Fix permission check on the ui config endpoint #50564
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jedcunningham
requested review from
bugraoz93,
ephraimbuddy,
jason810496,
pierrejeambrun,
rawwar and
shubhamraj-git
as code owners
This is just config for the UI, not the whole Airflow instances config, which is what the config permission for users controls. If the user doesn't have the config permission, without this change, the user cannot use the UI at all. So, instead we just check that the user is authenticated at all.
jedcunningham
force-pushed
the
fix_ui_without_config_read
branch
from
c56f7d6 to
ff5d0ee
Compare
jedcunningham
commented
May 13, 2025
vincbeck
approved these changes
May 13, 2025
bugraoz93
approved these changes
May 14, 2025
jason810496
reviewed
May 14, 2025
Member
jason810496
left a comment
jason810496
left a comment
There was a problem hiding this comment.
Middleware is applying to all endpoints, right? In this case, we may want to limit if the endpoint is /config.
IMHO, the current requires_authenticated authorization dependency is still more appropriate than using middleware. Middleware is better suited when all routes require the same condition, but in our case, we only want to limit access to the /config endpoint.
Alternatively, using _: GetUserDep directly in the route might be simpler.
I just checked that all UI endpoints use requires_access_<entity> dependencies, except for get_auth_menus, which uses user: GetUserDep.
pierrejeambrun
approved these changes
May 14, 2025
Member
pierrejeambrun
left a comment
pierrejeambrun
left a comment
There was a problem hiding this comment.
Looks good to me.
With the current usage I think the dependency is more convenient than a whole Middleware just for 1 route.
Beside the small nits mentioned above. (GetUserDep)
Co-authored-by: LIU ZHE YOU <68415893+jason810496@users.noreply.github.com>
pierrejeambrun
added
the
backport-to-v3-1-test
Member
Author
|
Merging, failure is unrelated and already fixed. |
github-actions bot
pushed a commit
that referenced
this pull request
May 14, 2025
This is just config for the UI, not the whole Airflow instances config, which is what the config permission for users controls. If the user doesn't have the config permission, without this change, the user cannot use the UI at all. So, instead we just check that the user is authenticated at all. (cherry picked from commit 0dad2bb) Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com> Co-authored-by: LIU ZHE YOU <68415893+jason810496@users.noreply.github.com>
Backport successfully created: v3-0-test
|
github-actions bot
pushed a commit
to aws-mwaa/upstream-to-airflow
that referenced
this pull request
May 14, 2025
) This is just config for the UI, not the whole Airflow instances config, which is what the config permission for users controls. If the user doesn't have the config permission, without this change, the user cannot use the UI at all. So, instead we just check that the user is authenticated at all. (cherry picked from commit 0dad2bb) Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com> Co-authored-by: LIU ZHE YOU <68415893+jason810496@users.noreply.github.com>
pierrejeambrun
pushed a commit
that referenced
this pull request
May 15, 2025
…50619) This is just config for the UI, not the whole Airflow instances config, which is what the config permission for users controls. If the user doesn't have the config permission, without this change, the user cannot use the UI at all. So, instead we just check that the user is authenticated at all. (cherry picked from commit 0dad2bb) Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com> Co-authored-by: LIU ZHE YOU <68415893+jason810496@users.noreply.github.com>
kaxil
pushed a commit
that referenced
this pull request
Jun 3, 2025
…50619) This is just config for the UI, not the whole Airflow instances config, which is what the config permission for users controls. If the user doesn't have the config permission, without this change, the user cannot use the UI at all. So, instead we just check that the user is authenticated at all. (cherry picked from commit 0dad2bb) Co-authored-by: Jed Cunningham <66968678+jedcunningham@users.noreply.github.com> Co-authored-by: LIU ZHE YOU <68415893+jason810496@users.noreply.github.com>
sanederchik
pushed a commit
to sanederchik/airflow
that referenced
this pull request
Jun 7, 2025
This is just config for the UI, not the whole Airflow instances config, which is what the config permission for users controls. If the user doesn't have the config permission, without this change, the user cannot use the UI at all. So, instead we just check that the user is authenticated at all. Co-authored-by: LIU ZHE YOU <68415893+jason810496@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is just config for the UI, not the whole Airflow instances config, which is what the config permission for users controls. If the user doesn't have the config permission, without this change, the user cannot use the UI at all.
So, instead we just check that the user is authenticated at all.
You can reproduce the issue by using this auth manager: