jhtimmins commented on a change in pull request #15311:
URL: https://github.com/apache/airflow/pull/15311#discussion_r612046000
##########
File path: airflow/www/security.py
##########
@@ -516,24 +515,25 @@ def _get_all_roles_with_permissions(self) -> Dict[str,
Role]:
def create_dag_specific_permissions(self) -> None:
"""
- Creates 'can_read' and 'can_edit' permissions for all active and
paused DAGs.
+ Creates 'can_read' and 'can_edit' permissions for all active and
paused DAGs,
+ along with any `access_control` permissions provided in the DAG.
:return: None.
"""
perms = self.get_all_permissions()
- rows = (
- self.get_session.query(models.DagModel.dag_id)
- .filter(or_(models.DagModel.is_active, models.DagModel.is_paused))
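Review bot: The removed `.filter(or_(models.DagModel.is_active, models.DagModel.is_paused))` is what restricted permission creation to active or paused DAGs here, and the updated docstring still promises that scope. The replacement lookup is not visible in this hunk; it should keep an equivalent filter so that DAG rows that are neither active nor paused do not get fresh `can_read`/`can_edit` permissions, or the docstring should be changed to state the new scope. A test with a DAG row where both flags are false would pin the behaviour down.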
Review comment:
I believe that `is_active` and `is_paused` are queried for explicitly bc
a DAG could be in neither state, in which case we don't want to fetch it to
create new permissions.
IIRC it has to do with some historical reason. Something about DAGs getting
deleted in the DB; the record sticks around but they've been soft deleted.
We'll need to account for that when fetching results.
##########
File path: airflow/models/serialized_dag.py
##########
@@ -37,10 +37,25 @@
from airflow.utils import timezone
from airflow.utils.session import provide_session
from airflow.utils.sqlalchemy import UtcDateTime
+from airflow.www.security import AirflowSecurityManager
log = logging.getLogger(__name__)
+class SimpleSecurityManager(AirflowSecurityManager):
+ """Security Manager that doesn't need the whole flask app"""
+
+ def __init__(self): # pylint: disable=super-init-not-called
+ self.session = None
+
+ @property
+ def get_session(self):
+ return self.session
+
+
+security_manager = SimpleSecurityManager()
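Review bot: `SimpleSecurityManager.__init__` skips the parent constructor and sets `self.session = None`, and `security_manager = SimpleSecurityManager()` is then created at import time, so `get_session` returns `None` until some caller assigns a session, and any inherited method that relies on state set up by the parent constructor may fail on this instance. The new `from airflow.www.security import AirflowSecurityManager` also makes the models layer depend on the webserver package. Consider passing the session explicitly to the code that needs it rather than keeping a module-level instance with mutable session state, and document which inherited methods are safe to call without the parent initialisation.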
Review comment:
Ok, after thinking more about this, I don't think we should be extending
the security manager into the `/airflow/models` directory. I'd much rather
create a `sync-permissions` API endpoint if one doesn't exist, and hit that
from the CLI via a separate HTTP request.