From 1059ee3962c2e25881e9a9c8d4851e7f413273de Mon Sep 17 00:00:00 2001
From: Amogh
Date: Sat, 17 Feb 2024 10:26:13 +0530
Subject: [PATCH 1/6] Revoking audit_log permission from viewer role
---
 .../fab/auth_manager/security_manager/override.py | 2 --
 docs/apache-airflow/security/security_model.rst | 8 ++++++++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/airflow/providers/fab/auth_manager/security_manager/override.py b/airflow/providers/fab/auth_manager/security_manager/override.py
index 901193386b49d..1ec5e87641d5c 100644
--- a/airflow/providers/fab/auth_manager/security_manager/override.py
+++ b/airflow/providers/fab/auth_manager/security_manager/override.py
@@ -203,7 +203,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 # [START security_viewer_perms]
 VIEWER_PERMISSIONS = [
- (permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG),
 (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
 (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_DEPENDENCIES),
 (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_CODE),
@@ -233,7 +232,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_DOCS),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_DOCS_MENU),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_JOB),
- (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_AUDIT_LOG),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_PLUGIN),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_SLA_MISS),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_TASK_INSTANCE),
diff --git a/docs/apache-airflow/security/security_model.rst b/docs/apache-airflow/security/security_model.rst
index dfc67dbac5626..cabbf5c2b547f 100644
--- a/docs/apache-airflow/security/security_model.rst
+++ b/docs/apache-airflow/security/security_model.rst
@@ -134,6 +134,14 @@ Regular users They can view and interact with the UI and API. They are able to view and edit DAGs, task instances, and DAG runs, and view task logs. +Viewer users +............ + +They can view information related to DAGs, in a read only fashion, task logs, and other relevant details. +This role is suitable for users who require read-only access without the ability to trigger or modify DAGs. + +Viewers also do not have permission to access audit logs. + For more information on the capabilities of authenticated UI users, see :doc:`apache-airflow-providers-fab:auth-manager/access-control`. Capabilities of DAG Authors
From 437285e9ab97e416d4a991ad5f42090b3a2ccbe0 Mon Sep 17 00:00:00 2001
From: Amogh
Date: Sat, 17 Feb 2024 10:40:14 +0530
Subject: [PATCH 2/6] moving revoked permissions to USER_PERMISSIONS for other users
---
 airflow/providers/fab/auth_manager/security_manager/override.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/airflow/providers/fab/auth_manager/security_manager/override.py b/airflow/providers/fab/auth_manager/security_manager/override.py
index 1ec5e87641d5c..d09a82c5f1676 100644
--- a/airflow/providers/fab/auth_manager/security_manager/override.py
+++ b/airflow/providers/fab/auth_manager/security_manager/override.py
@@ -240,6 +240,8 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 # [START security_user_perms]
 USER_PERMISSIONS = [
+ (permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG),
+ (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_AUDIT_LOG),
 (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG),
 (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_DAG),
 (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_TASK_INSTANCE),
From 82e416d6f05ee6cca1b370294b1ea209660e4534 Mon Sep 17 00:00:00 2001
From: Amogh
Date: Sat, 17 Feb 2024 12:17:32 +0530
Subject: [PATCH 3/6] audit logs only on admins
---
 .../providers/fab/auth_manager/security_manager/override.py | 4 ++--
 docs/apache-airflow/security/security_model.rst | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/airflow/providers/fab/auth_manager/security_manager/override.py b/airflow/providers/fab/auth_manager/security_manager/override.py
index d09a82c5f1676..0757f57234f19 100644
--- a/airflow/providers/fab/auth_manager/security_manager/override.py
+++ b/airflow/providers/fab/auth_manager/security_manager/override.py
@@ -240,8 +240,6 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 # [START security_user_perms]
 USER_PERMISSIONS = [
- (permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG),
- (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_AUDIT_LOG),
 (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG),
 (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_DAG),
 (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_TASK_INSTANCE),
@@ -281,6 +279,8 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 # [START security_admin_perms]
 ADMIN_PERMISSIONS = [
+ (permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG),
+ (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_AUDIT_LOG),
 (permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_RESCHEDULE),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_TASK_RESCHEDULE),
 (permissions.ACTION_CAN_READ, permissions.RESOURCE_TRIGGER),
diff --git a/docs/apache-airflow/security/security_model.rst b/docs/apache-airflow/security/security_model.rst
index cabbf5c2b547f..8a230ee180b1b 100644
--- a/docs/apache-airflow/security/security_model.rst
+++ b/docs/apache-airflow/security/security_model.rst
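Review bot: Roles that already exist in a deployment's metadata database may keep audit-log access after upgrade, because adding the two `RESOURCE_AUDIT_LOG` entries to `ADMIN_PERMISSIONS` here (and dropping them from `VIEWER_PERMISSIONS` and `USER_PERMISSIONS` in the earlier hunks) changes only the default role definitions. Whether previously synced Viewer, User and Op roles lose the grant depends on the role-sync code, which is not in this series; if that sync only adds missing permissions, the newsfragment's statement that existing non-admin users lose access would not hold, and the stale grants would need to be removed explicitly. The series also adds no test, so an assertion that `(permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG)` and its `ACTION_CAN_ACCESS_MENU` counterpart are absent from the non-admin lists would keep the restriction from being undone unnoticed. A comment above the new entries such as `# Audit logs expose user details (name, email); keep these Admin-only.` would record the reason. The `ADMIN_PERMISSIONS` list continues past the end of the hunk.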
@@ -106,12 +106,17 @@ sensitive information accessible through connection configuration. They also have the ability to create a Webserver Denial of Service situation and should be trusted not to misuse this capability. +Only admin users have access to audit logs. Unless specified otherwise in any other section below, +other users do not have permissions on audit logs. + Operations users ................ The primary difference between an operator and admin is the ability to manage and grant permissions to other users - only admins are able to do this. Otherwise assume they have the same access as an admin. +Operations users also do not have permission to access audit logs. + Connection configuration users ..............................
From fcf1cd5b1efb2f4ea3ba0dcafd74595a4d1bf464 Mon Sep 17 00:00:00 2001
From: Amogh Desai
Date: Mon, 19 Feb 2024 09:21:28 +0530
Subject: [PATCH 4/6] review comments by Jed
Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com>
---
 docs/apache-airflow/security/security_model.rst | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/docs/apache-airflow/security/security_model.rst b/docs/apache-airflow/security/security_model.rst
index 8a230ee180b1b..b29a8bd91b441 100644
--- a/docs/apache-airflow/security/security_model.rst
+++ b/docs/apache-airflow/security/security_model.rst
@@ -113,9 +113,7 @@ Operations users ................ The primary difference between an operator and admin is the ability to manage and grant permissions -to other users - only admins are able to do this. Otherwise assume they have the same access as an admin. - -Operations users also do not have permission to access audit logs. +to other users, and access audit logs - only admins are able to do this. Otherwise assume they have the same access as an admin. Connection configuration users ..............................
From c381759545df84774d14c5709b2f1e0c878ae3cc Mon Sep 17 00:00:00 2001
From: Amogh Desai
Date: Mon, 19 Feb 2024 09:21:45 +0530
Subject: [PATCH 5/6] review comments from Jed
Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com>
---
 docs/apache-airflow/security/security_model.rst | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/docs/apache-airflow/security/security_model.rst b/docs/apache-airflow/security/security_model.rst
index b29a8bd91b441..329e54670b9b6 100644
--- a/docs/apache-airflow/security/security_model.rst
+++ b/docs/apache-airflow/security/security_model.rst
@@ -106,8 +106,7 @@ sensitive information accessible through connection configuration. They also have the ability to create a Webserver Denial of Service situation and should be trusted not to misuse this capability. -Only admin users have access to audit logs. Unless specified otherwise in any other section below, -other users do not have permissions on audit logs. +Only admin users have access to audit logs. Operations users ................
From 1cb1958c4a956fd2cfee5297b4d99082f012affe Mon Sep 17 00:00:00 2001
From: Amogh
Date: Mon, 19 Feb 2024 09:33:42 +0530
Subject: [PATCH 6/6] adding a newsfragment
---
 newsfragments/37501.significant.rst | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 newsfragments/37501.significant.rst
diff --git a/newsfragments/37501.significant.rst b/newsfragments/37501.significant.rst
new file mode 100644
index 0000000000000..0fe82850b3889
--- /dev/null
+++ b/newsfragments/37501.significant.rst
@@ -0,0 +1,9 @@
+The audit_logs permissions have been updated for heightened security.
+
+This was done under the policy that we do not want users like Viewer, Ops,
+and other users apart from Admin to have access to audit_logs. The intention behind
+this change is to restrict users with less permissions from viewing user details
+like First Name, Email etc. from the audit_logs when they are not permitted to.
+
+The impact of this change is that the existing users with non admin rights won't be able
+to view or access the audit_logs, both from the Browse tab or from the DAG run.