pierrejeambrun commented on code in PR #42019:
URL: https://github.com/apache/airflow/pull/42019#discussion_r1746994315


##########
airflow/api_ui/security.py:
##########
@@ -0,0 +1,106 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from typing import Callable, cast
+
+from fastapi import Depends, HTTPException, Request
+from fastapi.security import HTTPBasic, HTTPBasicCredentials
+from typing_extensions import Annotated
+
+from airflow.auth.managers.base_auth_manager import ResourceMethod
+from airflow.auth.managers.models.base_user import BaseUser
+from airflow.auth.managers.models.resource_details import DagAccessEntity, 
DagDetails, DatasetDetails
+from airflow.providers.fab.auth_manager.api.auth.backend.basic_auth import 
auth_current_user
+from airflow.providers.fab.auth_manager.models import User
+from airflow.www.extensions.init_auth_manager import get_auth_manager
+
+security = HTTPBasic()
+
+
+def method(request: Request) -> ResourceMethod:
+    return cast(ResourceMethod, request.method)
+
+
+def check_authentication(
+    credentials: Annotated[HTTPBasicCredentials, Depends(security)],
+) -> User | None:
+    """Check that the request has valid authorization information."""
+    # TODO:
+    #    - Handle other auth backends
+    #    - Handle AUTH_ROLE_PUBLIC
+    user = auth_current_user(credentials)
+    if user is not None:
+        return user
+
+    # since this handler only checks authentication, not authorization,
+    # we should always return 401
+    raise HTTPException(401, headers={"WWW-Authenticate": "Basic"})
+
+
+def _requires_access(
+    *,
+    is_authorized_callback: Callable[[], bool],
+) -> None:
+    if not is_authorized_callback():
+        raise HTTPException(403, "Forbidden")
+
+
+def requires_access_dataset(
+    method: Annotated[ResourceMethod, Depends(method)],
+    uri: str | None = None,
+    user: Annotated[BaseUser | None, Depends(check_authentication)] = None,
+) -> None:
+    _requires_access(
+        is_authorized_callback=lambda: 
get_auth_manager().is_authorized_dataset(
+            user=user,
+            method=method,
+            details=DatasetDetails(uri=uri),
+        )
+    )
+
+
+def requires_access_dag(access_entity: DagAccessEntity | None = None) -> 
Callable:
+    def inner(
+        method: Annotated[ResourceMethod, Depends(method)],
+        dag_id: str | None = None,
+        user: Annotated[BaseUser | None, Depends(check_authentication)] = None,
+    ) -> None:
+        def callback():
+            access = get_auth_manager().is_authorized_dag(
+                method=method, access_entity=access_entity, 
details=DagDetails(id=dag_id), user=user
+            )
+
+            # ``access`` means here:
+            # - if a DAG id is provided (``dag_id`` not None): is the user 
authorized to access this DAG
+            # - if no DAG id is provided: is the user authorized to access all 
DAGs
+            if dag_id or access or access_entity:
+                return access
+
+            # No DAG id is provided, the user is not authorized to access all 
DAGs and authorization is done
+            # on DAG level
+            # If method is "GET", return whether the user has read access to 
any DAGs
+            # If method is "PUT", return whether the user has edit access to 
any DAGs
+            return (method == "GET" and 
any(get_auth_manager().get_permitted_dag_ids(methods=["GET"]))) or (
+                method == "PUT" and 
any(get_auth_manager().get_permitted_dag_ids(methods=["PUT"]))
+            )
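Review bot: The fallback at the end of `callback` calls `get_permitted_dag_ids(methods=["GET"])` and `get_permitted_dag_ids(methods=["PUT"])` without the `user` that `check_authentication` resolved, while the `is_authorized_dag` call just above passes `user=user` explicitly. Unless the auth manager can recover the same identity on its own inside a FastAPI request (not visible in this hunk), the two checks may be evaluated for different principals, or for none at all. I would pass the user through in both calls, e.g. `any(get_auth_manager().get_permitted_dag_ids(methods=["GET"], user=user))`. Separately, the comment says "``dag_id`` not None" but the guard is `if dag_id or access or access_entity:`, so an empty-string `dag_id` also takes the any-DAG path; `dag_id is not None` would match the comment. `inner` and `requires_access_dag` continue past the end of this hunk.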

Review Comment:
   I understand your point and this makes sense. I do not have any strong 
opinion on that because I feel like both approaches can be justified depending on 
how we want to build our permission model.
   
   In its original form, suppose a user requests resources 1, 2 and 3. If he is 
missing permissions on one of those resources, I can understand that the 
request is denied because he is basically forbidden from making that request.
   
   Failing silently could have some weird user implications; for instance, we 
return only the things that you actually have access to, i.e. 1 and 2. Then the 
request is successful (200) from a user point of view, but actually contains 
only part of the information that the user needs. The user has no other 
way than checking the entire content of the request to see if he is missing 
some information or not.


