potiuk commented on code in PR #34317:
URL: https://github.com/apache/airflow/pull/34317#discussion_r1355907009
##########
airflow/api_connexion/endpoints/task_instance_endpoint.py:
##########
@@ -527,13 +497,8 @@ def post_clear_task_instances(*, dag_id: str, session:
Session = NEW_SESSION) ->
)
-@security.requires_access(
- [
- (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG),
- (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_RUN),
- (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_TASK_INSTANCE),
- ],
-)
+@security.requires_access_dag("GET", DagAccessEntity.RUN)
+@security.requires_access_dag("PUT", DagAccessEntity.TASK_INSTANCE)
Review Comment:
This is also wrong. I personally think the case where you can "read" dag_run
but "update" TASK_INSTANCE is unrealistic and actually wrong.
When you look deeply into set_task_instance_state you will find out that in
some cases it can lead to creating dag_runs (for subtasks).
```
set_state -> _iter_subdag_run_ids
```
from `_iter_subdag_run_ids`
```python
if isinstance(current_task, SubDagOperator) or
current_task.task_type == "SubDagOperator":
# this works as a kind of integrity check
# it creates missing dag runs for subdag operators,
# maybe this should be moved to dagrun.verify_integrity
dag_runs = _create_dagruns(
current_task.subdag,
infos=confirmed_infos,
state=DagRunState.RUNNING,
run_type=DagRunType.BACKFILL_JOB,
)
verify_dagruns(dag_runs, commit, state, session,
current_task)
dags.append(current_task.subdag)
yield current_task.subdag.dag_id
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
