potiuk opened a new issue, #67461:
URL: https://github.com/apache/airflow/issues/67461
## Background
The public Import Errors API resolves each `ParseImportError` to a set
of `DagModel` rows via `(relative_fileloc, bundle_name)` and applies
per-Dag authorization on the resulting set. There is one case the
current code cannot authorize cleanly: a parse error for a file that
has **no** `DagModel` rows yet — for example, a brand-new file that
failed to parse before any Dag was defined, or a file whose Dags were
all removed.
The single endpoint and the list endpoint currently return the raw
stacktrace in this case. That is the same behavior the endpoints had
before the per-file authorization work landed, and it is what the
follow-up PR restores while a proper design is in place.
## Why a follow-up
Two things make a proper fix non-trivial:
1. **There is no per-file permission today.** Authorization on import
errors is derived from per-Dag read permission, but a file with no
Dag has nothing to derive from. The right answer is a dedicated
"view all import errors" permission rather than overloading the
existing per-Dag check.
2. **Multi-team isolation needs to be respected.** Once such a
permission exists it must be scoped per team (so a team admin sees
import errors for files owned by their team, not other teams). The
per-file ownership signal for unregistered files needs to come from
the bundle / team mapping rather than from `DagModel`.
## Proposed direction
- Introduce a new `AccessView` (working name: `IMPORT_ERRORS_ALL`, or a
resource-action pair on `IMPORT_ERRORS`) that grants visibility to
import errors whose file has no registered Dag.
- Default-grant the new permission to the admin role only.
- Wire the per-file authorization in
`airflow-core/src/airflow/api_fastapi/core_api/routes/public/import_error.py`
so that, when `file_dag_ids` is empty, the response is conditioned on
the caller holding the new permission — returning the raw stacktrace
when they do, redacting (or 403'ing) when they don't.
- For multi-team deployments, scope the new permission per team using
the bundle → team mapping, so a team admin only sees unregistered-file
errors that belong to their team.
- Update the public-API docs and any auth-manager implementations
(FAB, Keycloak, simple) to declare and surface the new permission.
## Acceptance criteria
- New permission exists in `AccessView` and is declared by every
bundled auth manager.
- Default role mappings grant it to admins only.
- Single and list endpoints return the raw stacktrace for files with
no registered Dag **only** when the caller has the permission;
otherwise the file is redacted or hidden, with the team scoping
applied where applicable.
- Tests cover: admin sees the raw error, non-admin does not, team-A
admin does not see team-B unregistered files.
## Related
- Follow-up PR removing the temporary redact-when-no-Dag fallback so
the API behaves the same as before per-file authorization was
introduced for that specific case: (link will be added once PR opens)
---
Drafted-by: Claude Code (Opus 4.7); reviewed by @potiuk before posting
--
This is an automated message from the Apache Git Service.
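The authorization rule the issue proposes, modelled as a small self-contained Python example. This is an added illustration, not Airflow code and not the follow-up PR: `AccessView.IMPORT_ERRORS_ALL`, the `Caller` shape, the `REDACTED` marker, the "all / some / none readable" split for files that do have Dags, the treatment of `teams=None` as a deployment-wide admin, and all sample bundles, files and DAG ids are assumptions made here so the three acceptance-criteria cases can be exercised offline.

```python
"""Hypothetical model of the proposed import-error authorization (not Airflow code)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class AccessView(Enum):
    """Assumed: the new view from the issue, under its working name."""
    IMPORT_ERRORS_ALL = "IMPORT_ERRORS_ALL"


@dataclass(frozen=True)
class ParseImportError:
    id: int
    bundle_name: str
    relative_fileloc: str
    stacktrace: str


@dataclass(frozen=True)
class Caller:
    name: str
    readable_dag_ids: frozenset[str]
    access_views: frozenset[AccessView]
    # Assumption: None models a deployment-wide admin; a set models a team admin.
    teams: frozenset[str] | None = None


REDACTED = "REDACTED - you do not have read permission on all the DAGs in the file"


def visible_stacktrace(
    error: ParseImportError,
    file_dag_ids: frozenset[str],
    bundle_to_team: dict[str, str],
    caller: Caller,
) -> str | None:
    """Decide what one caller may see for one import error.

    Returns the raw stacktrace, the REDACTED marker, or None when the error
    must be hidden from this caller (omitted from the list, 403/404 on single).
    """
    if file_dag_ids:
        # Existing rule as the issue describes it: derive the decision from
        # per-Dag read permission on the Dags registered for the file.
        readable = file_dag_ids & caller.readable_dag_ids
        if readable == file_dag_ids:
            return error.stacktrace
        if readable:
            return REDACTED  # assumed: partial visibility means redact
        return None

    # No DagModel rows: nothing to derive from, so fall back to the proposed
    # dedicated permission instead of overloading the per-Dag check.
    if AccessView.IMPORT_ERRORS_ALL not in caller.access_views:
        return None

    # Multi-team scoping: ownership of an unregistered file comes from the
    # bundle -> team mapping, not from DagModel.
    owner_team = bundle_to_team.get(error.bundle_name)
    if caller.teams is not None and owner_team not in caller.teams:
        return None
    return error.stacktrace


def list_import_errors(errors, file_dag_ids_by_file, bundle_to_team, caller):
    """List-endpoint shape: drop hidden errors, redact or pass through the rest."""
    out = []
    for err in errors:
        key = (err.bundle_name, err.relative_fileloc)
        dag_ids = file_dag_ids_by_file.get(key, frozenset())
        trace = visible_stacktrace(err, dag_ids, bundle_to_team, caller)
        if trace is not None:
            out.append((err.id, trace))
    return out


# Constructed sample data: one registered file and two files with no Dag rows.
BUNDLE_TO_TEAM = {"team-a-bundle": "team-a", "team-b-bundle": "team-b"}
ERRORS = [
    ParseImportError(1, "team-a-bundle", "dags/registered.py", "Traceback: ImportError in registered.py"),
    ParseImportError(2, "team-a-bundle", "dags/brand_new.py", "Traceback: SyntaxError in brand_new.py"),
    ParseImportError(3, "team-b-bundle", "dags/orphan.py", "Traceback: SyntaxError in orphan.py"),
]
FILE_DAG_IDS = {("team-a-bundle", "dags/registered.py"): frozenset({"etl_a", "report_a"})}

GLOBAL_ADMIN = Caller("admin", frozenset({"etl_a", "report_a"}), frozenset({AccessView.IMPORT_ERRORS_ALL}))
TEAM_A_ADMIN = Caller("team-a-admin", frozenset({"etl_a", "report_a"}),
                      frozenset({AccessView.IMPORT_ERRORS_ALL}), frozenset({"team-a"}))
VIEWER = Caller("viewer", frozenset({"etl_a"}), frozenset())

if __name__ == "__main__":
    for who in (GLOBAL_ADMIN, TEAM_A_ADMIN, VIEWER):
        print(who.name, list_import_errors(ERRORS, FILE_DAG_IDS, BUNDLE_TO_TEAM, who))
```

Running it shows the three cases from the acceptance criteria: the deployment-wide admin sees all three raw errors, the team-A admin sees the two team-A errors but not the team-B orphan file, and the viewer sees only a redacted entry for the registered file (they can read one of its two Dags) and nothing for the unregistered files. Whether a hidden result becomes a 403 or a 404 on the single endpoint is left to the caller of `visible_stacktrace`.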