potiuk commented on code in PR #34317:
URL: https://github.com/apache/airflow/pull/34317#discussion_r1355923325


##########
airflow/api_connexion/endpoints/task_instance_endpoint.py:
##########
@@ -61,13 +61,8 @@
 T = TypeVar("T")
 
 
-@security.requires_access(
-    [
-        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
-        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_RUN),
-        (permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_INSTANCE),
-    ],
-)
+@security.requires_access_dag("GET", DagAccessEntity.RUN)
+@security.requires_access_dag("GET", DagAccessEntity.TASK_INSTANCE)
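
Review bot: the removed list required ACTION_CAN_READ on RESOURCE_DAG as well as on RESOURCE_DAG_RUN and RESOURCE_TASK_INSTANCE, but the two added decorators name only DagAccessEntity.RUN and DagAccessEntity.TASK_INSTANCE, so nothing visible in this hunk shows that read access to the DAG itself is still enforced. If requires_access_dag checks the parent DAG implicitly, state that in its docstring and cover it with a test for a user who holds run and task-instance read but not DAG read; otherwise add an explicit DAG-level check here. The HTTP method is also passed as the bare string "GET"; a typed constant or a Literal annotation would let a typo be caught statically.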

Review Comment:
   BTW. This also reflects the change in the new approach of the permission 
model after AIP-56 implementation. We are no longer "resource" driven. We are 
"action" driven. Auth manager should not be checking if you have access to 
specific **resources**; it instead checks if you are allowed to execute a 
specific **action**. 
   
   Rather than enumerating the resources necessary to execute the action, auth 
manager simply responds to the question "can this user execute this action?". 
For example:
   
   * Is the user able to "modify" this task_instance (and all that it implies)?
   * Is the user able to "read" this dag run (and all that it implies)? 
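
The action-driven check described in the comment above, as an added toy example that is not part of the original comment and is not Airflow's implementation. `ToyAuthManager`, `User`, the grant tuples and the rule that acting on a sub-entity also requires access to the DAG itself are assumptions made for illustration; only the decorator and enum names mirror the diff.

```python
from dataclasses import dataclass, field
from enum import Enum
from functools import wraps


class DagAccessEntity(Enum):  # name mirrors the diff; this definition is a stand-in
    RUN = "RUN"
    TASK_INSTANCE = "TASK_INSTANCE"


@dataclass
class User:  # hypothetical user model
    name: str
    grants: set = field(default_factory=set)  # {(method, entity or None, dag_id)}


class ToyAuthManager:
    """Hypothetical auth manager: answers "can this user execute this action?"."""

    def is_authorized_dag(self, user, method, entity, dag_id):
        # Assumed policy for "and all that it implies": a sub-entity action
        # also needs the same method on the DAG itself.
        on_dag = (method, None, dag_id) in user.grants
        if entity is None:
            return on_dag
        return on_dag and (method, entity, dag_id) in user.grants


AUTH_MANAGER = ToyAuthManager()


def requires_access_dag(method, entity=None):
    """Toy decorator: the endpoint names the action, the manager decides."""
    def decorator(func):
        @wraps(func)
        def wrapper(user, dag_id, *args, **kwargs):
            if not AUTH_MANAGER.is_authorized_dag(user, method, entity, dag_id):
                raise PermissionError(f"{user.name}: {method} {entity} on {dag_id} denied")
            return func(user, dag_id, *args, **kwargs)
        return wrapper
    return decorator


@requires_access_dag("GET", DagAccessEntity.RUN)
@requires_access_dag("GET", DagAccessEntity.TASK_INSTANCE)
def get_task_instance(user, dag_id, task_id):
    return {"dag_id": dag_id, "task_id": task_id}
```

The endpoint never lists resources, so changing what an action implies means changing the manager only, and stacked decorators must all pass before the handler runs.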
   


