Skip to content

Add IMPORT_ERRORS_ALL permission for import errors of files with no registered Dag#69790

Open
potiuk wants to merge 1 commit into
apache:mainfrom
potiuk:import-errors-all-permission-unregistered-files
Open

Add IMPORT_ERRORS_ALL permission for import errors of files with no registered Dag#69790
potiuk wants to merge 1 commit into
apache:mainfrom
potiuk:import-errors-all-permission-unregistered-files

Conversation

@potiuk

@potiuk potiuk commented Jul 12, 2026

Copy link
Copy Markdown
Member

Import errors are authorized per Dag defined in the file. Files with no registered Dag (parse failed before any Dag was defined, or all Dags removed) have no per-Dag key to authorize on. This adds a dedicated IMPORT_ERRORS_ALL view -- admin-granted by default, scoped per team via the file's bundle where the auth manager supports multi-team isolation -- and gates such files on it: callers without the permission are denied those import errors (403 on the single endpoint; excluded from the list endpoint) instead of receiving the raw stack trace.

Implements #67461.

  • New AccessView.IMPORT_ERRORS_ALL.
  • Auth managers gain an is_authorized_view_for_team method that defaults to is_authorized_view, so auth managers that do not implement it (including out-of-tree ones) keep working unchanged. The simple and Keycloak managers override it to enforce team scoping; the FAB manager grants the new permission to Admin by default.
  • Both Import Errors endpoints resolve the file's team from its bundle and authorize unregistered-file errors on the new view; the list endpoint excludes unauthorized rows from the results and total_entries so their existence does not surface.

Tests

  • test_import_error.py -- with the permission the raw stack trace is returned; without it the single endpoint returns 403 and the list endpoint omits the rows; team scoping is honored; no query-count regression.
  • test_base_auth_manager.py -- is_authorized_view_for_team falls back to is_authorized_view by default.
  • simple / FAB / Keycloak auth-manager suites.
Was generative AI tooling used to co-author this PR?
  • Yes -- Claude Opus 4.8 (1M context)

Generated-by: Claude Opus 4.8 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions

…egistered Dag

The Import Errors API authorizes each error per Dag defined in its file. Files
with no registered Dag have no per-Dag key to authorize on. Gate the raw stack
trace for those files on a dedicated, admin-by-default IMPORT_ERRORS_ALL view,
scoped per team via the file's bundle where the auth manager supports multi-team
isolation, and redact it for callers without the permission on both the list and
single endpoints.

Closes: apache#67461

Generated-by: Claude Opus 4.8 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
@potiuk

potiuk commented Jul 13, 2026

Copy link
Copy Markdown
Member Author

@vincbeck — you'd offered to pick up #67461, so heads-up that I went ahead and implemented it here. Would you mind reviewing when you get a chance? Particularly keen on your read of the is_authorized_view_for_team addition (kept backwards-compatible so existing auth managers are untouched) and the deny-by-default behaviour for files with no registered Dag. Happy to adjust.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant