Revoking audit_log permission from all users except admin#37501
Conversation
|
The UI elements dont render for audit_logs: Forbidden /api/v1/eventLogs: If I try to access audit logs from the DAG run details: |
amoghrajesh
changed the title
hussein-awala
left a comment
hussein-awala
left a comment
There was a problem hiding this comment.
I agree with you that only admin (and custom roles) should have these permissions, but I don't know if we can consider this a bug fix, because otherwise it will be considered a breaking change. (not a big problem anymore after creating fab provider)
potiuk
left a comment
potiuk
left a comment
There was a problem hiding this comment.
LGMT. Few nits that should be resolved.
Yes. Bug-fix. It should not be there in the first place IMHO. |
|
But also we should add a .significant entry in newsfragments about it @amoghrajesh |
yeah it's a bit tricky? |
|
Not tricky. We agreed with @vincbeck that when we cherry-pick FAB things for 2.8.0, we will cherry-pick them to core - moving the changes back where they were in before 2.9, so once we cherry-pick this one with a newsfragment, it will nicely go into 2.8.2 (or 2.8.3 whatever it will be released in) |
Not sure that I get that? |
|
No. This issue can be cherry-picked to 2.8.2 to the place where Fab was previously. We've already done that |
|
When we separated FAB provider right after we created 2.8.0 - this was what we agreed to with @vincbeck - that security related and small fixeds will be cherry picked to 2.8.* airflow core |
Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com>
Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com>
|
Thanks for the reviews! @potiuk / @eladkal pushed a newsfragment @jedcunningham nits handled |
|
@potiuk do I have to do anything with respect to cherry picking to earlier branches? |
Thanks for the offer :). We'll handle it. Usually cherry-picking is done by release managers and those who directly help them and are familiar with the process - becuase this is rather delicate process and there are a number of decisions to made on the spot (currently those people are @ephraimbuddy @jedcunningham @eladkal and myself mostly. So doing it just for one PR introduces potential more issues than it solves. But if at some point in time you would like to join the release team and cherry-pick next changes (after seeing how it's done - absolutely :D . Just look what's dicussed in |
Thank you, i was aware of the people who do it, and slightly about the process too, thanks for clarifying. I was curious if anything special was needed because this is a different kind of fix. Got it cleared now, thanks |
--------- Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com> (cherry picked from commit f2ea8a3)
The test for security/permissions had not been run after modifying default permissions in apache#37501 (to be investigated why). This PR makes main green again.
The test for security/permissions had not been run after modifying default permissions in #37501 (to be investigated why). This PR makes main green again.
Yet another test was failing after changing audit log permissions in apache#37501
Yet another test was failing after changing audit log permissions in #37501
The test for security/permissions had not been run after modifying default permissions in #37501 (to be investigated why). This PR makes main green again.
Yet another test was failing after changing audit log permissions in #37501
--------- Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com> (cherry picked from commit f2ea8a3)
The test for security/permissions had not been run after modifying default permissions in #37501 (to be investigated why). This PR makes main green again.
Yet another test was failing after changing audit log permissions in #37501
7 participants
The viewer role and any other users apart from admin don't need to have audit_log permissions. Revoking it.
Alternatively, I moved the revoked permissions to ADMIN_PERMISSIONS.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in newsfragments.