o-nikolas commented on code in PR #35804: URL: https://github.com/apache/airflow/pull/35804#discussion_r1403683906
########## airflow/providers/amazon/aws/auth_manager/avp/facade.py: ########## 
@@ -0,0 +1,125 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +from __future__ import annotations + +from functools import cached_property +from typing import TYPE_CHECKING, Callable + +from airflow.configuration import conf +from airflow.exceptions import AirflowException +from airflow.providers.amazon.aws.auth_manager.avp.entities import AvpEntities, get_action_id, get_entity_type +from airflow.providers.amazon.aws.auth_manager.constants import ( + CONF_AVP_POLICY_STORE_ID_KEY, + CONF_CONN_ID_KEY, + CONF_SECTION_NAME, +) +from airflow.providers.amazon.aws.hooks.verified_permissions import VerifiedPermissionsHook +from airflow.utils.log.logging_mixin import LoggingMixin + +if TYPE_CHECKING: + from airflow.auth.managers.base_auth_manager import ResourceMethod + from airflow.providers.amazon.aws.auth_manager.user import AwsAuthManagerUser + + +class AwsAuthManagerAmazonVerifiedPermissionsFacade(LoggingMixin): + """ + Facade for Amazon Verified Permissions. + + Used as an intermediate layer between AWS auth manager and Amazon Verified Permissions. 
+ """ + + @cached_property + def avp_client(self): + """Build Amazon Verified Permissions client.""" + aws_conn_id = conf.get(CONF_SECTION_NAME, CONF_CONN_ID_KEY) + return VerifiedPermissionsHook(aws_conn_id=aws_conn_id).conn + + @cached_property + def avp_policy_store_id(self): + """Get the Amazon Verified Permission policy store ID from config.""" + return conf.get_mandatory_value(CONF_SECTION_NAME, CONF_AVP_POLICY_STORE_ID_KEY) + + def is_authorized( + self, + *, + method: ResourceMethod, + entity_type: AvpEntities, + user: AwsAuthManagerUser, + entity_id: str | None = None, + entity_fetcher: Callable | None = None, + ) -> bool: + """ + Make an authorization decision against Amazon Verified Permissions. + + Check whether the user has permissions to access given resource. + + :param method: the method to perform + :param entity_type: the entity type the user accesses + :param user: the user + :param entity_id: the entity ID the user accesses. If not provided, all entities of the type will be + considered. + :param entity_fetcher: function that returns list of entities to be passed to Amazon Verified + Permissions. Only needed if some resource properties are used in the policies (e.g. DAG folder). + """ + entity_list = self._get_user_role_entities(user) + if entity_fetcher and entity_id: + # If no entity ID is provided, there is no need to fetch entities. + # We just need to know whether the user has permissions to access all resources from this type + entity_list += entity_fetcher() + + self.log.debug( + "Making authorization request for method=%s, entity_type=%s, entity_id=%s", Review Comment: Is it worth adding the user to this debug message? ########## airflow/providers/amazon/aws/auth_manager/avp/facade.py: ########## 
@@ -0,0 +1,125 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +from __future__ import annotations + +from functools import cached_property +from typing import TYPE_CHECKING, Callable + +from airflow.configuration import conf +from airflow.exceptions import AirflowException +from airflow.providers.amazon.aws.auth_manager.avp.entities import AvpEntities, get_action_id, get_entity_type +from airflow.providers.amazon.aws.auth_manager.constants import ( + CONF_AVP_POLICY_STORE_ID_KEY, + CONF_CONN_ID_KEY, + CONF_SECTION_NAME, +) +from airflow.providers.amazon.aws.hooks.verified_permissions import VerifiedPermissionsHook +from airflow.utils.log.logging_mixin import LoggingMixin + +if TYPE_CHECKING: + from airflow.auth.managers.base_auth_manager import ResourceMethod + from airflow.providers.amazon.aws.auth_manager.user import AwsAuthManagerUser + + +class AwsAuthManagerAmazonVerifiedPermissionsFacade(LoggingMixin): Review Comment: This is kind of like a Hook. I wonder if it makes sense for most (if not all?) of this code to be in the Hook class you also have in this PR? Perhaps future AVP operators may use some of that code in the future and there'd be less code duplication. 
########## airflow/providers/amazon/aws/auth_manager/avp/entities.py: ########## @@ -0,0 +1,57 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +from __future__ import annotations + +from enum import Enum +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + from airflow.auth.managers.base_auth_manager import ResourceMethod + +AVP_PREFIX_ENTITIES = "Airflow::" + + +class AvpEntities(Enum): + """Enum of Amazon Verified Permissions entities.""" + + ACTION = "Action" + ROLE = "Role" + VARIABLE = "Variable" + USER = "User" + + +def get_entity_type(resource_type: AvpEntities) -> str: Review Comment: You could update `__new__` on the Enum to add the `AVP_PREFIX_ENTITIES` prefix to the values. Then you could just use `.value` on the Enums, might be a bit cleaner ########## airflow/providers/amazon/aws/auth_manager/constants.py: ########## 
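Review bot: The `AvpEntities` values are bare entity type names that `get_entity_type` presumably combines with `AVP_PREFIX_ENTITIES` into the `Airflow::` namespaced form, so they have to match the entity types declared in the policy store's schema, yet nothing in the enum says so. A comment under the class docstring, `# Values are the entity type names from the policy store schema (without the "Airflow::" namespace); keep them in sync with the schema when adding a member.`, would tell the next contributor what adding a member entails. The body of `get_entity_type` lies outside the hunk.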
@@ -18,6 +18,8 @@ # Configuration keys from __future__ import annotations +CONF_ENABLE_KEY = "enable" CONF_SECTION_NAME = "aws_auth_manager" +CONF_CONN_ID_KEY = "conn_id" Review Comment: Nit: Maybe give this a less generic name? I know it's under a section that makes it unique, but I think it's helpful to give it a more specific name. `aws_auth_mngr_conn_id`, `aws_auth_conn_id`, etc?
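Review bot: `CONF_ENABLE_KEY` is inserted above `CONF_SECTION_NAME` while `CONF_CONN_ID_KEY` goes below it, so the section name now sits in the middle of its own option keys. Keeping `CONF_SECTION_NAME` first and grouping the option keys after it (`CONF_ENABLE_KEY`, `CONF_CONN_ID_KEY`, and the rest) reads more clearly, and a short comment above the keys such as `# Option keys under the [aws_auth_manager] section` would make the grouping explicit.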
