nicolasge opened a new issue, #42846:
URL: https://github.com/apache/airflow/issues/42846

   ### Apache Airflow version
   
   2.10.2
   
   ### If "Other Airflow 2 version" selected, which one?
   
   _No response_
   
   ### What happened?
   
   Let's say we have a DAG called DAG_A with several tasks, and one of the tasks will trigger a dataset update.
   
   - In the same DAG, we have added an additional access_control to achieve DAG-level access control and defined that only users belonging to Role_A can create DAG runs on this DAG.
   - The downstream DAGs also have DAG-level access control defined; let's call them Role_B and Role_C.
   
   Right now, a user with a role which "can create on Datasets" will have the permission to trigger an event for this dataset, even if this user doesn't have any role with DAG run permissions on DAG_A or DAG_A's downstream DAGs.
   
   ### What you think should happen instead?
   
   To support DAG-level access control, in order to trigger a dataset update event, besides the "can create on Datasets" permission, the user should also:
   - As the upstream or dataset generator, the user should have permission to create dag_run on the DAGs which actually generate the dataset event if there is no human intervention, because upstream DAG owners can always re-run their DAG to create a new event.
   - As the downstream of the dataset, the user will need to have permission to create dag_run on ALL the downstream DAGs.
   
   So in this case, in order to call the API to create a dataset event, besides a role with permission to "can create on Datasets", this user needs to be in Role_A (if he/she is the upstream owner), or both Role_B and Role_C (if he/she is the downstream owner).
   
   ### How to reproduce
   
   Create 3 users with 3 roles:
   
   - User C with role_C: "can create on Datasets" 
   - User A with role_A: can create dag runs on "DAG_A"
   - User B with role_B: can create dag runs on "DAG_B"
   
   Create 2 DAGs with dag level access control defined in DAG:
   
   - DAG_A: only Role_A can create dag runs, and it defines a dataset outlet
   - DAG_B: only Role_B can create dag runs, and it is scheduled based on the dataset defined in DAG_A
   
   Then use user C to call the Airflow API
   
   ### Operating System
   
   Debian 12
   
   ### Versions of Apache Airflow Providers
   
   _No response_
   
   ### Deployment
   
   Official Apache Airflow Helm Chart
   
   ### Deployment details
   
   _No response_
   
   ### Anything else?
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
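
The check requested in the issue, next to the behaviour it reports, as an added example that is not part of the original issue and is not Airflow code. The permission tuples, the `dag_run_create` helper, the dataset URI and the handling of a dataset with no consumers are assumptions of this sketch; role and DAG names follow the reproduction steps.

```python
# Simplified model of the roles and DAGs from the reproduction steps.
# Permission tuples and the dataset URI are constructed for this example;
# this is not Airflow's auth manager API.
from dataclasses import dataclass, field

DATASET_CREATE = ("can_create", "Datasets")


def dag_run_create(dag_id):
    """Hypothetical per-DAG 'can create dag runs' permission."""
    return ("can_create_dag_run", dag_id)


@dataclass
class Dataset:
    uri: str
    producers: set = field(default_factory=set)  # DAGs with this dataset as an outlet
    consumers: set = field(default_factory=set)  # DAGs scheduled on this dataset


def perms_of(user_roles, role_perms):
    """Union of the permissions granted by every role the user holds."""
    return set().union(*(role_perms.get(r, set()) for r in user_roles))


def current_check(user_roles, role_perms, dataset):
    """Behaviour reported in the issue: only the global permission is checked."""
    return DATASET_CREATE in perms_of(user_roles, role_perms)


def proposed_check(user_roles, role_perms, dataset):
    """Check requested in the issue: dataset permission plus DAG-level rights."""
    perms = perms_of(user_roles, role_perms)
    if DATASET_CREATE not in perms:
        return False
    # Upstream owner: may create runs on a DAG that produces the dataset.
    is_producer = any(dag_run_create(d) in perms for d in dataset.producers)
    # Downstream owner: may create runs on ALL consuming DAGs. Assumption of
    # this example: an empty consumer set must not pass vacuously.
    is_consumer = bool(dataset.consumers) and all(
        dag_run_create(d) in perms for d in dataset.consumers)
    return is_producer or is_consumer


ROLE_PERMS = {
    "role_A": {dag_run_create("DAG_A")},
    "role_B": {dag_run_create("DAG_B")},
    "role_C": {DATASET_CREATE},
}
DS = Dataset("s3://example/constructed", producers={"DAG_A"}, consumers={"DAG_B"})
```

With these inputs, user C (role_C only) passes `current_check` but fails `proposed_check`, which is the gap the issue describes.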
