Sync DAG specific permissions when parsing #15311
Conversation
jedcunningham
requested review from
XD-DENG,
ashb,
kaxil and
turbaszek
as code owners
airflow/models/serialized_dag.py
Outdated
There was a problem hiding this comment.
@jhtimmins, curious is you know a better way or trick to using the security manager somewhere where we don't want/need the whole flask app?
There was a problem hiding this comment.
@jedcunningham Oof I need to think about this, because generally speaking we really don't want to extend the webserver-level controls into Airflow core.
jedcunningham
force-pushed
the
perm_sync_on_parse
branch
from
ec91f3c to
4f9914a
Compare
airflow/models/serialized_dag.py
Outdated
There was a problem hiding this comment.
Ok, after thinking more about this, I don't think we should be extending the security manager into the /airflow/models directory. I'd much rather create a sync-permissions API endpoint if one doesn't exist, and hitting that from the CLI via a separate HTTP request.
jedcunningham
force-pushed
the
perm_sync_on_parse
branch
from
b35d4ea to
e4cb59c
Compare
kaxil
changed the title
This POC allows the DAG specific permissions to be created/updated during DAG parsing, instead of during webserver start or cli `sync-perm`. With a large number of DAGs, walking through them all to do DAG specific permissions isn't exactly fast and they can only change during the scheduler parsing anyways. Overall more efficient as we don't need to check every DAG as well, we only need to check a given DAG when it changes. This also fixed a bug where the default webserver DAG specific syncing didn't handle `access_control`. Closes apache#8609 (cherry picked from commit d52ad87)
|
which airflow version has this fixed change? |
|
2.1.0: Line 100 in e3f5eb9 |
Thanks for quick reply. I am using composer-1.16.7-airflow-1.10.15 (Google Composer), and unfortunately composer don't have this airflow version available yet to upgrade to. So is there any alternative other than admin clicking on refresh to update permissions as I want to automate solution, |
|
I believe running airflow sync-perm should do it as well. |
|
No sync_perm is not working as expected. Its not updating roles permission as per DAG access control. |
|
Interesting, the code looks like it should do it 🤷♂️. Sorry, I'm not sure. Lines 2075 to 2080 in 5786dcd |
I was able to solve issue by updating store_serialized_dags = False in airflow config. Thanks for your pointer |
|
If something is not working in Composer that is fixed in open source Airflow then you should raise that issue with Composer support. |
|
@chodankarcc I also facing the same issue. then already updating store_serialized_dags = False . but I have new issue, the dag that I set running sequentially running not in order, the dag running from middle dag I think its bug ui, when I updating store_serialized_dags = True its working normally . Have you facing the same problem ? I also using composer. |
6 participants
This POC allows the DAG specific permissions to be created/updated during DAG parsing, instead of during webserver start or cli sync-perm.
With a large number of DAGs, walking through them all to do DAG specific permissions isn't exactly fast and they can only change during the scheduler parsing anyways. Overall more efficient as we don't need to check every DAG as well, we only need to check a given DAG when it changes.
This also fixed a bug where the default webserver DAG specific syncing didn't handle
access_control.Closes #8609