Could not get DAG access permission after upgrade to 2.3.0

[leehuwuj]

Apache Airflow version

2.3.0 (latest released)

What happened

I upgraded my airflow instance from version 2.1.3 to 2.3.0 but got issue that there are no permission for new DAGs.
The issue only happens in DAG which has dag_id contains dot symbol.

What you think should happen instead

There should be 3 new permissions for a DAG.

How to reproduce

• Create a new DAG with id, lets say: dag.id_1
• Go to the UI -> Security -> List Role
• Edit any Role
• Try to insert permissions of new DAG above to chosen role.
  -> Could not get any permission for created DAG above.
  There are 3 DAG permissions named can_read_DAG:dag, can_edit_DAG:dag, can_delete_DAG:dag
  There should be 3 new permissions: can_read_DAG:dag.id_1, can_edit_DAG:dag.id_1, can_delete_DAG:dag.id_1

Operating System

Kubernetes

Versions of Apache Airflow Providers

No response

Deployment

Official Apache Airflow Helm Chart

Deployment details

No response

Anything else

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template!

[ashb]

. in DAG id I thought was reserved for subdags -- is this a subdag or a normal dag with a dot in the id?

[leehuwuj]

. in DAG id I thought was reserved for subdags -- is this a subdag or a normal dag with a dot in the id?

It just a normal dag with dot in the id. Since all dags in my airflow instance are all followed by this convention: team_name.dag_name
Example:
de.daily_ingest_pipeline
ds.daily_training_pipeline

[ashb]

Gotcha.

How are you trying to insert the roles/permissions?

[leehuwuj]

How are you trying to insert the roles/permissions?

Actually, I wrote a trigger script at database level which assigns DAG permissions for target role based on team_name pattern in DAG id that i mentioned above. Of course my scripts could not works since there is no new DAG id followed by that convention in ab_view_menu table.
And i also can not do it in UI as mentioned in the issue description.

By the way, i also added a pattern to the issue that there's DAG permissions which have wrong dag_id in theirs name. Please check again. I think Airflow tried to create dag permission but got issue with dot symbol in dag_id.

[ashb]

It would have the same problem with dots, but rather than a database level trigger you could use the access_control field of the DAG set automatically via a https://airflow.apache.org/docs/apache-airflow/stable/concepts/cluster-policies.html