aaron-wolmutt commented on issue #57966: URL: https://github.com/apache/airflow/issues/57966#issuecomment-3576954496
> > The downside of this solution is we need to create many new endpoints, even though the implementation of these endpoints would be pretty thin. [@pierrejeambrun](https://github.com/pierrejeambrun)
> >
> > Interesting. I think we definitely need a way to call the backend to know if we have permissions or not to achieve something.
> >
> > I'm not a big fan of having a multitude of option endpoints to get those permissions but this makes me think of something related.
> >
> > To what extent is that possible to have a `meta permission endpoint`, that accept a list of permissions object and returns true/false for each of them.
> >
> > Example, we can pass `[(method, access_entity, entity_id), ...]`, i.e. `[(POST, DagAccessEntity.RUN, test_id)]`, to know if I can trigger this dag. If in the same page I can also update a RUN, I can pass alongside the `[(POST, DagAccessEntity.RUN, test_id), (PUT, DagAccessEntity.RUN, run_id)]`.
> >
> > We can refine the structure, but that's the idea.

I like the idea of having role-based authorization available in addition to the permissions based as a convenience. So, the trigger DAG button is disabled by default if the user is assigned a role, and that role is viewer. Otherwise (or if the role is higher privilege), fall back to the permissions-based API. I am trying to discuss the API convenience in this PR #58292.

Is Fab the only permissions based authorization or are there other auth managers that have permissions based? It looks like permissions based is already started in the /ui/auth routes.
Some unit testing from airflow-core/tests/unit/api_fastapi/core_api/routes/ui/test_auth.py:

```
class TestGetAuthLinks:
    @mock.patch("airflow.api_fastapi.core_api.routes.ui.auth.get_auth_manager")
    def test_should_response_200(self, mock_get_auth_manager, test_client):
        mock_get_auth_manager.return_value.get_authorized_menu_items.return_value = [
            MenuItem.VARIABLES,
            MenuItem.CONNECTIONS,
        ]
        mock_get_auth_manager.return_value.get_extra_menu_items.return_value = [
            ExtraMenuItem(text="name1", href="path1"),
            ExtraMenuItem(text="name2", href="path2"),
        ]

        response = test_client.get("/auth/menus")

        assert response.status_code == 200
        assert response.json() == {
            "authorized_menu_items": ["Variables", "Connections"],
            "extra_menu_items": [
                {"text": "name1", "href": "path1"},
                {"text": "name2", "href": "path2"},
            ],
        }

    def test_with_unauthenticated_user(self, unauthenticated_test_client):
        response = unauthenticated_test_client.get("/auth/menus")
        assert response.status_code == 401
        assert response.json() == {"detail": "Not authenticated"}

    @mock.patch.object(SimpleAuthManager, "filter_authorized_menu_items", return_value=[])
    def test_with_unauthorized_user(self, _, unauthorized_test_client):
        response = unauthorized_test_client.get("/auth/menus")
        assert response.status_code == 200
        assert response.json() == {"authorized_menu_items": [], "extra_menu_items": []}
```

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
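A sketch of the `meta permission endpoint` idea quoted above, combined with the viewer-role shortcut from the reply, as an added example that is not Airflow code or code from the thread. `Entity`, `Check`, `GRANTS`, `ROLES`, `MAX_BATCH` and `check_permissions` are hypothetical names, and the grant and role data are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Entity(Enum):  # hypothetical stand-in for the DagAccessEntity named in the thread
    RUN = "RUN"
    CODE = "CODE"


@dataclass(frozen=True)
class Check:
    method: str
    entity: Entity
    entity_id: str


# Constructed sample data: per-user grants as (method, entity, id or "*" wildcard).
GRANTS = {
    "alice": {("POST", Entity.RUN, "test_id"), ("GET", Entity.RUN, "*")},
    # bob carries a stray write grant to show that the role shortcut wins.
    "bob": {("GET", Entity.RUN, "*"), ("PUT", Entity.RUN, "run_id")},
}
ROLES = {"alice": "op", "bob": "viewer"}
WRITE_METHODS = {"POST", "PUT", "DELETE"}
MAX_BATCH = 50  # assumed cap so one request cannot ask for an unbounded number of decisions


def is_authorized(user: str, check: Check) -> bool:
    """One decision, deny by default."""
    if check.method not in WRITE_METHODS | {"GET"}:
        return False
    # Role shortcut from the reply: a viewer never gets a write action.
    if ROLES.get(user) == "viewer" and check.method in WRITE_METHODS:
        return False
    # Otherwise fall back to the permission-based lookup.
    grants = GRANTS.get(user, set())
    exact = (check.method, check.entity, check.entity_id)
    wildcard = (check.method, check.entity, "*")
    return exact in grants or wildcard in grants


def check_permissions(user: str, checks: list[Check]) -> list[bool]:
    """Batch form: one true/false per requested tuple, in request order.

    The result only drives UI state such as a disabled button; the mutating
    endpoints still run their own authorization check.
    """
    if len(checks) > MAX_BATCH:
        raise ValueError("too many permission checks in one request")
    return [is_authorized(user, c) for c in checks]
```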
