[
https://issues.apache.org/jira/browse/AIRFLOW-4449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16876355#comment-16876355
]
Florian SILVA edited comment on AIRFLOW-4449 at 7/1/19 4:56 PM:
----------------------------------------------------------------
Thanks for opening this ticket, this issue is causing trouble on my side too.
A good first workaround would be to add a config entry to choose a default role
from the one created. You would at least choose general and so custom the
permissions afterward.
Let us know if a workaround or fix is set.
Regards
was (Author: yuupiter):
A good first workaround would be toadd a config entry to choose a default role
from the one created. You would at least choose general and so custom the
permissions afterward.
> Default permissions for custom roles
> ------------------------------------
>
> Key: AIRFLOW-4449
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4449
> Project: Apache Airflow
> Issue Type: Bug
> Components: database, webserver
> Reporter: Alec Taggart
> Assignee: Tao Feng
> Priority: Minor
> Attachments: Custom role post default addition.png, Custom role pre
> default addition.png
>
>
> By default, there are 4 core airflow user roles. These roles are well made
> and perform nicely. However, adding new custom roles seems to (by default)
> apply all "User" permissions to the new custom role. I attached some
> screen-shots showing custom roles being changed by the web server to include
> default "User" permissions. This is an issue as it prevents strict control of
> specific pipelines. At most, default permissions applied to custom roles
> should only include viewing privileges. This way the system admins can add
> read/edit/pause/etc. permissions for specific dags.
>
> I suggest changing the default permissions that are applied to all custom
> roles to a list of permissions similar to the "Viewer" role OR simply do not
> apply default permissions to custom roles and let admins handle assigning
> permissions or multiple custom roles to users. The latter is definitely the
> preferred functionality.
> Please note I am not suggesting a removal on the four base roles that come
> with airflow, simply different behavior when creating new roles.
> Below is a list of changed permissions to apply to custom roles if it is
> decided this is the best approach. (very similar to "Viewer" role)
> [can tries on Airflow, can graph on Airflow, can task on Airflow, can code on
> Airflow, can duration on Airflow, can landing times on Airflow, can pickle
> info on Airflow, can tree on Airflow, can rendered on Airflow, can gantt on
> Airflow, can blocked on Airflow, can task instances on Airflow, can log on
> Airflow, can index on Airflow, can dag stats on Airflow, can get logs with
> metadata on Airflow, can task stats on Airflow, can dag details on Airflow,
> can list on DagModelView, can show on DagModelView, can version on
> VersionView, can list on DagRunModelView, menu access on DAG Runs, menu
> access on Browse, can list on JobModelView, menu access on Jobs, can list on
> LogModelView, menu access on Logs, can list on SlaMissModelView, menu access
> on SLA Misses, can list on TaskInstanceModelView, menu access on Task
> Instances, menu access on Documentation, menu access on Docs, menu access on
> Version, menu access on About]
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
