ephraimbuddy commented on pull request #14664: URL: https://github.com/apache/airflow/pull/14664#issuecomment-797031177
> > These would certainly cause confusion for people checking roles and permissions just as it currently does on the UI.
>
> In Web UI, we should also disable it if it doesn't work properly.
>
> > Is there a way we can see Roles and permissions from an LDAP server through airflow?
>
> Probably, when you pass * as the username to `_search_ldap` method, the list of all users will be stored in the search_resulsts variable, but I did not check it.
> https://github.com/dpgaspar/Flask-AppBuilder/blob/dbe1eded6369c199b777836eb08d829ba37634d7/flask_appbuilder/security/manager.py#L845

Hi @mik-laj, after going through the code, I see that we are good with this implementation.

Whatever authentication method is being used, roles for users are set with the AUTH_ROLES_MAPPING config, or with AUTH_USER_REGISTRATION_ROLE if users are to be registered to the DB. These roles must be one of the roles in the FAB DB, that's why it's calculated [here](https://github.com/dpgaspar/Flask-AppBuilder/blob/dbe1eded6369c199b777836eb08d829ba37634d7/flask_appbuilder/security/manager.py#L904) for LDAP. And you can see where roles in AUTH_ROLES_MAPPING are being searched [here](https://github.com/dpgaspar/Flask-AppBuilder/blob/dbe1eded6369c199b777836eb08d829ba37634d7/flask_appbuilder/security/manager.py#L322).

I believe we are good returning roles available in airflow because that's what auths use. The same thing applies to the users endpoint: if user registration is set, users are created in the FAB DB; if not, then there are no users in the DB and there won't be any accident of returning users that were not added through LDAP or remote user.

So I think this is different from secrets 🙁

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
