pierrejeambrun commented on code in PR #47136:
URL: https://github.com/apache/airflow/pull/47136#discussion_r1975745944
##########
airflow/api_fastapi/core_api/routes/public/assets.py:
##########
@@ -440,7 +449,7 @@ def delete_asset_queued_events(
status.HTTP_404_NOT_FOUND,
]
),
- dependencies=[Depends(action_logging())],
+ dependencies=[Depends(requires_access_asset(method="DELETE")),
Depends(action_logging())],
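Review bot: the new authorization dependency only scopes this check to one asset if FastAPI can bind the `uri` argument of the `requires_access_asset` inner dependency from this route's path parameter; per the security.py hunk, `uri` defaults to `None`, so a parameter-name mismatch would silently turn this into the collection-level check. Worth confirming the route parameter is literally named `uri`, in addition to the DAG-level check raised in the comment. Placing the access check ahead of `Depends(action_logging())` is the right order, so that a denied request is not recorded as a performed action.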
Review Comment:
Missing dag access GET?
##########
tests/api_fastapi/core_api/routes/public/test_dag_run.py:
##########
@@ -1073,6 +1073,12 @@ def test_should_respond_200(self, test_client,
dag_maker, session):
}
assert response.json() == expected_response
+ def test_should_respond_401(self, unauthenticated_test_client):
+ response = unauthenticated_test_client.get(
+
"/public/dags/TEST_DAG_ID/dagRuns/TEST_DAG_RUN_ID/upstreamAssetEvents",
+ )
+ assert response.status_code == 401
+
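Review bot: the added test exercises only the authentication branch (401); the authorization dependency introduced by this PR has no negative test on this endpoint, so a 403 case with an authenticated client that lacks asset GET access should sit beside it. The 401 case is sound as written: since `TEST_DAG_ID` and `TEST_DAG_RUN_ID` need not exist, getting 401 rather than 404 shows the auth dependency runs before any lookup.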
Review Comment:
Why no 403 here?
##########
airflow/api_fastapi/core_api/security.py:
##########
@@ -82,6 +82,23 @@ def callback():
return inner
+def requires_access_asset(method: ResourceMethod) -> Callable:
+ def inner(
+ uri: str | None = None,
+ user: Annotated[BaseUser | None, Depends(get_user)] = None,
+ ) -> None:
+ def callback():
+ return get_auth_manager().is_authorized_asset(
+ method=method, details=AssetDetails(uri=uri), user=user
+ )
+
+ _requires_access(
+ is_authorized_callback=callback,
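Review bot: `inner` carries no docstring, and its `uri: str | None = None` default means any route without a `uri` parameter silently produces `AssetDetails(uri=None)`; the intended semantics of that case (a collection-level "all assets" check, or a deny) should be stated in a docstring and covered by a test, and the auth manager's `is_authorized_asset` should be confirmed to treat a `None` uri as the collection case rather than as an asset that does not exist. The hunk is cut off after `is_authorized_callback=callback,`, so the remaining `_requires_access` arguments cannot be checked here.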
Review Comment:
Something I don't understand: where is the part handled where `uri` is
`None` and we therefore need access on 'all' assets?
##########
airflow/api_fastapi/core_api/routes/public/assets.py:
##########
@@ -465,7 +474,7 @@ def delete_dag_asset_queued_events(
status.HTTP_404_NOT_FOUND,
]
),
- dependencies=[Depends(action_logging())],
+ dependencies=[Depends(requires_access_asset(method="DELETE")),
Depends(action_logging())],
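Review bot: delete_dag_asset_queued_events is scoped by DAG, yet the only check added is asset DELETE; unless `uri` is a required path parameter on this route, the dependency resolves `uri` to `None` (see the security.py hunk) and the check no longer names any specific resource. A DAG-level access check, as the comment asks, is what actually ties the deletion to a DAG the caller is allowed to act on.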
Review Comment:
Missing dag access "GET"?
##########
airflow/api_fastapi/core_api/routes/public/dag_run.py:
##########
@@ -189,6 +190,7 @@ def patch_dag_run(
status.HTTP_404_NOT_FOUND,
]
),
+ dependencies=[Depends(requires_access_asset(method="GET"))],
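Review bot: patch_dag_run is a mutating endpoint, but the only dependency added is a read-level permission (`requires_access_asset(method="GET")`), so a caller with nothing more than asset read access would pass this gate. The asset check is at most secondary here; the DAG-run authorization (`requires_access_dag` with `DagAccessEntity.RUN`, as the comment notes) should be added in this PR rather than deferred to a TODO, and the method passed to it reviewed against the fact that PATCH modifies the run.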
Review Comment:
Add a todo; we also need `@security.requires_access_dag("GET",
DagAccessEntity.RUN)`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]