This issue was moved to a discussion.

Failed to manage per-DAG permission in clearing DAG run #25560

Closed
twang90 opened this issue Aug 5, 2022 · 5 comments
twang90 commented Aug 5, 2022

Apache Airflow version

Other Airflow 2 version

What happened

I am using Airflow 2.2.4 and I am trying to achieve per-DAG permissions. I want to give a role permissions to clear some DAG's status on the UI (so that they can re-run a task). According to https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html#dag-level-role, "Clear DAG run" requires "DAGs.can_edit, Task Instances.can_delete", but when I gave the role permissions to can edit on DAG:xxx, can delete on Task Instances, it can clear DAG runs on all DAGs. I am wondering if it's a bug, or if there are some other ways to achieve this. Thanks!

What you think should happen instead

When I gave the role permissions to can edit on DAG:xxx, can delete on Task Instances, the role can clear the task status on DAG xxx, but it can't clear status on any other DAGs.

How to reproduce

On an existing Airflow service,

  1. Use an account with Admin role, create a new role, e.g. TestClearRole
  2. Pick a DAG, e.g. DagToTest; assume it has other DAGs, e.g. DagWithoutPermission.
  3. Add TestClearRole with permissions, can edit on DAG:DagToTest, can delete on Task Instances
  4. Using an account with TestClearRole role, clear the status of one task in DagWithoutPermission. The user should have permissions to clear its status. But I think the right behavior should be that the user cannot.

Operating System

Airflow UI

Versions of Apache Airflow Providers

No response

Deployment

Official Apache Airflow Helm Chart

Deployment details

No response

Anything else

No response

Are you willing to submit PR?

  • Yes I am willing to submit a PR!


twang90 added the area:core and kind:bug labels Aug 5, 2022

boring-cyborg bot commented Aug 5, 2022

Thanks for opening your first issue here! Be sure to follow the issue template!

potiuk (Member) commented Aug 6, 2022

Feel free to take a look and see if you can provide a PR.

twang90 (Author) commented Aug 8, 2022

#16634 seemed to have fixed this problem but I observed a different behavior. I am not sure if I understand the documentation correctly. I am not very familiar with the Airflow code, so not sure if I can fix it or not.

Jorricks (Contributor) commented Aug 9, 2022

Are you sure that the user you are mentioning in your example only has TestClearRole? It's relatively easy to get lost in this but if your user has multiple roles, it's probably the other roles that give him access to clear it.

For reference: we are on 2.2.3 and it works like a charm. We are managing around 200 users without any issues.

twang90 (Author) commented Aug 9, 2022

Thanks for the reply. The user has TestClearRole and Viewer role, so I think Viewer should not give them access to clear other DAGs. Not sure what's going on...

apache locked and limited conversation to collaborators Feb 6, 2023

eladkal converted this issue into discussion #29387 Feb 6, 2023
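The multi-role question raised in the thread can be checked by listing which role contributes each permission that "Clear DAG run" needs. The following is an added example, not part of the original thread and not Airflow's own code: a simplified model that assumes a user's effective permissions are the union of their roles and that `can_edit` on the global `DAGs` resource covers every DAG. The role contents are constructed sample data and `LegacyOps` is a hypothetical role.

```python
"""Simplified model of role-union permission checks (not Airflow's code)."""

# Requirement quoted on this page from the Airflow access-control docs:
# "Clear DAG run" needs DAGs.can_edit and Task Instances.can_delete.
GLOBAL_DAGS = "DAGs"          # resource covering every DAG (assumption)
DAG_PREFIX = "DAG:"           # prefix of a per-DAG resource, e.g. DAG:DagToTest
TASK_INSTANCES = "Task Instances"

# Constructed sample data: role name -> set of (action, resource) pairs.
ROLES = {
    "TestClearRole": {("can_edit", "DAG:DagToTest"),
                      ("can_delete", TASK_INSTANCES)},
    "Viewer": {("can_read", GLOBAL_DAGS), ("can_read", TASK_INSTANCES)},
    # Hypothetical extra role that holds the global edit permission.
    "LegacyOps": {("can_edit", GLOBAL_DAGS)},
}


def granting_roles(user_roles, action, resources):
    """Return the sorted role names that hold `action` on any of `resources`."""
    return sorted(
        name for name in user_roles
        if any((action, res) in ROLES[name] for res in resources)
    )


def explain_clear_access(user_roles, dag_id):
    """Report whether the union of roles allows clearing `dag_id`, and why."""
    edit = granting_roles(user_roles, "can_edit",
                          [GLOBAL_DAGS, DAG_PREFIX + dag_id])
    delete = granting_roles(user_roles, "can_delete", [TASK_INSTANCES])
    return {"allowed": bool(edit and delete),
            "can_edit_from": edit, "can_delete_from": delete}


def audit(user_roles, dag_ids):
    """Map each DAG id to its explanation for one user's role set."""
    return {dag_id: explain_clear_access(user_roles, dag_id)
            for dag_id in dag_ids}


if __name__ == "__main__":
    dags = ["DagToTest", "DagWithoutPermission"]
    for roles in (["TestClearRole", "Viewer"],
                  ["TestClearRole", "Viewer", "LegacyOps"]):
        for dag_id, result in audit(roles, dags).items():
            print(roles, dag_id, result)
```

To audit a real deployment, the same breakdown can be applied to the role and permission lists shown in the Airflow UI for the affected user.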
