0

Using Airflow 2.0.2, I'm trying to use the airflow API to trigger DAG Runs. When I run a simple GET like

curl -X GET --user "fooUser:passw0rd" "${ENDPOINT_URL}/api/v1/pools"

I get expected results:

{
  "pools": [
    {
      "name": "default_pool",
      "occupied_slots": 0,
      "open_slots": 128,
      "queued_slots": 0,
      "running_slots": 0,
      "slots": 128
    }
  ],
  "total_entries": 1

So the user fooUser does have some basic access to the API. But, trying to run

curl -X POST -H "Content-Type: application/json" -d '{}' --user "fooUser:passw0rd" "${ENDPOINT_URL}/api/v1/dags/myDag/dagRuns"

I get

{
  "detail": null,
  "status": 403,
  "title": "Forbidden",
  "type": "https://airflow.apache.org/docs/2.0.2/stable-rest-api-ref.html#section/Errors/PermissionDenied"
}

If I grant user fooUser the Admin role and use the same curl command, I successfully get

{
  "conf": {},
  "dag_id": "myDag",
  "dag_run_id": "manual__2021-12-13T21:37:42.959274+00:00",
  "end_date": null,
  "execution_date": "2021-12-13T21:37:42.959274+00:00",
  "external_trigger": true,
  "start_date": "2021-12-13T21:37:42.964609+00:00",
  "state": "running"
}

I don't want this user to have Admin permissions though. I want just enough to allow them to trigger DAG Runs using the API. But looking at the list of permissions granted to Admin I can't tell which my fooUser needs in order to accomplish this.

Which specific permission(s) does a user need in order to be allowed to trigger DAG Runs using the Airflow API?

Mike S
  • 1,451
  • 1
  • 16
  • 34

1 Answers1

0

testing a little bit, I've come to these rules:

[can create on DAG Runs, can edit on DAGs]

These are just to TRIGGER a dag run. If you want to edit a dag run, you'll have too alter those permissions.

Airflow version 2.3.4

[UPDATE] Here are all permissions needed for each resource: https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html#dag-level-permissions

GabrielBoehme
  • 302
  • 1
  • 11