Re: [PR] AIP-84 Add Auth for backfill [airflow]

Tue, 11 Mar 2025 07:34:06 -0700 


vincbeck commented on code in PR #47482:
URL: https://github.com/apache/airflow/pull/47482#discussion_r1989428990


##########
providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py:
##########
@@ -234,6 +243,7 @@ class 
FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_RUN),
         (permissions.ACTION_CAN_READ, RESOURCE_ASSET),
         (permissions.ACTION_CAN_READ, RESOURCE_ASSET_ALIAS),
+        (permissions.ACTION_CAN_READ, RESOURCE_BACKFILL),

Review Comment:
   Other permissions than READ need to be added to the OP role. This is 
something that has been forgotten for AssetAlias, I'll comment on the PR



##########
airflow/api_fastapi/core_api/routes/public/backfills.py:
##########
@@ -149,7 +153,10 @@ def unpause_backfill(backfill_id, session: SessionDep) -> 
BackfillResponse:
             status.HTTP_409_CONFLICT,
         ]
     ),
-    dependencies=[Depends(action_logging())],
+    dependencies=[
+        Depends(action_logging()),

Review Comment:
   Why some endpoints have `Depends(action_logging())` and some have not?



##########
providers/fab/src/airflow/providers/fab/auth_manager/fab_auth_manager.py:
##########
@@ -312,6 +322,11 @@ def is_authorized_dag(
                 for resource_type in resource_types
             )
 
+    def is_authorized_backfill(

Review Comment:
   Please create unit test



##########
providers/amazon/src/airflow/providers/amazon/aws/auth_manager/aws_auth_manager.py:
##########
@@ -154,6 +155,14 @@ def is_authorized_dag(
             context=context,
         )
 
+    def is_authorized_backfill(

Review Comment:
   Please create unit test



##########
airflow/api_fastapi/core_api/routes/public/backfills.py:
##########
@@ -108,6 +110,7 @@ def get_backfill(
             status.HTTP_409_CONFLICT,
         ]
     ),
+    dependencies=[Depends(requires_access_dag(method="PUT", 
access_entity=DagAccessEntity.RUN))],

Review Comment:
   Use `requires_access_backfill` instead?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to