-
Notifications
You must be signed in to change notification settings - Fork 14.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revoking audit_log permission from all users except admin #37501
Conversation
The UI elements dont render for audit_logs: If I try to access audit logs from the DAG run details: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with you that only admin (and custom roles) should have these permissions, but I don't know if we can consider this a bug fix, because otherwise it will be considered a breaking change. (not a big problem anymore after creating fab provider)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGMT. Few nits that should be resolved.
Yes. Bug-fix. It should not be there in the first place IMHO. |
But also we should add a .significant entry in newsfragments about it @amoghrajesh |
yeah it's a bit tricky? |
Not tricky. We agreed with @vincbeck that when we cherry-pick FAB things for 2.8.0, we will cherry-pick them to core - moving the changes back where they were in before 2.9, so once we cherry-pick this one with a newsfragment, it will nicely go into 2.8.2 (or 2.8.3 whatever it will be released in) |
Not sure that I get that? |
No. This issue can be cherry-picked to 2.8.2 to the place where Fab was previously. We've already done that |
When we separated FAB provider right after we created 2.8.0 - this was what we agreed to with @vincbeck - that security related and small fixeds will be cherry picked to 2.8.* airflow core |
Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com>
Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com>
Thanks for the reviews! @potiuk / @eladkal pushed a newsfragment @jedcunningham nits handled |
@potiuk do I have to do anything with respect to cherry picking to earlier branches? |
Thanks for the offer :). We'll handle it. Usually cherry-picking is done by release managers and those who directly help them and are familiar with the process - becuase this is rather delicate process and there are a number of decisions to made on the spot (currently those people are @ephraimbuddy @jedcunningham @eladkal and myself mostly. So doing it just for one PR introduces potential more issues than it solves. But if at some point in time you would like to join the release team and cherry-pick next changes (after seeing how it's done - absolutely :D . Just look what's dicussed in |
Thank you, i was aware of the people who do it, and slightly about the process too, thanks for clarifying. I was curious if anything special was needed because this is a different kind of fix. Got it cleared now, thanks |
--------- Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com> (cherry picked from commit f2ea8a3)
The test for security/permissions had not been run after modifying default permissions in apache#37501 (to be investigated why). This PR makes main green again.
The test for security/permissions had not been run after modifying default permissions in #37501 (to be investigated why). This PR makes main green again.
Yet another test was failing after changing audit log permissions in apache#37501
Yet another test was failing after changing audit log permissions in #37501
The test for security/permissions had not been run after modifying default permissions in #37501 (to be investigated why). This PR makes main green again.
Yet another test was failing after changing audit log permissions in #37501
--------- Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com> (cherry picked from commit f2ea8a3)
The test for security/permissions had not been run after modifying default permissions in #37501 (to be investigated why). This PR makes main green again.
Yet another test was failing after changing audit log permissions in #37501
The viewer role and any other users apart from admin don't need to have audit_log permissions. Revoking it.
Alternatively, I moved the revoked permissions to ADMIN_PERMISSIONS.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rst
or{issue_number}.significant.rst
, in newsfragments.