Skip to content

Commit

Permalink
Revoking audit_log permission from all users except admin (#37501)
Browse files Browse the repository at this point in the history
---------

Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com>
(cherry picked from commit f2ea8a3)
  • Loading branch information
amoghrajesh authored and ephraimbuddy committed Feb 22, 2024
1 parent b889c0f commit 8324c87
Show file tree
Hide file tree
Showing 3 changed files with 22 additions and 3 deletions.
4 changes: 2 additions & 2 deletions airflow/auth/managers/fab/security_manager/override.py
Original file line number Diff line number Diff line change
Expand Up @@ -202,7 +202,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):

# [START security_viewer_perms]
VIEWER_PERMISSIONS = [
(permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG),
(permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
(permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_DEPENDENCIES),
(permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_CODE),
Expand Down Expand Up @@ -232,7 +231,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
(permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_DOCS),
(permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_DOCS_MENU),
(permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_JOB),
(permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_AUDIT_LOG),
(permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_PLUGIN),
(permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_SLA_MISS),
(permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_TASK_INSTANCE),
Expand Down Expand Up @@ -279,6 +277,8 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
# [END security_op_perms]

ADMIN_PERMISSIONS = [
(permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG),
(permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_AUDIT_LOG),
(permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_RESCHEDULE),
(permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_TASK_RESCHEDULE),
(permissions.ACTION_CAN_READ, permissions.RESOURCE_TRIGGER),
Expand Down
12 changes: 11 additions & 1 deletion docs/apache-airflow/security/security_model.rst
Original file line number Diff line number Diff line change
Expand Up @@ -106,11 +106,13 @@ sensitive information accessible through connection configuration.
They also have the ability to create a Webserver Denial of Service
situation and should be trusted not to misuse this capability.

Only admin users have access to audit logs.

Operations users
................

The primary difference between an operator and admin is the ability to manage and grant permissions
to other users - only admins are able to do this. Otherwise assume they have the same access as an admin.
to other users, and access audit logs - only admins are able to do this. Otherwise assume they have the same access as an admin.

Connection configuration users
..............................
Expand All @@ -134,6 +136,14 @@ Regular users
They can view and interact with the UI and API. They are able to view and edit DAGs,
task instances, and DAG runs, and view task logs.

Viewer users
............

They can view information related to DAGs, in a read only fashion, task logs, and other relevant details.
This role is suitable for users who require read-only access without the ability to trigger or modify DAGs.

Viewers also do not have permission to access audit logs.

For more information on the capabilities of authenticated UI users, see :doc:`/security/access-control`.

Capabilities of DAG Authors
Expand Down
9 changes: 9 additions & 0 deletions newsfragments/37501.significant.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
The audit_logs permissions have been updated for heightened security.

This was done under the policy that we do not want users like Viewer, Ops,
and other users apart from Admin to have access to audit_logs. The intention behind
this change is to restrict users with less permissions from viewing user details
like First Name, Email etc. from the audit_logs when they are not permitted to.

The impact of this change is that the existing users with non admin rights won't be able
to view or access the audit_logs, both from the Browse tab or from the DAG run.

0 comments on commit 8324c87

Please sign in to comment.