Require can_edit on DAG privileges to modify TaskInstances and DagRuns

[Jorricks]

All permissions for modifying Task Instances or modifying Dag Runs as of today require dag_read permissions on the DAG and the corresponding action permission.
A full overview is shown at the Access Control page of Airflow

It feels to me as in that case the whole dag_edit base_permission is undervalued in this case and the dag_view base_permission gives too much actual permissions.

Imagine the following setup:

• Everyone is able to see each others DAGs
• Some people should be able to modify their own DAGs
• They should not be able to modify their neighbours DAGs

This setup is currently not supported.
As a work around, on my work setup I currently implemented a SQLAlchemy listener to block update operations on TaskInstances where a user doesn't have can_edit privilege on this specific DAG.
Therefore this PR changes the following items(copied from the link above) to require DAGS.can_edit where it currently says DAGS.can_read privileges.

Currently:

Action	Permissions	Minimum Role
Clear DAG	DAGs.can_read, Task Instances.can_delete	User
Clear DAG Run	DAGs.can_read, Task Instances.can_delete	User
Mark DAG as blocked	Dags.can_read, DAG Runs.can_read	User
Mark DAG Run as failed	Dags.can_read, DAG Runs.can_edit	User
Mark DAG Run as success	Dags.can_read, DAG Runs.can_edit	User
Clear Task Instance	DAGs.can_read, DAG Runs.can_read, Task Instances.can_edit	User
Triggers Task Instance	DAGs.can_read, Task Instances.can_create	User
Mark Task as failed	DAGs.can_read, Task Instances.can_edit	User
Mark Task as success	DAGs.can_read, Task Instances.can_edit	User

Updated:

Action	Permissions	Minimum Role
Clear DAG	DAGs.can_edit, Task Instances.can_delete	User
Clear DAG Run	DAGs.can_edit, Task Instances.can_delete	User
Mark DAG as blocked	Dags.can_edit, DAG Runs.can_read	User
Mark DAG Run as failed	Dags.can_edit, DAG Runs.can_edit	User
Mark DAG Run as success	Dags.can_edit, DAG Runs.can_edit	User
Clear Task Instance	DAGs.can_edit, Task Instances.can_edit	User
Triggers Task Instance	DAGs.can_edit, Task Instances.can_create	User
Mark Task as failed	DAGs.can_edit, Task Instances.can_edit	User
Mark Task as success	DAGs.can_edit, Task Instances.can_edit	User

If there is interest in merging this PR, I will also make a corresponding PR on the docs side to update the page.

[ashb]

• Everyone is able to see each others DAGs
• Some people should be able to modify their own DAGs
• They should not be able to modify their neighbours DAGs

Oh yes, this should totally be supported.

[ashb]

At the very least this is going to need some tests to ensure that the behaviour you describe works, and continues to work :)

[uranusjr]

It feels weird to me actions that operate on DagRun and TaskInstance need edit permission on the DAG, since they don’t change things in it.

[ashb]

It feels weird to me actions that operate on DagRun and TaskInstance need edit permission on the DAG, since they don’t change things in it.

I agree, which is why it probably doesn't have it right now, but the only way to express "you have edit on Dag X, but not Dag Y" and have that apply to TaskInstances/DagRuns that I can think of would be a change like this

[Jorricks]

At the very least this is going to need some tests to ensure that the behaviour you describe works, and continues to work :)

It already has quite some tests in there.
But I will create extra tests to show that the standard can_read permissions now fails.

[Jorricks]

I updated the PR today (26 June) with the following:

1. Inside the views, we already had the DagEditFilter. However, FlaskAppbuilder doesn't do the extra checks to verify that the items you are modifying/adding/deleting are inside the BaseFilter. Therefore, I created another abstraction for the view which checks for add/update/delete options that the user has can_edit access on the DAG the item he is accessing belongs to. If there was someone who still tried to cheat by changing primary keys in the front end with an HTML editor (add/update/delete a DAG he doesn't have edit access on), he will get an error message :)
2. For the actions, it is the same thing. However, there is no way within Flask Appbuilder to check the items you are working with before entering the function (without using wrapper). Hence, of course I created wrapper. For all items provided/selected, it checks that the user had can_edit access on the DAG it is a part of.
3. I implemented tests. For both DagRun and TaskInstance I created tests for deleting. For DagRun also for adding. Furthermore I also created the tests for all actions of both views to verify the behaviour of the actions.

[Jorricks]

Rebased PR to latest main and squashed commits.

[Jorricks]

Rebased PR to latest main again.
Does anyone have any tips on how I can give this PR to have more exposure :)?

[kaxil]

cc @jhtimmins Can you take a look at this please

[Jorricks]

Given the SQLite CI/CD pipeline was successful, I think it's safe to say I fixed the tests that were failing.
The rest of the failed pipelines I can't find an error message related to my changes.

[twang90]

@Jorricks Thanks for putting together this PR. Just want to make sure I understand it correctly. With your PR merged, do I expect users without dag edit permission but with task instance delete permission can not delete a task instance, right? i.e. the behavior matches the documentation? Do I need any workaround like the SQLAlchemy listener you mentioned in the original post? Thanks!

[Jorricks]

Hi @twang90,

First of all, this has been merged a long time ago just before 2.1.0 if I remember correctly.
Furthermore, your assumption is correct and you will not need the sqlalchemy listener either because that behavior is now inside the UI already.