The role role probably shouldn't have menu access to Plugins #39218
Comments
Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.
Related: #39135?
It should not be related to this one. In https://airflow.apache.org/docs/apache-airflow/2.8.4/security/access-control.html#default-roles, it is clearly documented that the viewer has access to the Plugin menu:
Here I use the link for 2.8.4 because this page is not available for 2.9.0.
The doc links are now a bit wrong but will be fixed in 2.9.1 - and should point to FAB provider where the default roles/permissions are defined. I think whether Viewer should have access to Plugins (read) by default is a good question. I don't think there is any harm in it. We are going to add a bit more documentation on that soon - where we clearly state that there is NO 100% consistency between "menu" access and "thing" access, and sometimes even some permission when individually granted might grant more than is "obvious" and when users decide to deviate from regular defined roles, they should carefully review if the permissions they chose individually are right. And not all combinations of permissions make sense. For example if we take away "plugin" menu access for a viewer but then someone individually gives the "Admin" right to it - does it make sense to have empty admin menu? No. And there is no good "logic" we should follow here. The "menu" access is a general access to see menu. So this is not really a "permission" - this is more "visibility". But the "thing the menu points at" is a different permission - and sometimes you should be able to see particular thing when directly directed to it via URL, but still seeing the menu is not obvious. Or the other way. But yes in this case - plugin menu access for viewer makes no sense at all and we should remove it.
@potiuk Great explanation, thank you!
Added a good first issue label if someone would like to tackle this
I can take it
Apache Airflow version
2.9.0
If "Other Airflow 2 version" selected, which one?
No response
What happened?
The Viewer role does not have access to the Admin menu, which is correct, but it does have menu access to Plugins, which is a submenu of Admin. Is this setting unreasonable?
This is just a small problem, because normally the viewer does not have admin's menu access, so even if it has Plugins' menu access, it cannot see the Plugins menu on the UI.
But when we want to give it access rights to a specific submenu of the admin menu, we will find that the Plugins menu also appears. This is an unexpected performance.
What you think should happen instead?
The viewer role should not have menu access to Plugins.
How to reproduce
Give the viewer role access rights to the admin menu, and you will find that the plugins menu rights are also available.
Operating System
Red Hat Enterprise Linux Server 7.9
Versions of Apache Airflow Providers
No response
Deployment
Docker-Compose
Deployment details
No response
Anything else?
No response
Are you willing to submit PR?
Code of Conduct
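The gap between menu visibility and resource access discussed in this thread can be audited before a custom role is changed. The following is an added example, not code from the issue or from Airflow: the action names `menu_access` and `can_read`, the `MENU_PARENT` layout (including `Variables` as a second Admin child) and the sample role are assumptions constructed for illustration.

```python
MENU_ACCESS = "menu_access"   # assumed action name: "can see this menu entry"
CAN_READ = "can_read"         # assumed action name: "can read the resource itself"

# Child menu entry -> parent menu. The issue states Plugins sits under Admin;
# Variables is an assumed second child used to model a deliberate grant.
MENU_PARENT = {"Plugins": "Admin", "Variables": "Admin"}


def visible_menus(grants):
    """Menu entries a role actually sees: a child also needs its parent's menu access."""
    menus = {res for act, res in grants if act == MENU_ACCESS}
    return {m for m in menus if MENU_PARENT.get(m) is None or MENU_PARENT[m] in menus}


def audit_role(grants):
    """Return sorted (resource, finding) pairs for one role's (action, resource) grants."""
    grants = set(grants)
    menus = {res for act, res in grants if act == MENU_ACCESS}
    findings = []
    for child in sorted(menus):
        parent = MENU_PARENT.get(child)
        if parent is None:
            continue  # top-level entry, nothing to cross-check
        if parent not in menus:
            # Hidden today, but shows up as soon as the parent menu is granted.
            findings.append((child, "latent-child-menu"))
        if (CAN_READ, child) not in grants:
            # Menu entry is visible-capable but the thing it points at is not readable.
            findings.append((child, "menu-without-read"))
    return findings


def side_effects_of_grant(grants, new_grants):
    """Menus that become visible after new_grants, beyond those explicitly requested."""
    before = visible_menus(set(grants))
    after = visible_menus(set(grants) | set(new_grants))
    requested = {res for act, res in new_grants if act == MENU_ACCESS}
    return sorted(after - before - requested)


# Constructed sample role modelled on the report: menu access to Plugins, none to Admin.
VIEWER = {(MENU_ACCESS, "DAGs"), (CAN_READ, "DAGs"),
          (MENU_ACCESS, "Plugins"), (CAN_READ, "Plugins")}

if __name__ == "__main__":
    print(audit_role(VIEWER))
    print(side_effects_of_grant(
        VIEWER, {(MENU_ACCESS, "Admin"), (MENU_ACCESS, "Variables"), (CAN_READ, "Variables")}))
```

Running `side_effects_of_grant` before editing a role shows which menu entries would appear that nobody asked for, which is the situation described under "How to reproduce".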