without dag run permissions#60979
Merged
pierrejeambrun merged 1 commit intoapache:mainfrom Jan 23, 2026
Merged
Conversation
pierrejeambrun
requested review from
bugraoz93,
choo121600,
ephraimbuddy,
jason810496,
rawwar and
shubhamraj-git
as code owners
pierrejeambrun
added
the
backport-to-v3-1-test
Backport successfully created: v3-1-test
|
github-actions bot
pushed a commit
to aws-mwaa/upstream-to-airflow
that referenced
this pull request
Jan 23, 2026
…run permissions (apache#60979) (cherry picked from commit cb8debb) Co-authored-by: Pierre Jeambrun <pierrejbrun@gmail.com>
suii2210
pushed a commit
to suii2210/airflow
that referenced
this pull request
Jan 26, 2026
shreyas-dev
pushed a commit
to shreyas-dev/airflow
that referenced
this pull request
Jan 29, 2026
jhgoebbert
pushed a commit
to jhgoebbert/airflow_Owen-CH-Leung
that referenced
this pull request
Feb 8, 2026
choo121600
pushed a commit
to choo121600/airflow
that referenced
this pull request
Feb 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The problem:
A user that lacks permissions on 'dag runs' cannot see the list dags in the UI at all.
At first I considered simply filtering the 'recent_dag_runs' in the response based on the
read on DagRunpermissions. So you wouldn't get a 403, but just an empty list of 'recent runs' for each dags returned. Most likely updating thereadable_dag_runs_filterto take into consideration theaccess entity. This propagate down to auth manager implementation since we need to be able to pass AccessEntity toget_authorized_dag_ids. The base implementation is fine, the fab auth manager overriding is a problem. Also this will bring backward compatibility issues (core will try to pass an extra argument to the provider, which can be missing on older version). I dropped this idea.Another option is to simply inline a call in the for loop to filter dag runs based on runs permissions, something like:
But since there are possibly a lot of runs in the
recent_dag_runsobject and this adds multiple db queries (get_team, and then is_authorized_dag), that could possibly explode the number of db request.The approach I opted for is much simpler. This just considers that having "Dag" access on a dag, gives you the permissions to see a 'summary' representation of the recent Runs associated to the Dag. The endpoint returns nested
DAGRunLightResponsewhich is a really light representation of a Run. (Btw it is already king the case because having access to all dags, but only to a particular dag runs will still return the full reponse with all recent runs of all dags, that's because get_authorized_dag_ids don't handle access entity).