darshil929 commented on PR #69175: URL: https://github.com/apache/airflow/pull/69175#issuecomment-4846788561
Yeah, that's fair, and I think you're right about the consumer side. If you schedule a Dag on an asset, you're basically signing up to be triggered whenever that asset updates, so having the consumer's access_control override that doesn't really make sense. Where I was coming from is more the producer side. Normally, to emit one of these events you'd have to run a producing Dag, which means you need permission on that Dag. The API lets anyone with the global "create on Assets" permission emit the event directly and skip that, and that's the part that felt off to me. It did come up earlier in the thread as something POST should check (https://github.com/apache/airflow/issues/42846#issuecomment-3489814766), so there might be a couple of different views on this. Happy to go with whatever you all land on. If the producer side seems worth tightening, I can trim the PR down to just that check and drop the consumer part. And if you'd rather call the whole thing working as intended, I'm fine closing it out. Just let me know which way you'd prefer. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
