Implement `is_authorized()` in auth manager #33213
@potiuk You might be interested in this one if you have time. It is pretty important/impactful since it is defining and updating the authorization model used to check whether a user has permissions to make a specific action on a given resource.
First pass ...done.
Thank you! 🥳
Nice. It also very nicely simplifies the decorators used for views.
Needs to resolve conflicts. @uranusjr?
@@ -35,16 +44,100 @@ def get_access_denied_message(): | |||
return conf.get("webserver", "access_denied_message") | |||
|
|||
|
|||
def has_access(permissions: Sequence[tuple[str, str]] | None = None) -> Callable[[T], T]: |
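Review bot: the `has_access(permissions: Sequence[tuple[str, str]] | None = None)` definition on the last line of this hunk is a decorator entry point, and the header shows this region growing from 16 to 100 lines, so callers that import it need a compatibility path if its behaviour or signature changes. The thread reports plugins importing `airflow.www.auth.has_access`; consider keeping a wrapper with this exact signature that forwards to the new `is_authorized()` check and emits a `DeprecationWarning`, and record the change in a `{pr_number}.significant.rst` newsfragment.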
@vincbeck This is a breaking change for us, we have a plugin that uses this method. Can we please keep this method and work around it?
Sadly it is really impossible to keep all the code in case someone uses that code in their own code (DAGs, plugins, ...). This goes back to the definition of public interface in Airflow and the security manager is not part of it. However, there is an option in Airflow where you can bring your own security manager using the constant `SECURITY_MANAGER_CLASS`; even though this is not part of the public interface, we did not want to break user experience in case they are using a custom security manager so we handled it. But in your case, I feel like you need to update your code.
`has_access` has been in use by plugins since Airflow 1.10 - way before we had any formal definition of what was public or not.
In short: this is a breaking change and needs fixing
+1, in our plugins we also use `airflow.www.auth.has_access` - if there is any alternative we could migrate before but maybe there are a lot of other plugins and users "in the wild" relying on this. So if the function at least is kept as a proxy to the new implementation it would be good. I also do not know any other alternative for the current main version how to check authentication for plugins if not using this method.
Resolves #32204.
Implement the method `is_authorized()` in auth manager. The purpose of this method is to be the user authorization decision maker. The purpose of this method is to check whether the current user (or any user) is authorized to make an action on a given resource. In this PR I use it only in the decorator `auth.has_access()` but I aim to use it anywhere we need to check user permissions. For more information on the signature of `is_authorized`, please look at AIP-56 section "Authorization flow".
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named `{pr_number}.significant.rst` or `{issue_number}.significant.rst`, in newsfragments.
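
A sketch of the proxy approach requested in the thread, added here as an example and not code from this PR or from Airflow: a `has_access(permissions)` decorator with the old call shape that forwards every decision to an auth manager's `is_authorized()`. `DemoAuthManager`, `AccessDenied`, `make_has_access`, the `(action, resource, user)` argument order and the `(action, resource)` pair layout are assumptions for illustration; the real signature is defined in AIP-56.

```python
import functools
import warnings


class AccessDenied(Exception):
    """Raised instead of running the view when authorization fails."""


class DemoAuthManager:
    """Hypothetical stand-in for an auth manager (not Airflow's class)."""

    def __init__(self, grants):
        self._grants = grants  # constructed data: user -> {(action, resource)}

    def is_authorized(self, action, resource, user):
        # Assumed signature. Unknown users have no grants: deny by default.
        return (action, resource) in self._grants.get(user, set())


def make_has_access(manager, get_user):
    """Build a has_access(permissions) proxy that keeps the old call shape."""

    def has_access(permissions=None):
        warnings.warn("has_access() now proxies is_authorized()",
                      DeprecationWarning, stacklevel=2)
        required = tuple(permissions or ())

        def decorator(view):
            @functools.wraps(view)
            def wrapper(*args, **kwargs):
                user = get_user()  # resolved per request, not at import time
                # Choice made in this sketch: anonymous callers are always
                # denied, even when no permission pairs were listed.
                allowed = user is not None and all(
                    manager.is_authorized(action, resource, user)
                    for action, resource in required
                )
                if not allowed:
                    raise AccessDenied(f"user {user!r} lacks {required}")
                return view(*args, **kwargs)

            return wrapper

        return decorator

    return has_access
```

Decorating a view with `has_access([("can_read", "DAGs")])` emits the deprecation warning once at decoration time, while the authorization decision is made on every call.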