Re: [PR] AIP-84 - Add Auth for Assets [airflow]

Mon, 03 Mar 2025 02:00:25 -0800 


pierrejeambrun commented on code in PR #47136:
URL: https://github.com/apache/airflow/pull/47136#discussion_r1977198899


##########
airflow/api_fastapi/core_api/openapi/v1-generated.yaml:
##########
@@ -528,7 +528,17 @@ paths:
       summary: Get Assets
       description: Get assets.
       operationId: get_assets
+      security:
+      - OAuth2PasswordBearer: []
       parameters:
+      - name: asset_id
+        in: query
+        required: false
+        schema:
+          anyOf:
+          - type: string
+          - type: 'null'
+          title: Asset Id

Review Comment:
   I don't think such routes should define a new `asset_id` query param. It 
doesn't make any sense for them to do so. We should be able to have another 
permission function that does not take an `asset_id` and default it to None 
directly, so we can specify it for `list` endpoint like this. 



##########
airflow/api_fastapi/core_api/routes/public/dag_run.py:
##########
@@ -189,6 +190,7 @@ def patch_dag_run(
             status.HTTP_404_NOT_FOUND,
         ]
     ),
+    dependencies=[Depends(requires_access_asset(method="GET"))],

Review Comment:
   Yes, I would still be in favor of at least adding a `TODO` comment so we do 
not forget about it.



##########
airflow/auth/managers/models/resource_details.py:
##########
@@ -46,7 +46,7 @@ class DagDetails:
 class AssetDetails:
     """Represents the details of an asset."""
 
-    uri: str | None = None
+    id: str | None = None

Review Comment:
   I think this will break AF2 model, but this will be deleted soon. 
   
   @vincbeck just need to validate the auth manager changes.



##########
airflow/api_fastapi/core_api/security.py:
##########
@@ -82,6 +82,23 @@ def callback():
     return inner
 
 
+def requires_access_asset(method: ResourceMethod) -> Callable:
+    def inner(
+        asset_id: str | None = None,
+        user: Annotated[BaseUser | None, Depends(get_user)] = None,
+    ) -> None:
+        def callback():
+            return get_auth_manager().is_authorized_asset(
+                method=method, details=AssetDetails(id=asset_id), user=user
+            )
+
+        _requires_access(
+            is_authorized_callback=callback,
+        )
+
+    return inner

Review Comment:
   Maybe something like:
   ```python
   def requires_access_assets(method: ResourceMethod) -> Callable:
       def inner(
               user: Annotated[BaseUser | None, Depends(get_user)] = None,
       ) -> None:
           def callback():
               return get_auth_manager().is_authorized_asset(
                   method=method, details=AssetDetails(id=None), user=user
               )
   
           _requires_access(
               is_authorized_callback=callback,
           )
   
       return inner
   ```
   
   So we do not define an extra `asset_id` param for endpoint that do not take 
an `asset_id` param. (listing assets and all)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to