Skip to content

Create HITL specific permission for core-API #54043

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Lee-W merged 5 commits into from
Aug 5, 2025
Merged

Create HITL specific permission for core-API #54043

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
48f31ac
hitl permission draft
sjyangkevin Aug 2, 2025
1a0df75
add RESOURCE_HITL_DETAIL and make it a DagAccessEntity
sjyangkevin Aug 2, 2025
2cf6140
configure permissions
sjyangkevin Aug 3, 2025
aed33cf
import and register RESOURCE_HITL_DETAIL only after 3.1.0, and remove…
sjyangkevin Aug 4, 2025
fffaeea
make and fab auth manager import and test file import version compati…
sjyangkevin Aug 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions airflow-core/src/airflow/api_fastapi/auth/managers/models/resource_details.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,7 @@ class DagAccessEntity(Enum):
AUDIT_LOG = "AUDIT_LOG"
CODE = "CODE"
DEPENDENCIES = "DEPENDENCIES"
HITL_DETAIL = "HITL_DETAIL"
RUN = "RUN"
TASK = "TASK"
TASK_INSTANCE = "TASK_INSTANCE"
Expand Down
10 changes: 5 additions & 5 deletions airflow-core/src/airflow/api_fastapi/core_api/routes/public/hitl.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -173,7 +173,7 @@ def _get_hitl_detail(
status.HTTP_409_CONFLICT,
]
),
dependencies=[Depends(requires_access_dag(method="GET", access_entity=DagAccessEntity.TASK_INSTANCE))],
dependencies=[Depends(requires_access_dag(method="PUT", access_entity=DagAccessEntity.HITL_DETAIL))],
)
def update_hitl_detail(
dag_id: str,
Expand Down Expand Up @@ -203,7 +203,7 @@ def update_hitl_detail(
status.HTTP_409_CONFLICT,
]
),
dependencies=[Depends(requires_access_dag(method="GET", access_entity=DagAccessEntity.TASK_INSTANCE))],
dependencies=[Depends(requires_access_dag(method="PUT", access_entity=DagAccessEntity.HITL_DETAIL))],
)
def update_mapped_ti_hitl_detail(
dag_id: str,
Expand All @@ -230,7 +230,7 @@ def update_mapped_ti_hitl_detail(
"/{dag_id}/{dag_run_id}/{task_id}",
status_code=status.HTTP_200_OK,
responses=create_openapi_http_exception_doc([status.HTTP_404_NOT_FOUND]),
dependencies=[Depends(requires_access_dag(method="GET", access_entity=DagAccessEntity.TASK_INSTANCE))],
dependencies=[Depends(requires_access_dag(method="GET", access_entity=DagAccessEntity.HITL_DETAIL))],
)
def get_hitl_detail(
dag_id: str,
Expand All @@ -252,7 +252,7 @@ def get_hitl_detail(
"/{dag_id}/{dag_run_id}/{task_id}/{map_index}",
status_code=status.HTTP_200_OK,
responses=create_openapi_http_exception_doc([status.HTTP_404_NOT_FOUND]),
dependencies=[Depends(requires_access_dag(method="GET", access_entity=DagAccessEntity.TASK_INSTANCE))],
dependencies=[Depends(requires_access_dag(method="GET", access_entity=DagAccessEntity.HITL_DETAIL))],
)
def get_mapped_ti_hitl_detail(
dag_id: str,
Expand All @@ -274,7 +274,7 @@ def get_mapped_ti_hitl_detail(
@hitl_router.get(
"/",
status_code=status.HTTP_200_OK,
dependencies=[Depends(requires_access_dag(method="GET", access_entity=DagAccessEntity.TASK_INSTANCE))],
dependencies=[Depends(requires_access_dag(method="GET", access_entity=DagAccessEntity.HITL_DETAIL))],
)
def get_hitl_details(
limit: QueryLimit,
Expand Down
1 change: 1 addition & 0 deletions providers/fab/src/airflow/providers/fab/auth_manager/fab_auth_manager.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,6 +175,7 @@
from airflow.providers.fab.www.security.permissions import RESOURCE_HITL_DETAIL

_MAP_MENU_ITEM_TO_FAB_RESOURCE_TYPE[MenuItem.REQUIRED_ACTIONS] = RESOURCE_HITL_DETAIL
_MAP_DAG_ACCESS_ENTITY_TO_FAB_RESOURCE_TYPE[DagAccessEntity.HITL_DETAIL] = (RESOURCE_HITL_DETAIL,)


class FabAuthManager(BaseAuthManager[User]):
Expand Down
86 changes: 86 additions & 0 deletions providers/fab/tests/unit/fab/auth_manager/test_fab_auth_manager.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,62 @@
RESOURCE_WEBSITE,
)

from tests_common.test_utils.version_compat import AIRFLOW_V_3_1_PLUS

if AIRFLOW_V_3_1_PLUS:
from airflow.providers.fab.www.security.permissions import RESOURCE_HITL_DETAIL

HITL_ENDPOINT_TESTS = [
# With global permissions on Dags, but no permission on HITL Detail
(
"GET",
DagAccessEntity.HITL_DETAIL,
None,
[(ACTION_CAN_READ, RESOURCE_DAG)],
False,
),
# With global permissions on Dags, but no permission on HITL Detail
(
"PUT",
DagAccessEntity.HITL_DETAIL,
None,
[(ACTION_CAN_READ, RESOURCE_DAG)],
False,
),
# With global permissions on Dags, with read permission on HITL Detail
(
"GET",
DagAccessEntity.HITL_DETAIL,
None,
[(ACTION_CAN_READ, RESOURCE_DAG), (ACTION_CAN_READ, RESOURCE_HITL_DETAIL)],
True,
),
# With global permissions on Dags, with read permission on HITL Detail, but wrong method
(
"PUT",
DagAccessEntity.HITL_DETAIL,
None,
[(ACTION_CAN_READ, RESOURCE_DAG), (ACTION_CAN_READ, RESOURCE_HITL_DETAIL)],
False,
),
# With global permissions on Dags, with write permission on HITL Detail, but wrong method
(
"GET",
DagAccessEntity.HITL_DETAIL,
None,
[(ACTION_CAN_READ, RESOURCE_DAG), (ACTION_CAN_EDIT, RESOURCE_HITL_DETAIL)],
False,
),
# With global permissions on Dags, with edit permission on HITL Detail
(
"PUT",
DagAccessEntity.HITL_DETAIL,
None,
[(ACTION_CAN_READ, RESOURCE_DAG), (ACTION_CAN_EDIT, RESOURCE_HITL_DETAIL)],
True,
),
]

if TYPE_CHECKING:
from airflow.api_fastapi.auth.managers.base_auth_manager import ResourceMethod

Expand Down Expand Up @@ -468,6 +524,36 @@ def test_is_authorized_dag(
)
assert result == expected_result

@pytest.mark.skipif(
AIRFLOW_V_3_1_PLUS is not True, reason="HITL test will be skipped if Airflow version < 3.1.0"
)
@pytest.mark.parametrize(
"method, dag_access_entity, dag_details, user_permissions, expected_result",
HITL_ENDPOINT_TESTS if AIRFLOW_V_3_1_PLUS else [],
)
@mock.patch.object(FabAuthManager, "get_authorized_dag_ids")
def test_is_authorized_dag_hitl_detail(
self,
mock_get_authorized_dag_ids,
method,
dag_access_entity,
dag_details,
user_permissions,
expected_result,
auth_manager_with_appbuilder,
):
dag_permissions = [perm[1] for perm in user_permissions if perm[1].startswith("DAG:")]
dag_ids = {perm.replace("DAG:", "") for perm in dag_permissions}
mock_get_authorized_dag_ids.return_value = dag_ids

user = Mock()
user.perms = user_permissions
user.id = 1
result = auth_manager_with_appbuilder.is_authorized_dag(
method=method, access_entity=dag_access_entity, details=dag_details, user=user
)
assert result == expected_result

@pytest.mark.parametrize(
"access_view, user_permissions, expected_result",
[
Expand Down
Loading