potiuk commented on code in PR #42004: URL: https://github.com/apache/airflow/pull/42004#discussion_r1745247194
########## airflow/auth/managers/simple/simple_auth_manager.py: ########## @@ -0,0 +1,166 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +from __future__ import annotations + +from enum import Enum +from typing import TYPE_CHECKING + +from flask import session, url_for + +from airflow.auth.managers.base_auth_manager import BaseAuthManager, ResourceMethod +from airflow.auth.managers.simple.views.auth import SimpleAuthManagerAuthenticationViews + +if TYPE_CHECKING: + from airflow.auth.managers.models.base_user import BaseUser + from airflow.auth.managers.models.resource_details import ( + AccessView, + ConfigurationDetails, + ConnectionDetails, + DagAccessEntity, + DagDetails, + DatasetDetails, + PoolDetails, + VariableDetails, + ) + from airflow.auth.managers.simple.user import SimpleAuthManagerUser + + +class SimpleAuthManagerRole(Enum): + """List of pre-defined roles in simple auth manager.""" + + # Admin role gives all permissions + ADMIN = "admin" + + # Viewer role gives all read-only permissions + VIEWER = "viewer" + + # User role gives viewer role permissions + access to DAGs + USER = "user" + + # OP role gives user role permissions + access to connections, config, pools, variables + OP = "op" + + +class SimpleAuthManager(BaseAuthManager): + """ + Simple auth manager. + + Default auth manager used in Airflow. This auth manager should not be used in production. + This auth manager is very basic and only intended for development and testing purposes. + + :param appbuilder: the flask app builder + """ + + def is_logged_in(self) -> bool: + return "user" in session + + def get_url_login(self, **kwargs) -> str: + return url_for("SimpleAuthManagerAuthenticationViews.login") + + def get_url_logout(self) -> str: + return url_for("SimpleAuthManagerAuthenticationViews.logout") + + def get_user(self) -> SimpleAuthManagerUser | None: + return session["user"] if self.is_logged_in() else None + + def is_authorized_configuration( + self, + *, + method: ResourceMethod, + details: ConfigurationDetails | None = None, + user: BaseUser | None = None, + ) -> bool: + return self._is_authorized(method=method, roles_to_allow=[SimpleAuthManagerRole.OP.value]) + + def is_authorized_connection( + self, + *, + method: ResourceMethod, + details: ConnectionDetails | None = None, + user: BaseUser | None = None, + ) -> bool: + return self._is_authorized(method=method, roles_to_allow=[SimpleAuthManagerRole.OP.value]) + + def is_authorized_dag( + self, + *, + method: ResourceMethod, + access_entity: DagAccessEntity | None = None, + details: DagDetails | None = None, + user: BaseUser | None = None, + ) -> bool: + return self._is_authorized( + method=method, + roles_to_allow=[SimpleAuthManagerRole.USER.value, SimpleAuthManagerRole.OP.value], + ) + + def is_authorized_dataset( + self, *, method: ResourceMethod, details: DatasetDetails | None = None, user: BaseUser | None = None + ) -> bool: + return self._is_authorized(method=method, roles_to_allow=[SimpleAuthManagerRole.OP.value]) + + def is_authorized_pool( + self, *, method: ResourceMethod, details: PoolDetails | None = None, user: BaseUser | None = None + ) -> bool: + return self._is_authorized(method=method, roles_to_allow=[SimpleAuthManagerRole.OP.value]) + + def is_authorized_variable( + self, *, method: ResourceMethod, details: VariableDetails | None = None, user: BaseUser | None = None + ) -> bool: + return self._is_authorized(method=method, roles_to_allow=[SimpleAuthManagerRole.OP.value]) + + def is_authorized_view(self, *, access_view: AccessView, user: BaseUser | None = None) -> bool: + return self._is_authorized(method="GET") + + def is_authorized_custom_view( + self, *, method: ResourceMethod | str, resource_name: str, user: BaseUser | None = None + ): + return self.is_logged_in() + + def register_views(self) -> None: + self.appbuilder.add_view_no_menu( + SimpleAuthManagerAuthenticationViews( + users=self.appbuilder.get_app.config.get("SIMPLE_AUTH_MANAGER_USERS", []) + ) + ) + + def _is_authorized( + self, + *, + method: ResourceMethod, + roles_to_allow: list[str] | None = None, + ): + """ + Return whether the user is authorized to access a given resource. + + :param method: the method to perform + :param roles_to_allow: list of roles giving access to the resource, if the user's role is one of these roles, they have access + """ + user = self.get_user() + if not user: + return False + role = user.get_role() + if role == SimpleAuthManagerRole.ADMIN.value: + return True + if method == "GET": + return True Review Comment: Ah.. Good point @jedcunningham -> I think it really depends on the granularity level of the basic model implemented here. I'd say we do not have to follow the exact "default" model we have in Airflow - we can simplify it (because if we don't then eventually we will have to implement all the resource management complexity that the FAB resource access model had) I think we should be very precise about the security model that "simple" auth manager implements - and it does not have to be (or even **should not be**) *production ready*. The assumption is that it will **only** be used in development and while it should be "secure by design" - it does not mean that it has to be same as what users had before. But yeah. I think it would be great if that SimpleAutManager reflects 1-1 our [Security Model](https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html) and reflects the basic roles defined there. And yes "Connection Configuration User" is described as a "role" there and "Viewer" should not have access to configuration of the connections. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
