ashb commented on a change in pull request #10594:
URL: https://github.com/apache/airflow/pull/10594#discussion_r483761513



##########
File path: airflow/api_connexion/security.py
##########
@@ -16,25 +16,63 @@
 # under the License.
 
 from functools import wraps
-from typing import Callable, TypeVar, cast
+from typing import Callable, Optional, Sequence, Tuple, TypeVar, cast
 
 from flask import Response, current_app
 
-from airflow.api_connexion.exceptions import Unauthenticated
+from airflow.api_connexion.exceptions import PermissionDenied, Unauthenticated
 
 T = TypeVar("T", bound=Callable)  # pylint: disable=invalid-name
 
 
-def requires_authentication(function: T):
-    """Decorator for functions that require authentication"""
+def check_authentication():
+    """Checks that the request has valid authorization information."""
+    response = current_app.api_auth.requires_authentication(Response)()
+    if response.status_code != 200:
+        # since this handler only checks authentication, not authorization,
+        # we should always return 401
+        raise Unauthenticated(headers=response.headers)
 
-    @wraps(function)
-    def decorated(*args, **kwargs):
-        response = current_app.api_auth.requires_authentication(Response)()
-        if response.status_code != 200:
-            # since this handler only checks authentication, not authorization,
-            # we should always return 401
-            raise Unauthenticated(headers=response.headers)
-        return function(*args, **kwargs)
 
-    return cast(T, decorated)
+def check_authorization(
+    permissions: Optional[Sequence[Tuple[str, str]]] = None, dag_id: Optional[int] = None
+):
+    """Checks that the logged in user has the specified permissions."""
+
+    if not permissions:
+        return
+
+    appbuilder = current_app.appbuilder
+    for permission in permissions:
+        if permission in (('can_read', 'Dag'), ('can_edit', 'Dag')):
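Review bot: `check_authorization` returns early on `if not permissions:`, so a caller that passes `None` or an empty sequence gets an authenticated request with no authorization check at all, and the docstring does not say that this fail-open default is intended. I would either state it in the docstring, e.g. `"""Checks that the logged in user has the specified permissions; with no permissions given, no authorization check is made."""`, or make callers pass the permissions explicitly so a forgotten argument cannot silently skip the check. Separately, `dag_id` is annotated `Optional[int]`, while DAG ids are strings elsewhere in Airflow, so `dag_id: Optional[str] = None` looks like the intended annotation. The body of `check_authorization` continues past the quoted hunk, so how `dag_id` is used in the DAG-level branch is not visible here.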

Review comment:
       Should we check dag level permissions for DagRun/TaskInstance too?
   
   Perhaps anywhere we have a `dag_id` named parameter?



