[GitHub] [airflow] vincbeck commented on a diff in pull request #33213: Implement `is_authorized()` in auth manager

Tue, 15 Aug 2023 13:30:32 -0700 


vincbeck commented on code in PR #33213:
URL: https://github.com/apache/airflow/pull/33213#discussion_r1295078542


##########
airflow/auth/managers/fab/fab_auth_manager.py:
##########
@@ -17,13 +17,37 @@
 # under the License.
 from __future__ import annotations
 
+import itertools
+
 from flask import url_for
 from flask_login import current_user
 
 from airflow import AirflowException
 from airflow.auth.managers.base_auth_manager import BaseAuthManager
 from airflow.auth.managers.fab.models import User
 from airflow.auth.managers.fab.security_manager.override import 
FabAirflowSecurityManagerOverride
+from airflow.auth.managers.models.base_user import BaseUser
+from airflow.auth.managers.models.resource_action import ResourceAction
+from airflow.auth.managers.models.resource_details import ResourceDetails
+from airflow.security.permissions import (
+    ACTION_CAN_ACCESS_MENU,
+    ACTION_CAN_CREATE,
+    ACTION_CAN_DELETE,
+    ACTION_CAN_EDIT,
+    ACTION_CAN_READ,
+    RESOURCE_DAG,
+    RESOURCE_DAG_PREFIX,
+)
+
+_MAP_ACTION_NAME_TO_FAB_ACTION_NAME = {
+    ResourceAction.POST: [ACTION_CAN_CREATE],
+    # ACTION_CAN_READ and ACTION_CAN_ACCESS_MENU are merged into because they 
are very similar.
+    # We can assume that if a user has permissions to read variables, they 
also have permissions to access
+    # the menu "Variables".
+    ResourceAction.GET: [ACTION_CAN_READ, ACTION_CAN_ACCESS_MENU],

Review Comment:
   The only concern is, if user X has `ACCESS_MENU` to given resource but not 
`READ` permissions, it will be breaking experience for him. We have to give 
`READ` permissions to user who have `ACCESS_MENU`.
   
   But I agree, we might too much complexity here to handle this. As you say, 
we might want to remove `ACTION_CAN_ACCESS_MENU`, one way to do it it to 
basically convert `ACTION_CAN_ACCESS_MENU` to `ACTION_CAN_READ` when loading 
permissions for a given user



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to