[ https://issues.apache.org/jira/browse/AIRFLOW-4449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16876355#comment-16876355 ]
Florian SILVA edited comment on AIRFLOW-4449 at 7/1/19 4:56 PM: ---------------------------------------------------------------- Thanks for opening this ticket, this issue is causing trouble on my side too. A good first workaround would be to add a config entry to choose a default role from the one created. You would at least choose general and so custom the permissions afterward. Let us know if a workaround or fix is set. Regards was (Author: yuupiter): A good first workaround would be toadd a config entry to choose a default role from the one created. You would at least choose general and so custom the permissions afterward. > Default permissions for custom roles > ------------------------------------ > > Key: AIRFLOW-4449 > URL: https://issues.apache.org/jira/browse/AIRFLOW-4449 > Project: Apache Airflow > Issue Type: Bug > Components: database, webserver > Reporter: Alec Taggart > Assignee: Tao Feng > Priority: Minor > Attachments: Custom role post default addition.png, Custom role pre > default addition.png > > > By default, there are 4 core airflow user roles. These roles are well made > and perform nicely. However, adding new custom roles seems to (by default) > apply all "User" permissions to the new custom role. I attached some > screen-shots showing custom roles being changed by the web server to include > default "User" permissions. This is an issue as it prevents strict control of > specific pipelines. At most, default permissions applied to custom roles > should only include viewing privileges. This way the system admins can add > read/edit/pause/etc. permissions for specific dags. > > I suggest changing the default permissions that are applied to all custom > roles to a list of permissions similar to the "Viewer" role OR simply do not > apply default permissions to custom roles and let admins handle assigning > permissions or multiple custom roles to users. The latter is definitely the > preferred functionality. > Please note I am not suggesting a removal on the four base roles that come > with airflow, simply different behavior when creating new roles. > Below is a list of changed permissions to apply to custom roles if it is > decided this is the best approach. (very similar to "Viewer" role) > [can tries on Airflow, can graph on Airflow, can task on Airflow, can code on > Airflow, can duration on Airflow, can landing times on Airflow, can pickle > info on Airflow, can tree on Airflow, can rendered on Airflow, can gantt on > Airflow, can blocked on Airflow, can task instances on Airflow, can log on > Airflow, can index on Airflow, can dag stats on Airflow, can get logs with > metadata on Airflow, can task stats on Airflow, can dag details on Airflow, > can list on DagModelView, can show on DagModelView, can version on > VersionView, can list on DagRunModelView, menu access on DAG Runs, menu > access on Browse, can list on JobModelView, menu access on Jobs, can list on > LogModelView, menu access on Logs, can list on SlaMissModelView, menu access > on SLA Misses, can list on TaskInstanceModelView, menu access on Task > Instances, menu access on Documentation, menu access on Docs, menu access on > Version, menu access on About] > -- This message was sent by Atlassian JIRA (v7.6.3#76005)