Add description about custom FAB permission consistency (apache#39459)

While RBAC model is powerful, it's also responsibility of those who define custom roles to make sure the role definition is consistent.
VladaZakharova · May 7, 2024 · cbebb48 · cbebb48
1 parent b89e72b
commit cbebb48
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/docs/apache-airflow-providers-fab/auth-manager/access-control.rst b/docs/apache-airflow-providers-fab/auth-manager/access-control.rst
@@ -107,6 +107,21 @@ users add-role`` CLI command.
 Permissions
 '''''''''''
 
+
+.. warning::
+
+  Airflow allows to define custom Roles with fine-grained RBAC permissions for the users. However,
+  there is no mechanism to make sure that the set of permissions assigned is fully consistent and not all
+  combinations of permissions are fully consistent. There are a number of cases where permissions for
+  particular resources are overlapping. Good examples are menu access permissions - lack of menu access
+  does not automatically disable access to functionality they are pointing at. Another examples is access to
+  Role views - which allows to access User information even if the user does not have "user view" access.
+  It is simply inconsistent to add access to Roles where you have no access to users.
+
+  When you decide to use custom set of resource-based permissions, the Deployment Manager should carefully
+  review if the final set of permissions granted to the roles is what they expect.
+
+
 Resource-Based permissions
 ^^^^^^^^^^^^^^^^^^^^^^^^^^