jason810496 commented on code in PR #59399:
URL: https://github.com/apache/airflow/pull/59399#discussion_r2616899037
##########
providers/amazon/src/airflow/providers/amazon/aws/auth_manager/aws_auth_manager.py:
##########
@@ -247,6 +248,14 @@ def _has_access_to_menu_item(request: IsAuthorizedRequest):
return [menu_item for menu_item in menu_items if
_has_access_to_menu_item(requests[menu_item.value])]
+ def is_allowed(self, user_id: str, assigned_users: Sequence[HITLUser]) ->
bool:
+ """
+ Check if a user is allowed to approve/reject a HITL task.
+
+ User must be in assigned_users list.
+ """
+ return any(user["id"] == user_id for user in assigned_users)
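Review bot: In `is_allowed`, `any(user["id"] == user_id for user in assigned_users)` returns False when `assigned_users` is empty, so under this manager a HITL task with no assignees cannot be approved or rejected by anyone. If that deny-by-default behaviour is intended, state it in the docstring next to "User must be in assigned_users list"; if an empty list is meant to leave the task open, it needs an explicit branch.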
Review Comment:
How about moving the `any(user["id"] == user_id for user in assigned_users)`
condition to `BaseAuthManager`? So that AWS, FAB, KeyCloak manager could reuse
it and only SimpleAuthManager needs to override the logic.
##########
airflow-core/src/airflow/api_fastapi/auth/managers/base_auth_manager.py:
##########
@@ -347,6 +348,15 @@ def filter_authorized_menu_items(self, menu_items:
list[MenuItem], *, user: T) -
:param user: the user
"""
+ @abstractmethod
+ def is_allowed(self, user_id: str, assigned_users: Sequence[HITLUser]) ->
bool:
+ """
+ Check if a user is allowed to approve/reject a HITL task.
+
+ :param user_id: the user id to check
+ :param assigned_users: list of users assigned to the task
+ """
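Review bot: The `@abstractmethod` on `is_allowed` means every existing `BaseAuthManager` subclass, including ones maintained outside this repository, will fail to instantiate until it implements the method. Consider a concrete default here that subclasses can override, and add a `:return:` line saying what True means, since the docstring documents only the two parameters.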
Review Comment:
Would it be better to rename the method as `is_authorized_hitl_task`? Since
`is_allowed` might be too ambiguous for the whole Auth Manager context.