aaron-wolmutt commented on PR #58292:
URL: https://github.com/apache/airflow/pull/58292#issuecomment-3576655112

   > > > I still do not understand (sorry) how this endpoint could be used to enable/disable buttons on the UI. Let's take an example. I am a user who has permission to trigger only the Dag `test`. What would be the response of such an endpoint, and how would the front-end handle such a response to enable/disable the button?
   > > 
   > > 
   > > In the current state: /ui/auth/me is a convenience endpoint to access the user's information. It is flexible between auth managers. So if you look at the unit tests, the /ui/auth/me response using SimpleAuthManager would be:
   > > ```python
   > >     def test_should_response_200_with_authenticated_user(self, test_client):
   > >         """Test /auth/me endpoint with SimpleAuthManager authenticated user."""
   > >         response = test_client.get("/auth/me")
   > > 
   > >         assert response.status_code == 200
   > >         assert response.json() == {
   > >             "username": "test",
   > >             "id": "test",
   > >             "extras": {"sub": "test", "role": "admin"},
   > >         }
   > > ```
   > > 
   > > So minimally, the endpoint can be used as a convenience to display the username and id in the UI. The role field can be accessed too (i.e. if the role is present and equals viewer, disable all trigger dag buttons by default).
   > > I think the granular permissions-based controls (like in FabAuthManager) or group controls would go in a different endpoint.
   > > Here are the docs for Azure web apps /auth/me usage: https://learn.microsoft.com/en-us/azure/static-web-apps/user-information?tabs=javascript
   > 
   > I am okay with id and username, but we should not expose information such as role; there is no notion of role in Airflow.
   
   The role is included based on the provider auth managers' serialize_user() implementation.
   
   I can remove the extras field completely for the scope of this pull request (convenience API endpoint for the front end to access the username and user id).
   
   Will any of the supported auth managers be role based in the future? Or will Airflow only support permissions based (PBAC)? It looks like the AWS and Keycloak auth managers have a groups attribute as well. There is a role assignment in FAB, but I don't think it's used at all by the front end.
   
   ```python
   class User(Model, BaseUser):
       """Represents an Airflow user which has roles assigned to it."""

       __tablename__ = "ab_user"

       id: Mapped[int] = mapped_column(
           Integer,
           Sequence("ab_user_id_seq", start=1, increment=1, minvalue=1, cycle=False),
           primary_key=True,
       )
       first_name: Mapped[str] = mapped_column(String(64), nullable=False)
       last_name: Mapped[str] = mapped_column(String(64), nullable=False)
       username: Mapped[str] = mapped_column(
           String(512).with_variant(String(512, collation="NOCASE"), "sqlite"), unique=True, nullable=False
       )
       password: Mapped[str | None] = mapped_column(String(256))
       active: Mapped[bool | None] = mapped_column(Boolean, default=True)
       email: Mapped[str] = mapped_column(String(320), unique=True, nullable=False)
       last_login: Mapped[datetime.datetime | None] = mapped_column(DateTime, nullable=True)
       login_count: Mapped[int | None] = mapped_column(Integer, nullable=True)
       fail_login_count: Mapped[int | None] = mapped_column(Integer, nullable=True)
       roles: Mapped[list[Role]] = relationship(
           "Role",
           secondary=assoc_user_role,
           backref="user",
           lazy="selectin",
           passive_deletes=True,
       )
   ```
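
The data-minimisation point raised above (return only id and username from /ui/auth/me, never provider-specific attributes such as role or groups), as an added illustration that is not part of this pull request or of Airflow's code. The allowlist, the `build_auth_me_response` and `leaked_fields` helpers and the sample payloads are all constructed for the example.

```python
"""Hypothetical /ui/auth/me response filter; example code, not Airflow's own.

Whatever an auth manager's serialize_user() returns, the UI endpoint forwards
only the fields the front end needs (id, username) and drops provider-specific
attributes such as `role` or `groups`. All sample payloads below are constructed.
"""
from typing import Any

# Explicit allowlist of keys the /ui/auth/me response may contain.
UI_AUTH_ME_FIELDS: tuple[str, ...] = ("id", "username")


def build_auth_me_response(serialized_user: dict[str, Any]) -> dict[str, Any]:
    """Reduce a serialize_user() payload to the allowlisted keys.

    Raises if a required key is missing so a misconfigured auth manager fails
    loudly instead of returning a half-empty identity to the UI.
    """
    missing = [k for k in UI_AUTH_ME_FIELDS if k not in serialized_user]
    if missing:
        raise ValueError(f"serialized user lacks required fields: {missing}")
    return {k: serialized_user[k] for k in UI_AUTH_ME_FIELDS}


def leaked_fields(payload: dict[str, Any]) -> set[str]:
    """Keys outside the allowlist; empty for a correctly filtered response."""
    return set(payload) - set(UI_AUTH_ME_FIELDS)


# Constructed: the SimpleAuthManager shape quoted in the thread.
SIMPLE_AUTH_ME = {"username": "test", "id": "test",
                  "extras": {"sub": "test", "role": "admin"}}
# Constructed: a group-based manager (AWS/Keycloak style) with a groups list.
GROUP_AUTH_ME = {"username": "alice", "id": "u-42",
                 "groups": ["data-eng", "viewers"]}

if __name__ == "__main__":
    for raw in (SIMPLE_AUTH_ME, GROUP_AUTH_ME):
        filtered = build_auth_me_response(raw)
        print(filtered, "leaked:", leaked_fields(filtered))
```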
   
   

