Skip to content

Comments

Fix ui get dags permission endpoint for user without dag run permissions#60979

Merged
pierrejeambrun merged 1 commit intoapache:mainfrom
astronomer:fix-ui-get-dags-permissions
Jan 23, 2026
Merged

Fix ui get dags permission endpoint for user without dag run permissions#60979
pierrejeambrun merged 1 commit intoapache:mainfrom
astronomer:fix-ui-get-dags-permissions

Conversation

@pierrejeambrun
Copy link
Member

@pierrejeambrun pierrejeambrun commented Jan 23, 2026

The problem:
A user that lacks permissions on 'dag runs' cannot see the list dags in the UI at all.

At first I considered simply filtering the 'recent_dag_runs' in the response based on the read on DagRun permissions. So you wouldn't get a 403, but just an empty list of 'recent runs' for each dags returned. Most likely updating the readable_dag_runs_filter to take into consideration the access entity. This propagate down to auth manager implementation since we need to be able to pass AccessEntity to get_authorized_dag_ids. The base implementation is fine, the fab auth manager overriding is a problem. Also this will bring backward compatibility issues (core will try to pass an extra argument to the provider, which can be missing on older version). I dropped this idea.

Another option is to simply inline a call in the for loop to filter dag runs based on runs permissions, something like:

    for row in recent_dag_runs:
        is_authorized_runs = get_auth_manager().is_authorized_dag(
            method="GET",
            access_entity=DagAccessEntity.RUN,
            details=DagDetails(id=dag_id, team_name=DagModel.get_team_name(row.dag_id, session=session)),
            user=user,
        )
        
        if not is_authorized_runs:
            continue

But since there are possibly a lot of runs in the recent_dag_runs object and this adds multiple db queries (get_team, and then is_authorized_dag), that could possibly explode the number of db request.

The approach I opted for is much simpler. This just considers that having "Dag" access on a dag, gives you the permissions to see a 'summary' representation of the recent Runs associated to the Dag. The endpoint returns nested DAGRunLightResponse which is a really light representation of a Run. (Btw it is already king the case because having access to all dags, but only to a particular dag runs will still return the full reponse with all recent runs of all dags, that's because get_authorized_dag_ids don't handle access entity).

Copy link
Contributor

@vincbeck vincbeck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense

@pierrejeambrun pierrejeambrun merged commit cb8debb into apache:main Jan 23, 2026
128 checks passed
@pierrejeambrun pierrejeambrun deleted the fix-ui-get-dags-permissions branch January 23, 2026 17:13
@pierrejeambrun pierrejeambrun added the backport-to-v3-1-test Mark PR with this label to backport to v3-1-test branch label Jan 23, 2026
@pierrejeambrun pierrejeambrun added this to the Airflow 3.1.7 milestone Jan 23, 2026
github-actions bot pushed a commit that referenced this pull request Jan 23, 2026
…run permissions (#60979)

(cherry picked from commit cb8debb)

Co-authored-by: Pierre Jeambrun <pierrejbrun@gmail.com>
@github-actions
Copy link

Backport successfully created: v3-1-test

Status Branch Result
v3-1-test PR Link

github-actions bot pushed a commit to aws-mwaa/upstream-to-airflow that referenced this pull request Jan 23, 2026
…run permissions (apache#60979)

(cherry picked from commit cb8debb)

Co-authored-by: Pierre Jeambrun <pierrejbrun@gmail.com>
jason810496 pushed a commit that referenced this pull request Jan 25, 2026
…run permissions (#60979) (#60988)

(cherry picked from commit cb8debb)

Co-authored-by: Pierre Jeambrun <pierrejbrun@gmail.com>
suii2210 pushed a commit to suii2210/airflow that referenced this pull request Jan 26, 2026
shreyas-dev pushed a commit to shreyas-dev/airflow that referenced this pull request Jan 29, 2026
jhgoebbert pushed a commit to jhgoebbert/airflow_Owen-CH-Leung that referenced this pull request Feb 8, 2026
choo121600 pushed a commit to choo121600/airflow that referenced this pull request Feb 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:API Airflow's REST/HTTP API backport-to-v3-1-test Mark PR with this label to backport to v3-1-test branch

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants