potiuk commented on issue #57966:
URL: https://github.com/apache/airflow/issues/57966#issuecomment-3599529059
> I was thinking that the call would happen after login. So, the user
authenticates, the /ui/auth/meta/permissions API is called, then an
authorization object persisted to local storage.
Yeah. @aaron-wolmutt -> I think you did not really grasp the way how Auth
Manager works. We have (and that's a deliberate decision) no single place where
we keep all permissions that user has. This is delegated to the AuthManager and
we just ask if we can do "this thing". And we **always** query "can I do THAT?"
before we do THAT (this can be cached by Auth Manager, but it's totally
dependent on implementation of the Auth Manager and is only possible if there
is no **dynamic** THAT permission.
The thing is that the THAT can contain (dag_id) for example. There might be
completely different answer from the Auth Manager when you ask:
* Can I trigger Dag A
* Can I trigger Dag B
And the logic which Dags can be triggered can be arbitrary complex and fully
implemented in the Auth Manager implementation. For example in LDAP Auth
Manager you could have separate database for:
* users
* departments
* dags
The department can be taken from some [LDAP
attribute](https://www.ibm.com/docs/en/cip?topic=api-user-identity-attributes)
- for example `departmentNumber` to get your department, and ten you can query
dag list to see which dags are assigned to which departments. This is
**entirely** dependent on the Auth Manager implementation, how complex and
flexible it is. But eventually if you have 100.000 Dags - you would have to
retrieve and cache 100.000 values "Can I trigger Dag X" for each user - and
retrieve them right after login. Simply "permission" query contains also
"resource id" as parameter - and result of the query can be different for each
"resource".
There is simply no "fixed" set of permission + resource combinations that
user can enumerate effectively. This is why you need to query (Can I Trigger
Dag 123) **just about** when you are going to show "Trigger Dag 123" button.
You should also optimise such call for dag list - by being able to have one
"Can I trigger Dags" fo all (say) 20 Dags you are about to display - and return
the answer in one response for all 20 of them.
But you cannot have "all permissions" for "all dags" combination. That would
be just infeasible and require huge queries to backend (say LDAP) when you want
to retrieve all those.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
