potiuk commented on code in PR #34317: URL: https://github.com/apache/airflow/pull/34317#discussion_r1355923325
########## airflow/api_connexion/endpoints/task_instance_endpoint.py: ########## @@ -61,13 +61,8 @@ T = TypeVar("T") -@security.requires_access( - [ - (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG), - (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_RUN), - (permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_INSTANCE), - ], -) +@security.requires_access_dag("GET", DagAccessEntity.RUN) +@security.requires_access_dag("GET", DagAccessEntity.TASK_INSTANCE) Review Comment: BTW. This also reflects the change in the new approach of the permission model after AIP-56 implementation. We are no more "resource" driven. We are "action" driven. Auth manager should not be checking if you are access to specrific **resources**, it instead checks if you are allowed to execute specific **action**. Rather than enumerating the resources necessary to execute the action, auth manager simply responds to the question "can this user execute this action?". For example: * Is the user able to "modify" this task_instance (and all that it implies)? * Is the user able to "read" this dag run (and all that it implies)? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org