vincbeck commented on issue #53936: URL: https://github.com/apache/airflow/issues/53936#issuecomment-3145637598
While working on this issue I am wondering something. Let's take the "list dags" example. When the user lists dags, we check whether the user has permissions to list dags. To do that, we actually check whether the user has access to at least one dag with `auth_manager.get_authorized_dag_ids(user=user, method=method) > 0`. If they do have access to at least one dag, then the list of authorized dags is returned to the user. To return the list of authorized dags to the user, Airflow uses the same function used to figure out whether the user had access to list dags: `auth_manager.get_authorized_dag_ids(user=user, method=method)`.

I am wondering if it actually makes sense to check whether the user is authorized to list dags, because the API returns only the dags the user has access to anyway. What if we remove the authz check on the list dags API? The consequence would be that, instead of getting a 403, the user would get an empty list of DAGs. In a way, in a fine-grained access context, it makes more sense. Let's say I am a user who has access to the Dag `test` only, but this Dag does not exist (or has been removed) in the Airflow environment. In the current implementation, if I list Dags, I'll get a 403, but does that make sense? I have permissions to access Dags, I just happen to not have access to the Dags existing in the environment.

Sorry for this somewhat philosophical message. What do you think?
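To make the two behaviours discussed in the comment concrete, here is an added example (not Airflow's code, and not part of the original comment). It models a hypothetical `AuthManager` with a `get_authorized_dag_ids(user, method)` method and a `User` carrying per-method DAG grants, both invented for illustration, and puts the current "check, then filter" endpoint next to the proposed "filter only" endpoint. The edge case from the comment, a user whose only granted DAG `test` does not exist in the environment, is the interesting input.

```python
"""Check-then-filter versus filter-only authorization for a "list DAGs"
endpoint. Illustrative stand-ins only; the real Airflow API is not
reproduced here.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""


@dataclass
class User:
    name: str
    # Hypothetical: DAG ids this user may act on, keyed by method (e.g. "GET").
    grants: dict[str, set[str]] = field(default_factory=dict)


class AuthManager:
    """Hypothetical stand-in for an auth manager; the only method the two
    endpoints below rely on is get_authorized_dag_ids."""

    def __init__(self, existing_dag_ids: set[str]):
        # DAG ids currently present in the environment.
        self.existing_dag_ids = existing_dag_ids

    def get_authorized_dag_ids(self, user: User, method: str) -> set[str]:
        # Only DAGs that both exist and are granted to the user for this method.
        return user.grants.get(method, set()) & self.existing_dag_ids


def list_dags_check_then_filter(auth_manager: AuthManager, user: User,
                                method: str = "GET") -> list[str]:
    """Current behaviour described in the comment: first require that the
    user can reach at least one DAG (403 otherwise), then return the
    authorized subset. Both steps call the same function."""
    authorized = auth_manager.get_authorized_dag_ids(user=user, method=method)
    if len(authorized) == 0:
        raise Forbidden("user has no authorized DAGs")
    return sorted(auth_manager.get_authorized_dag_ids(user=user, method=method))


def list_dags_filter_only(auth_manager: AuthManager, user: User,
                          method: str = "GET") -> list[str]:
    """Proposed behaviour: drop the separate check; the filtered list is the
    authorization decision. A user with no reachable DAGs gets []."""
    return sorted(auth_manager.get_authorized_dag_ids(user=user, method=method))


if __name__ == "__main__":
    # Constructed sample environment with two DAGs.
    am = AuthManager(existing_dag_ids={"etl_daily", "reporting"})
    alice = User("alice", grants={"GET": {"etl_daily"}})
    # bob is granted only "test", which does not exist in the environment.
    bob = User("bob", grants={"GET": {"test"}})

    print(list_dags_filter_only(am, alice))   # ['etl_daily'] under either policy
    print(list_dags_filter_only(am, bob))     # [] instead of a 403
    try:
        list_dags_check_then_filter(am, bob)
    except Forbidden as exc:
        print("check-then-filter:", exc)
```

The two endpoints agree for every user who can reach at least one existing DAG; they differ only for users whose authorized set is empty, where one returns 403 and the other an empty list. The filter-only variant is only equivalent in what it exposes because the filter and the check are the same function; if the list endpoint ever filtered on something other than `get_authorized_dag_ids`, dropping the explicit check would change what is returned, not just the status code.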
