Skip to content

AIP 84 - Add auth for asset alias #47241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Lee-W merged 13 commits into from
Mar 10, 2025
Merged

AIP 84 - Add auth for asset alias #47241

Lee-W merged 13 commits into from
Mar 10, 2025

Conversation

@rawwar
Copy link
Contributor

@rawwar rawwar commented Mar 1, 2025

related to #42360

@boring-cyborg boring-cyborg bot added area:API Airflow's REST/HTTP API area:UI Related to UI/UX. For Frontend Developers. labels Mar 1, 2025
jason810496
jason810496 reviewed Mar 1, 2025
View reviewed changes
@rawwar rawwar mentioned this pull request Mar 3, 2025
Merged
1 task
@jedcunningham jedcunningham added the AIP-84 Modern Rest API label Mar 4, 2025
@Lee-W Lee-W mentioned this pull request Mar 6, 2025
Closed
47 tasks
@rawwar
Copy link
Contributor Author

rawwar commented Mar 7, 2025

@vincbeck , Since we are now exposing AssetAlias, both AWS auth manager and FAB need to implement is_authorized_asset_alias. Can I add them separately in a different PR or should I covert them here?

@rawwar rawwar marked this pull request as ready for review March 7, 2025 15:52
@rawwar
Copy link
Contributor Author

rawwar commented Mar 7, 2025

"Get alias" and "Get aliases" just show Id, name and group. No details regarding an asset. So, I think there's no need to check if the user has access to the asset referred by these aliases.

wdyt, @Lee-W , @uranusjr

@vincbeck
Copy link
Contributor

vincbeck commented Mar 7, 2025

@vincbeck , Since we are now exposing AssetAlias, both AWS auth manager and FAB need to implement is_authorized_asset_alias. Can I add them separately in a different PR or should I covert them here?

You have to, otherwise mypy will not be happy

vincbeck
vincbeck reviewed Mar 7, 2025
View reviewed changes
Copy link
Contributor

@vincbeck vincbeck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks good. Could you please add unit tests?

@rawwar
Copy link
Contributor Author

rawwar commented Mar 7, 2025
edited
Loading

failed tests do not seem to be related to the changes in this PR.

@vincbeck , can you please retrigger just the failed boto test?

@rawwar rawwar requested review from jason810496 and vincbeck March 7, 2025 18:56
@vincbeck
Copy link
Contributor

vincbeck commented Mar 7, 2025

failed tests do not seem to be related to the changes in this PR.

@vincbeck , can you please retrigger just the failed boto test?

#47512 is the fix

vincbeck
vincbeck reviewed Mar 7, 2025
View reviewed changes
@rawwar rawwar requested a review from vincbeck March 8, 2025 09:52
@uranusjr
Copy link
Member

uranusjr commented Mar 10, 2025

"Get alias" and "Get aliases" just show Id, name and group. No details regarding an asset. So, I think there's no need to check if the user has access to the asset referred by these aliases.

I agree with Get Alias(es) do not need to check asset perm. However, we probably should check alias perms in Get Asset(s) since it shows a list of aliases an asset is associated to. The list should only contain aliases the user has access to.

(This brings up the question if the alias responses should also include a list of associated assets, but that’s a question for another day, and perm check should be added to it if that’s implemented.)

@Lee-W
Copy link
Member

Lee-W commented Mar 10, 2025

"Get alias" and "Get aliases" just show Id, name and group. No details regarding an asset. So, I think there's no need to check if the user has access to the asset referred by these aliases.

I agree with Get Alias(es) do not need to check asset perm. However, we probably should check alias perms in Get Asset(s) since it shows a list of aliases an asset is associated to. The list should only contain aliases the user has access to.

(This brings up the question if the alias responses should also include a list of associated assets, but that’s a question for another day, and perm check should be added to it if that’s implemented.)

Agree. I think the idea is to ensure that users only access the objects they have permissions for. For the asset endpoint, if we return its alias, we should check the alias permission and vice versa.

@pierrejeambrun
Copy link
Member

pierrejeambrun commented Mar 10, 2025

If I understand correctly that is good from an asset_alias endpoints point of views (TP + Wei) as well as from the AuthManager permissions (vincent).

The only thing missing is to add AssetAlias permission check on Asset endpoints ? (I think we can do that in a followup PR, this one focus on asset aliases and it seems to be completed ?)

Lee-W
Lee-W approved these changes Mar 10, 2025
View reviewed changes
Copy link
Member

@Lee-W Lee-W left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, this PR only get asset alias itself without resolving it into assets.

@Lee-W Lee-W merged commit 1e2660b into apache:main Mar 10, 2025
89 checks passed
@rawwar rawwar mentioned this pull request Mar 10, 2025
Closed
2 tasks
@pierrejeambrun pierrejeambrun mentioned this pull request Mar 11, 2025
Merged
@eladkal eladkal mentioned this pull request Mar 26, 2025
Closed
nailo2c pushed a commit to nailo2c/airflow that referenced this pull request Apr 4, 2025
@rawwar @nailo2c
AIP 84 - Add auth for asset alias (apache#47241)
9b12505 
* init auth for asset alias

* update requires_access_asset_alias

* add assetalias related code to fab and AAM

* add RESOURCE_ASSET_ALIAS

* add RESOURCE_ASSET_ALIAS

* add tests

* fix fab tests

* add tests base and simple am
This was referenced Apr 6, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vincbeck vincbeck vincbeck left review comments

@Lee-W Lee-W Lee-W approved these changes

@pierrejeambrun pierrejeambrun pierrejeambrun approved these changes

@ephraimbuddy ephraimbuddy Awaiting requested review from ephraimbuddy

@eladkal eladkal Awaiting requested review from eladkal

@o-nikolas o-nikolas Awaiting requested review from o-nikolas o-nikolas is a code owner

@jason810496 jason810496 Awaiting requested review from jason810496

Assignees

No one assigned

Labels

AIP-84 Modern Rest API area:API Airflow's REST/HTTP API area:UI Related to UI/UX. For Frontend Developers.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@rawwar @vincbeck @uranusjr @Lee-W @pierrejeambrun @jason810496 @jedcunningham