はじめに

Airflowのロールについて、カスタマイズするためドキュメントを参照したところ、情報が全量掲載されている感じではなかったため、備忘録も兼ねてまとめることにします。

前提条件

• Airflow 2.1.0

ドキュメント

• Access Control — Airflow Documentation

デフォルトロール

ロール(Role)は自由に作成できます。
Security > List Rolesからロール一覧画面に進み、+ボタンで新規作成します。

ロールにはパーミッション(Permission)が設定されています。
デフォルトで設定されているロールは、パーミッションの強い順にAdmin>Op>User >Viewer>Publicとなります。
それぞれに設定されているパーミッションは以下の通りです。

Admin

Category	Permissions
DAGs	can read on DAGs can edit on DAGs can delete on DAGs
DAG Runs	can read on DAG Runs can create on DAG Runs can edit on DAG Runs can delete on DAG Runs
Task Instances	can read on Task Instances can edit on Task Instances can create on Task Instances can delete on Task Instances
Audit Logs	can read on Audit Logs
ImportError	can read on ImportError
Jobs	can read on Jobs
DAG Dependencies	can read on DAG Dependencies
DAG Code	can read on DAG Code
Plugins	can read on Plugins
SLA Misses	can read on SLA Misses
Task Logs	can read on Task Logs
XComs	can read on XComs can create on XComs can delete on XComs
Website	can read on Website
Configurations	can read on Configurations
Connections	can create on Connections can read on Connections can edit on Connections can delete on Connections
Pools	can create on Pools can read on Pools can edit on Pools can delete on Pools
Providers	can read on Providers
Variables	can create on Variables can read on Variables can edit on Variables can delete on Variables
Task Reschedules	can read on Task Reschedules
Roles	can create on Roles can edit on Roles can delete on Roles can read on Roles
Users	can read on Users can create on Users can edit on Users can delete on Users
Passwords	can read on Passwords can edit on Passwords
My Password	can read on My Password can edit on My Password
My Profile	can read on My Profile can edit on My Profile
User Stats Chart	can read on User Stats Chart
View Menus	can read on View Menus
Permissions	can read on Permissions
Permission Views	can read on Permission Views
MenuApi	can get on MenuApi
Browse	menu access on Browse
Menu Access	menu access on DAG Runs menu access on Documentation menu access on Docs menu access on Jobs menu access on Audit Logs menu access on Plugins menu access on SLA Misses menu access on Task Instances menu access on Admin menu access on Connections menu access on Pools menu access on Variables menu access on XComs menu access on Task Reschedules menu access on List Users menu access on Security menu access on List Roles menu access on User's Statistics menu access on Base Permissions menu access on Views/Menus menu access on Permission on Views/Menus menu access on Configurations menu access on DAG Dependencies

Op

Category	Permissions
DAGs	can read on DAGs can edit on DAGs can delete on DAGs
DAG Runs	can read on DAG Runs can edit on DAG Runs can delete on DAG Runs can create on DAG Runs
Task Instances	can read on Task Instances can edit on Task Instances can create on Task Instances can delete on Task Instances
Audit Logs	can read on Audit Logs
ImportError	can read on ImportError
Pools	can delete on Pools can read on Pools can edit on Pools can create on Pools
Providers	can read on Providers can delete on Variables can read on Variables can edit on Variables can create on Variables
Connections	can delete on Connections can read on Connections can edit on Connections can create on Connections
XComs	can read on XComs can delete on XComs
DAG Code	can read on DAG Code
Configurations	can read on Configurations
Plugins	can read on Plugins
DAG Dependencies	can read on DAG Dependencies
Jobs	can read on Jobs
My Password	can read on My Password can edit on My Password
My Profile	can read on My Profile can edit on My Profile
SLA Misses	can read on SLA Misses
Task Logs	can read on Task Logs
Website	can read on Website
Menu Access	menu access on Browse menu access on DAG Runs menu access on Documentation menu access on Docs menu access on Jobs menu access on Audit Logs menu access on Plugins menu access on SLA Misses menu access on Task Instances menu access on Admin menu access on Connections menu access on Pools menu access on Variables menu access on XComs

User

Category	Permissions
DAGs	can read on DAGs can edit on DAGs can delete on DAGs
DAG Runs	can edit on DAG Runs can read on DAG Runs can delete on DAG Runs can create on DAG Runs
Task Instances	can read on Task Instances can edit on Task Instances can create on Task Instances can delete on Task Instances
Audit Logs	can read on Audit Logs
ImportError	can read on ImportError
XComs	can read on XComs
DAG Code	can read on DAG Code
Plugins	can read on Plugins
DAG Dependencies	can read on DAG Dependencies
Jobs	can read on Jobs
My Password	can read on My Password can edit on My Password
My Profile	can read on My Profile can edit on My Profile
SLA Misses	can read on SLA Misses
Task Logs	can read on Task Logs
Website	can read on Website
Menu Access	menu access on Browse menu access on DAG Runs menu access on Documentation menu access on Docs menu access on Jobs menu access on Audit Logs menu access on Plugins menu access on SLA Misses menu access on Task Instances

Viewer

Category	Permissions
DAGs	can read on DAGs
DAG Runs	can read on DAG Runs
Task Instances	can read on Task Instances
Audit Logs	can read on Audit Logs
ImportError	can read on ImportError
XComs	can read on XComs
DAG Code	can read on DAG Code
Plugins	can read on Plugins
DAG Dependencies	can read on DAG Dependencies
Jobs	can read on Jobs
My Password	can read on My Password can edit on My Password
My Profile	can read on My Profile can edit on My Profile
SLA Misses	can read on SLA Misses
Task Logs	can read on Task Logs
Website	can read on Website
Menu Access	menu access on Browse menu access on DAG Runs menu access on Documentation menu access on Docs menu access on Jobs menu access on Audit Logs menu access on Plugins menu access on SLA Misses menu access on Task Instances

Public

• N/A

パーミッション

新規にロールを作成する際に紐づけられるパーミッションは以下の通りです。

Category	Permissions
DAGs	can read on DAGs can edit on DAGs can delete on DAGs
DAG Runs	can read on DAG Runs can edit on DAG Runs can delete on DAG Runs can create on DAG Runs
Task Instances	can read on Task Instances can edit on Task Instances can create on Task Instances can delete on Task Instances
Audit Logs	can read on Audit Logs
ImportError	can read on ImportError
Pools	can delete on Pools can read on Pools can edit on Pools can create on Pools
Providers	can read on Providers
Variables	can delete on Variables can read on Variables can edit on Variables can create on Variables
Connections	can delete on Connections can read on Connections can edit on Connections can create on Connections
XComs	can read on XComs can create on XComs
DAG Code	can read on DAG Code
Configurations	can read on Configurations
Plugins	can read on Plugins
Permissions	can read on Permissions
Roles	can read on Roles can delete on Roles can edit on Roles can create on Roles
Users	can read on Users can create on Users can edit on Users can delete on Users
DAG Dependencies	can read on DAG Dependencies
Jobs	can read on Jobs
My Password	can read on My Password can edit on My Password
My Profile	can read on My Profile can edit on My Profile
Passwords	can read on Passwords can edit on Passwords
SLA Misses	can read on SLA Misses
Task Logs	can read on Task Logs
Website	can read on Website
Permission Views	can read on Permission Views
MenuApi	can get on MenuApi
Menu Access	menu access on Browse menu access on DAG Runs menu access on Documentation menu access on Docs menu access on Jobs menu access on Audit Logs menu access on Plugins menu access on SLA Misses menu access on Task Instances menu access on Admin menu access on Connections menu access on Pools menu access on Variables menu access on XComs can delete on XComs can read on Task Reschedules menu access on Task Reschedules menu access on List Users menu access on Security menu access on List Roles can read on User Stats Chart menu access on User's Statistics menu access on Base Permissions can read on View Menus menu access on Views/Menus menu access on Permission on Views/Menus menu access on Configurations menu access on DAG Dependencies