Apache Airflow version: 1.10.10
Environment:
What happened: Created a new role, added "can_index" and "menu_access on DAGs". After webserver restart, new roles appeared:
[can delete on Airflow, can tree on Airflow, can index on Airflow, can task stats on Airflow, can gantt on Airflow, can task instances on Airflow, can landing times on Airflow, can log on Airflow, can dag stats on Airflow, can paused on Airflow, can run on Airflow, can trigger on Airflow, can xcom on Airflow, can rendered on Airflow, can dag details on Airflow, can refresh on Airflow, can tries on Airflow, can code on Airflow, can get logs with metadata on Airflow, can dagrun clear on Airflow, can duration on Airflow, can graph on Airflow, can blocked on Airflow, can pickle info on Airflow, can clear on Airflow, can task on Airflow, can success on Airflow, can list on DagModelView, can show on DagModelView, can list on DagRunModelView, can add on DagRunModelView, muldelete on DagRunModelView, set failed on DagRunModelView, set running on DagRunModelView, set success on DagRunModelView, menu access on DAG Runs, menu access on Browse, can list on JobModelView, menu access on Jobs, can list on LogModelView, menu access on Logs, can list on SlaMissModelView, menu access on SLA Misses, can list on TaskInstanceModelView, clear on TaskInstanceModelView, set failed on TaskInstanceModelView, set running on TaskInstanceModelView, set success on TaskInstanceModelView, menu access on Task Instances, menu access on Documentation, menu access on Docs, can version on VersionView, menu access on Version, menu access on About]
What you expected to happen: Role is persistent unless changed by a user
How to reproduce it: Add new role with "can_index" and "menu access on DAG Runs". Restart webserver. The new role now has extra permissions.
Anything else we need to know: 100% reproducible.
I've found people with similar issue on stack overflow: https://stackoverflow.com/questions/60100536/apache-airflow-some-permissions-on-new-role-are-reset
And on Slack a similar issue:
We are currently running Airflow 1.10.9 and facing a weird issue with role permissions.
Make a copy of the Viewer role and rename it to something else (can be reproduced without renaming as well)
Refresh the Roles page a couple of times or click on Edit for the copied role
The role now has permissions which it did not have before. Even though I never added those permissions
For example, the Viewer role does not have the permission set failed on DagRunModelView while a copy of the Viewer role has that permission even though I never added it to the copied role.
Happens to me on 1.10.11 with can delete on Airflow and muldelete on DagRunModelView. Also when I create a new empty role it is (within seconds) populated with a whole set of "default(?)" permissions. I guess that when I remove one of them, it is recreated after some cycle. It doesn't happen with the public role which remains empty.
This happened to me on these three versions on which I tested RBAC: 1.10.5 & 1.10.8 & 1.10.11.
On 1.10.8 it somehow managed to not populate it a few times I logged in/out and then all of a sudden it did it again.
Any clues could this be an external thing, such as javascript or something that populates the role window?
Other people have had this issue on version 1.10.6:
https://stackoverflow.com/questions/60100536/apache-airflow-some-permissions-on-new-role-are-reset
This is a serious issue, RBAC is not RBAC with this bug.
I believe it's happening here https://github.com/apache/airflow/blob/1.10.11/airflow/www_rbac/security.py#L373 . I didn't really have time to study the method properly (it's a bit too complex), to provide a fix. But essentially, this method is called periodically and if a role is in the EXISTING_ROLES list, it gets "synced" with permissions defined here - https://github.com/apache/airflow/blob/1.10.11/airflow/www_rbac/security.py#L160 .
If a role is not in the list, its permission gets generated by the method and synced. I believe it's during this process when permissions are added to the role automatically.
My hot fix is that I created a custom role, I defined it the same way as default roles are (as shown in the 2nd link) and I added the role to the EXISTING_ROLES list. This way I cannot modify its permission in UI, but at least the role has exactly the permission I need.
@dakov, your workaround worked for me.
I created a new Role thru GUI, assigned it to a user.
It populated it with all sorts of unwanted permissions.
Went to edit security.py and added the name of the new Role to the EXISTING_ROLES array.
Returned to GUI to fix the permissions of the role.
Now they stick like glue.
Currently in the process of testing all sorts of cases to see if it will repopulate with unwanted permissions.
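An added example, not part of the thread or of the Airflow code base, for checking whether a custom role has picked up permissions it was never given. It parses the bracketed "action on view" list in the form pasted in the report and diffs it against the intended baseline; the `WRITE_PREFIXES` triage list, the function names and the sample strings are assumptions constructed for illustration.

```python
# Assumption: action prefixes treated as state-changing when triaging drift.
WRITE_PREFIXES = (
    "can delete", "can add", "can edit", "can trigger", "can run",
    "can clear", "can dagrun clear", "can paused", "can success",
    "muldelete", "clear", "set ",
)

def parse_permissions(text):
    """Parse '[can index on Airflow, menu access on DAG Runs]' into (action, view) pairs."""
    body = text.strip().lstrip("[").rstrip("]")
    perms = set()
    for item in body.split(","):
        item = " ".join(item.split())  # collapse stray whitespace
        if not item:
            continue
        action, sep, view = item.partition(" on ")
        if not sep:
            raise ValueError(f"not an 'action on view' entry: {item!r}")
        # 'can_index' and 'can index' name the same permission
        perms.add((action.replace("_", " ").lower(), view))
    return perms

def role_drift(baseline_text, observed_text):
    """Compare the intended permissions of a role with what it holds now."""
    baseline = parse_permissions(baseline_text)
    observed = parse_permissions(observed_text)
    added = observed - baseline
    return {
        "added_write": sorted(p for p in added if p[0].startswith(WRITE_PREFIXES)),
        "added_read": sorted(p for p in added if not p[0].startswith(WRITE_PREFIXES)),
        "removed": sorted(baseline - observed),
    }

# Constructed sample: the two permissions granted in the report, and a short
# excerpt of the list the role showed after the webserver restart.
BASELINE = "[can_index on Airflow, menu_access on DAG Runs]"
OBSERVED = ("[can delete on Airflow, can tree on Airflow, can index on Airflow, "
            "can trigger on Airflow, muldelete on DagRunModelView, "
            "set failed on DagRunModelView, menu access on DAG Runs, "
            "can list on DagModelView]")

if __name__ == "__main__":
    for kind, perms in role_drift(BASELINE, OBSERVED).items():
        print(kind, perms)
```

Running it after each webserver restart against the role's current permission list shows which additions are state-changing and need removing first.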
@dakov I've been experiencing similar issues creating roles and getting them to work using the Airflow UI (version 1.10.11). I want to test your method. I tried the following:
./venv/lib/python3.7/site-packages/airflow/www_rbac/security.py which is what I believe you were suggesting.
airflow sync_perm in the webserver
Does not seem to be working for me. Please let me know if I'm missing something here.