Background
The public Import Errors API resolves each ParseImportError to a set
of DagModel rows via (relative_fileloc, bundle_name) and applies
per-Dag authorization on the resulting set. There is one case the
current code cannot authorize cleanly: a parse error for a file that
has no DagModel rows yet — for example, a brand-new file that
failed to parse before any Dag was defined, or a file whose Dags were
all removed.
The single endpoint and the list endpoint currently return the raw
stacktrace in this case. That is the same behavior the endpoints had
before the per-file authorization work landed, and it is what the
follow-up PR restores while a proper design is in place.
Why a follow-up
Two things make a proper fix non-trivial:
-
There is no per-file permission today. Authorization on import
errors is derived from per-Dag read permission, but a file with no
Dag has nothing to derive from. The right answer is a dedicated
"view all import errors" permission rather than overloading the
existing per-Dag check.
-
Multi-team isolation needs to be respected. Once such a
permission exists it must be scoped per team (so a team admin sees
import errors for files owned by their team, not other teams). The
per-file ownership signal for unregistered files needs to come from
the bundle / team mapping rather than from DagModel.
Proposed direction
- Introduce a new
AccessView (working name: IMPORT_ERRORS_ALL, or a
resource-action pair on IMPORT_ERRORS) that grants visibility to
import errors whose file has no registered Dag.
- Default-grant the new permission to the admin role only.
- Wire the per-file authorization in
airflow-core/src/airflow/api_fastapi/core_api/routes/public/import_error.py
so that, when file_dag_ids is empty, the response is conditioned on
the caller holding the new permission — returning the raw stacktrace
when they do, redacting (or 403'ing) when they don't.
- For multi-team deployments, scope the new permission per team using
the bundle → team mapping, so a team admin only sees unregistered-file
errors that belong to their team.
- Update the public-API docs and any auth-manager implementations
(FAB, Keycloak, simple) to declare and surface the new permission.
Acceptance criteria
- New permission exists in
AccessView and is declared by every
bundled auth manager.
- Default role mappings grant it to admins only.
- Single and list endpoints return the raw stacktrace for files with
no registered Dag only when the caller has the permission;
otherwise the file is redacted or hidden, with the team scoping
applied where applicable.
- Tests cover: admin sees the raw error, non-admin does not, team-A
admin does not see team-B unregistered files.
Related
Drafted-by: Claude Code (Opus 4.7); reviewed by @potiuk before posting
Background
The public Import Errors API resolves each
ParseImportErrorto a setof
DagModelrows via(relative_fileloc, bundle_name)and appliesper-Dag authorization on the resulting set. There is one case the
current code cannot authorize cleanly: a parse error for a file that
has no
DagModelrows yet — for example, a brand-new file thatfailed to parse before any Dag was defined, or a file whose Dags were
all removed.
The single endpoint and the list endpoint currently return the raw
stacktrace in this case. That is the same behavior the endpoints had
before the per-file authorization work landed, and it is what the
follow-up PR restores while a proper design is in place.
Why a follow-up
Two things make a proper fix non-trivial:
There is no per-file permission today. Authorization on import
errors is derived from per-Dag read permission, but a file with no
Dag has nothing to derive from. The right answer is a dedicated
"view all import errors" permission rather than overloading the
existing per-Dag check.
Multi-team isolation needs to be respected. Once such a
permission exists it must be scoped per team (so a team admin sees
import errors for files owned by their team, not other teams). The
per-file ownership signal for unregistered files needs to come from
the bundle / team mapping rather than from
DagModel.Proposed direction
AccessView(working name:IMPORT_ERRORS_ALL, or aresource-action pair on
IMPORT_ERRORS) that grants visibility toimport errors whose file has no registered Dag.
airflow-core/src/airflow/api_fastapi/core_api/routes/public/import_error.pyso that, when
file_dag_idsis empty, the response is conditioned onthe caller holding the new permission — returning the raw stacktrace
when they do, redacting (or 403'ing) when they don't.
the bundle → team mapping, so a team admin only sees unregistered-file
errors that belong to their team.
(FAB, Keycloak, simple) to declare and surface the new permission.
Acceptance criteria
AccessViewand is declared by everybundled auth manager.
no registered Dag only when the caller has the permission;
otherwise the file is redacted or hidden, with the team scoping
applied where applicable.
admin does not see team-B unregistered files.
Related
the API behaves the same as before per-file authorization was
introduced for that specific case: Return raw import-error stacktrace when file has no registered Dag #67465
Drafted-by: Claude Code (Opus 4.7); reviewed by @potiuk before posting