From 1a96407cd2d76616c1137de288f092d4f3b097fa Mon Sep 17 00:00:00 2001
From: Amogh Desai
Date: Mon, 19 Feb 2024 16:09:51 +0530
Subject: [PATCH] Revoking audit_log permission from all users except admin (#37501)
---------
Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com>
(cherry picked from commit f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f)
---
 .../auth/managers/fab/security_manager/override.py | 4 ++--
 docs/apache-airflow/security/security_model.rst | 12 +++++++++++-
 newsfragments/37501.significant.rst | 9 +++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 newsfragments/37501.significant.rst
diff --git a/airflow/auth/managers/fab/security_manager/override.py b/airflow/auth/managers/fab/security_manager/override.py
index 37c07d956b51b..b8562f488abc5 100644
--- a/airflow/auth/managers/fab/security_manager/override.py
+++ b/airflow/auth/managers/fab/security_manager/override.py
@@ -202,7 +202,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 # [START security_viewer_perms]
 VIEWER_PERMISSIONS = [
- (permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG),
 (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
 (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_DEPENDENCIES),
 (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_CODE),
@@ -232,7 +231,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_DOCS),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_DOCS_MENU),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_JOB),
- (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_AUDIT_LOG),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_PLUGIN),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_SLA_MISS),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_TASK_INSTANCE),
@@ -279,6 +277,8 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 # [END security_op_perms]
 ADMIN_PERMISSIONS = [
+ (permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG),
+ (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_AUDIT_LOG),
 (permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_RESCHEDULE),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_TASK_RESCHEDULE),
 (permissions.ACTION_CAN_READ, permissions.RESOURCE_TRIGGER),
diff --git a/docs/apache-airflow/security/security_model.rst b/docs/apache-airflow/security/security_model.rst
index 62a614110ba1a..5dd21a31be877 100644
--- a/docs/apache-airflow/security/security_model.rst
+++ b/docs/apache-airflow/security/security_model.rst
@@ -106,11 +106,13 @@ sensitive information accessible through connection configuration.
 They also have the ability to create a Webserver Denial of Service situation and should be trusted not to misuse this capability.
+Only admin users have access to audit logs.
+
 Operations users
 ................
 The primary difference between an operator and admin is the ability to manage and grant permissions
-to other users - only admins are able to do this. Otherwise assume they have the same access as an admin.
+to other users, and access audit logs - only admins are able to do this. Otherwise assume they have the same access as an admin.
 Connection configuration users
 ..............................
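Review bot: Nothing in this patch revokes the audit-log grants from Viewer, User or Op roles that already exist in a deployed metadata database: the `ADMIN_PERMISSIONS` hunk in override.py and the two `VIEWER_PERMISSIONS` removals before it only change the default lists, and the diffstat shows no migration. If role sync only adds missing permissions, which is not visible here, upgraded installations would keep `can_read` and menu access on `RESOURCE_AUDIT_LOG` for those roles even though the newsfragment says existing non-admin users lose it. That should be confirmed, and either a revoking migration added or the manual cleanup step documented, with a reminder that custom roles holding the permission are unaffected by a change to the defaults. The patch also carries no test; an assertion that `(permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG)` is absent from `VIEWER_PERMISSIONS`, `USER_PERMISSIONS` and `OP_PERMISSIONS` and present in `ADMIN_PERMISSIONS` would pin the intent. The `ADMIN_PERMISSIONS` list continues outside the hunk.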
@@ -134,6 +136,14 @@ Regular users
 They can view and interact with the UI and API. They are able to view and edit DAGs, task instances, and DAG runs, and view task logs.
+Viewer users
+............
+
+They can view information related to DAGs, in a read only fashion, task logs, and other relevant details.
+This role is suitable for users who require read-only access without the ability to trigger or modify DAGs.
+
+Viewers also do not have permission to access audit logs.
+
 For more information on the capabilities of authenticated UI users, see :doc:`/security/access-control`.
 Capabilities of DAG Authors
diff --git a/newsfragments/37501.significant.rst b/newsfragments/37501.significant.rst
new file mode 100644
index 0000000000000..0fe82850b3889
--- /dev/null
+++ b/newsfragments/37501.significant.rst
@@ -0,0 +1,9 @@
+The audit_logs permissions have been updated for heightened security.
+
+This was done under the policy that we do not want users like Viewer, Ops,
+and other users apart from Admin to have access to audit_logs. The intention behind
+this change is to restrict users with less permissions from viewing user details
+like First Name, Email etc. from the audit_logs when they are not permitted to.
+
+The impact of this change is that the existing users with non admin rights won't be able
+to view or access the audit_logs, both from the Browse tab or from the DAG run.