vincbeck commented on code in PR #37430:
URL: https://github.com/apache/airflow/pull/37430#discussion_r1498347166


##########
airflow/providers/amazon/aws/auth_manager/avp/facade.py:
##########
@@ -116,6 +125,63 @@ def is_authorized(
 
         return resp["decision"] == "ALLOW"
 
+    def batch_is_authorized(
+        self,
+        *,
+        requests: Sequence[IsAuthorizedRequest],
+        user: AwsAuthManagerUser | None,
+    ) -> bool:
+        """
+        Make a batch authorization decision against Amazon Verified 
Permissions.
+
+        Check whether the user has permissions to access given resources.
+
+        :param requests: the list of requests containing the method, the 
entity_type and the entity ID
+        :param user: the user
+        """
+        if user is None:
+            return False
+
+        entity_list = self._get_user_role_entities(user)
+
+        self.log.debug("Making batch authorization request for user=%s, 
requests=%s", user.get_id(), requests)
+
+        avp_requests = [
+            prune_dict(
+                {
+                    "principal": {"entityType": 
get_entity_type(AvpEntities.USER), "entityId": user.get_id()},
+                    "action": {
+                        "actionType": get_entity_type(AvpEntities.ACTION),
+                        "actionId": get_action_id(request["entity_type"], 
request["method"]),
+                    },
+                    "resource": {
+                        "entityType": get_entity_type(request["entity_type"]),
+                        "entityId": request.get("entity_id", "*"),
+                    },
+                    "context": self._build_context(request.get("context")),
+                }
+            )
+            for request in requests
+        ]
+
+        resp = self.avp_client.batch_is_authorized(
+            policyStoreId=self.avp_policy_store_id,
+            requests=avp_requests,
+            entities={"entityList": entity_list},
+        )
+
+        self.log.debug("Authorization response: %s", resp)
+
+        has_errors = any(len(result.get("errors", [])) > 0 for result in 
resp["results"])
+
+        if has_errors:
+            self.log.error(
+                "Error occurred while making a batch authorization decision. 
Result: %s", resp["results"]
+            )
+            raise AirflowException("Error occurred while making a batch 
authorization decision.")
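Review bot: An empty `requests` sequence is not handled before the `self.avp_client.batch_is_authorized(...)` call, so `avp_requests` is sent as an empty list and the outcome depends on the service call and on how `resp["results"]` is reduced to a `bool`, which lies past the end of this quoted hunk. For an authorization check that case is better decided explicitly and fail-closed, for example `if user is None or not requests: return False` in place of the current `if user is None:` guard. The docstring should also state the contract callers rely on: `:return: True only if every request is allowed` (to be confirmed against the return statement, which is not visible here) and `:raises AirflowException: if any result contains errors`.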

Review Comment:
   The only reason is that `resp["results"]` can be a really long list, so having
it in the error message looks wrong to me, but it might not actually matter


