pierrejeambrun commented on code in PR #42019:
URL: https://github.com/apache/airflow/pull/42019#discussion_r1747016907
##########
airflow/api_ui/app.py:
##########
@@ -32,17 +38,35 @@ def init_dag_bag(app: FastAPI) -> None:
app.state.dag_bag = get_dag_bag()
-def create_app() -> FastAPI:
+def init_flask_app(app: FastAPI, testing: bool = False) -> None:
+ """
+ Auth providers and permission logic are tightly coupled to Flask.
Review Comment:
Just for the sake of it, an example with the `session` backend:

`self.get_user()` will never return anything other than None, because
`get_user` calls `flask_login.current_user`; here is the actual implementation:
```python
def _get_user():
if has_request_context():
if "_login_user" not in g:
current_app.login_manager._load_user()
return g._login_user
return None
```
Once again we need a flask request context that we do not have in our
FastAPI app (and we will most likely never have that because I don't even know
how that would work, FastAPI has its own request lifecycle, and we don't want
to init an extra flask context for each fastapi request)
##########
airflow/api_ui/security.py:
##########
@@ -0,0 +1,106 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from typing import Callable, cast
+
+from fastapi import Depends, HTTPException, Request
+from fastapi.security import HTTPBasic, HTTPBasicCredentials
+from typing_extensions import Annotated
+
+from airflow.auth.managers.base_auth_manager import ResourceMethod
+from airflow.auth.managers.models.base_user import BaseUser
+from airflow.auth.managers.models.resource_details import DagAccessEntity,
DagDetails, DatasetDetails
+from airflow.providers.fab.auth_manager.api.auth.backend.basic_auth import
auth_current_user
+from airflow.providers.fab.auth_manager.models import User
+from airflow.www.extensions.init_auth_manager import get_auth_manager
+
+security = HTTPBasic()
+
+
+def method(request: Request) -> ResourceMethod:
+ return cast(ResourceMethod, request.method)
+
+
+def check_authentication(
+ credentials: Annotated[HTTPBasicCredentials, Depends(security)],
+) -> User | None:
+ """Check that the request has valid authorization information."""
+ # TODO:
+ # - Handle other auth backends
+ # - Handle AUTH_ROLE_PUBLIC
+ user = auth_current_user(credentials)
+ if user is not None:
+ return user
+
+ # since this handler only checks authentication, not authorization,
+ # we should always return 401
+ raise HTTPException(401, headers={"WWW-Authenticate": "Basic"})
+
+
+def _requires_access(
+ *,
+ is_authorized_callback: Callable[[], bool],
+) -> None:
+ if not is_authorized_callback():
+ raise HTTPException(403, "Forbidden")
+
+
+def requires_access_dataset(
+ method: Annotated[ResourceMethod, Depends(method)],
+ uri: str | None = None,
+ user: Annotated[BaseUser | None, Depends(check_authentication)] = None,
+) -> None:
+ _requires_access(
+ is_authorized_callback=lambda:
get_auth_manager().is_authorized_dataset(
+ user=user,
+ method=method,
+ details=DatasetDetails(uri=uri),
+ )
+ )
+
+
+def requires_access_dag(access_entity: DagAccessEntity | None = None) ->
Callable:
+ def inner(
+ method: Annotated[ResourceMethod, Depends(method)],
+ dag_id: str | None = None,
+ user: Annotated[BaseUser | None, Depends(check_authentication)] = None,
+ ) -> None:
+ def callback():
+ access = get_auth_manager().is_authorized_dag(
+ method=method, access_entity=access_entity,
details=DagDetails(id=dag_id), user=user
+ )
+
+ # ``access`` means here:
+ # - if a DAG id is provided (``dag_id`` not None): is the user
authorized to access this DAG
+ # - if no DAG id is provided: is the user authorized to access all
DAGs
+ if dag_id or access or access_entity:
+ return access
+
+ # No DAG id is provided, the user is not authorized to access all
DAGs and authorization is done
+ # on DAG level
+ # If method is "GET", return whether the user has read access to
any DAGs
+ # If method is "PUT", return whether the user has edit access to
any DAGs
+ return (method == "GET" and
any(get_auth_manager().get_permitted_dag_ids(methods=["GET"]))) or (
+ method == "PUT" and
any(get_auth_manager().get_permitted_dag_ids(methods=["PUT"]))
+ )
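Review bot: The fallback at the end of `callback` calls `get_auth_manager().get_permitted_dag_ids(methods=["GET"])` and `...(methods=["PUT"])` without passing the `user` that `check_authentication` already resolved, so this branch authorizes against whatever "current user" the auth manager derives on its own, while the `is_authorized_dag` call a few lines above does pass `user=user`; the two halves of one authorization decision can therefore disagree. If `get_permitted_dag_ids` accepts a `user` argument like `is_authorized_dag` does, both calls should become `any(get_auth_manager().get_permitted_dag_ids(methods=["GET"], user=user))` and `any(get_auth_manager().get_permitted_dag_ids(methods=["PUT"], user=user))`. Separately, `method()` returns `cast(ResourceMethod, request.method)`, which performs no runtime check, so an HTTP method outside `ResourceMethod` (e.g. PATCH) is handed to the auth manager unmapped — the fallback above denies it only because neither the GET nor the PUT branch matches, which is worth stating in a comment such as `# Methods other than GET/PUT have no DAG-level fallback and are denied here`. `inner` ends outside the hunk, so the `return inner` of `requires_access_dag` is not visible here.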
Review Comment:
Just for the sake of it, an example with the `session` backend:

`self.get_user()` will never return anything other than None, because
`get_user` calls `flask_login.current_user`; here is the actual implementation:
```python
def _get_user():
if has_request_context():
if "_login_user" not in g:
current_app.login_manager._load_user()
return g._login_user
return None
```
Once again we need a flask request context that we do not have in our
FastAPI app.