
Airflow DAG access control permissions are not working #41684

@aporwal17

Description

### Apache Airflow Provider(s)

fab

### Versions of Apache Airflow Providers

```
apache-airflow-providers-common-compat==1.1.0
apache-airflow-providers-common-io==1.4.0
apache-airflow-providers-common-sql==1.15.0
apache-airflow-providers-fab==1.2.2
apache-airflow-providers-ftp==3.10.1
apache-airflow-providers-http==4.12.0
apache-airflow-providers-imap==3.6.1
apache-airflow-providers-smtp==1.7.1
apache-airflow-providers-sqlite==3.8.2
```

### Apache Airflow version

2.10.0

### Operating System

PRETTY_NAME="Ubuntu 22.04.4 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.4 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=jammy

### Deployment

Virtualenv installation

### Deployment details

_No response_

### What happened

The Airflow DAG-level permission module has an issue when we specify permissions inside an individual DAG.

```
Traceback (most recent call last):
  File "/data/airflow/bin/airflow", line 8, in <module>
    sys.exit(main())
  File "/data/airflow/lib/python3.10/site-packages/airflow/__main__.py", line 62, in main
    args.func(args)
  File "/data/airflow/lib/python3.10/site-packages/airflow/cli/cli_config.py", line 49, in command
    return func(*args, **kwargs)
  File "/data/airflow/lib/python3.10/site-packages/airflow/utils/cli.py", line 115, in wrapper
    return f(*args, **kwargs)
  File "/data/airflow/lib/python3.10/site-packages/airflow/utils/providers_configuration_loader.py", line 55, in wrapped_function
    return func(*args, **kwargs)
  File "/data/airflow/lib/python3.10/site-packages/airflow/providers/fab/auth_manager/cli_commands/sync_perm_command.py", line 39, in sync_perm
    appbuilder.sm.create_dag_specific_permissions()
  File "/data/airflow/lib/python3.10/site-packages/airflow/providers/fab/auth_manager/security_manager/override.py", line 1076, in create_dag_specific_permissions
    self.sync_perm_for_dag(dag_resource_name, dag.access_control)
  File "/data/airflow/lib/python3.10/site-packages/airflow/providers/fab/auth_manager/security_manager/override.py", line 1119, in sync_perm_for_dag
    self._sync_dag_view_permissions(dag_resource_name, access_control)
  File "/data/airflow/lib/python3.10/site-packages/airflow/providers/fab/auth_manager/security_manager/override.py", line 1174, in _sync_dag_view_permissions
    raise AirflowException(
airflow.exceptions.AirflowException: The access_control map for DAG 'DAG:example_dag_1' includes the following invalid permissions: {'DAGs'}; The set of valid permissions is: {'can_edit', 'can_read', 'can_delete'}
```

/data/airflow/lib/python3.10/site-packages/airflow/providers/fab/auth_manager/security_manager/override.py

```
invalid_action_names = action_names - self.DAG_ACTIONS
if invalid_action_names:
    raise AirflowException(
        f"The access_control map for DAG '{dag_resource_name}' includes "
        f"the following invalid permissions: {invalid_action_names}; "
        f"The set of valid permissions is: {self.DAG_ACTIONS}"
    )
```

It is returning invalid_action_names all the time because of unexpected JSON:
`{'DAGs': {'can_edit', 'can_read', 'can_delete'}}`
It should have only `{'can_edit', 'can_read', 'can_delete'}`.

### What you think should happen instead

```
if isinstance(perms, (set, list)):
    # Support for old-style access_control where only the actions are specified
    updated_access_control[role][permissions.RESOURCE_DAG] = set(perms)
else:
    updated_access_control[role] = perms
```

This code is having an issue.

### How to reproduce

  1. Just installed 2.10.0 version.
  2. Create one empty role named `readonly`.
  3. Create one DAG with the below access control:

```
from airflow import DAG
from airflow.operators.dummy_operator import DummyOperator
from datetime import datetime

default_args = {
    'owner': 'airflow',
    'start_date': datetime(2024, 8, 1),
}

dag = DAG(
    'example_dag_1',
    default_args=default_args,
    schedule_interval='@daily',
    # Old-style access_control: role name mapped directly to a set of actions
    access_control={ 'readonly': {'can_read', 'can_edit', 'can_delete'} },
)

t1 = DummyOperator(
    task_id='dummy_task',
    dag=dag
)
```

### Anything else

_No response_

### Are you willing to submit PR?

  • Yes I am willing to submit a PR!
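
The shape mismatch reported above, as an added example that is not part of the original issue and is not Airflow's own code: a validator that expects `role -> actions` is run against the `role -> {resource: actions}` map produced by the old-style conversion, next to a validator that checks the nested shape. The function names are hypothetical, and the nested validator assumes every resource accepts exactly the three actions listed in the error message.

```python
# Added illustration, not Airflow source. Function names are hypothetical;
# the action strings and the 'DAGs' resource name come from the issue text.
DAG_ACTIONS = frozenset({"can_read", "can_edit", "can_delete"})
RESOURCE_DAG = "DAGs"


def normalize(access_control):
    """Old-style role -> actions becomes role -> {resource: actions}."""
    updated = {}
    for role, perms in access_control.items():
        if isinstance(perms, (set, list)):
            updated[role] = {RESOURCE_DAG: set(perms)}
        else:
            updated[role] = perms
    return updated


def invalid_actions_flat(access_control):
    """Validator that assumes role -> actions.

    Given a nested map, set(perms) yields the dict keys, so the resource
    name 'DAGs' is compared against the action names and rejected.
    """
    bad = {}
    for role, perms in access_control.items():
        diff = set(perms) - DAG_ACTIONS
        if diff:
            bad[role] = diff
    return bad


def invalid_actions_nested(access_control):
    """Validator that accepts either shape and checks each resource's actions.

    Assumption: every resource accepts exactly DAG_ACTIONS.
    """
    bad = {}
    for role, by_resource in normalize(access_control).items():
        for actions in by_resource.values():
            diff = set(actions) - DAG_ACTIONS
            if diff:
                bad.setdefault(role, set()).update(diff)
    return bad


# Constructed input: the access_control map from the reproduction DAG.
OLD_STYLE = {"readonly": {"can_read", "can_edit", "can_delete"}}
```

Running the flat validator on `normalize(OLD_STYLE)` reports `{'DAGs'}` as an invalid permission for `readonly`, matching the exception text in the traceback; the nested validator reports nothing for the same input.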
