Update is_authorized_dag method in FabAuthManager
#54926
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vincbeck
requested review from
bugraoz93,
ephraimbuddy,
jason810496,
pierrejeambrun,
rawwar and
shubhamraj-git
as code owners
boring-cyborg
bot
added
area:API
vincbeck
force-pushed
the
vincbeck/fab_list_perms
branch
from
5c673a2 to
b9f7808
Compare
o-nikolas
reviewed
Aug 25, 2025
providers/fab/src/airflow/providers/fab/auth_manager/fab_auth_manager.py
Outdated
Show resolved
Hide resolved
providers/fab/src/airflow/providers/fab/auth_manager/fab_auth_manager.py
Show resolved
Hide resolved
…manager.py Co-authored-by: Niko Oliveira <onikolas@amazon.com>
vincbeck
force-pushed
the
vincbeck/fab_list_perms
branch
from
59bcf28 to
e360e2c
Compare
o-nikolas
approved these changes
Aug 26, 2025
Contributor
o-nikolas
left a comment
o-nikolas
left a comment
There was a problem hiding this comment.
Not my area of expertise, but the code seems reasonable.
This was referenced Aug 27, 2025
bugraoz93
approved these changes
Aug 28, 2025
Contributor
Author
|
Please do not merge before @pierrejeambrun approval, I'd like to have it before merging :) |
pierrejeambrun
approved these changes
Sep 1, 2025
Member
pierrejeambrun
left a comment
pierrejeambrun
left a comment
There was a problem hiding this comment.
Makes sense to me, thanks Vincent!
Just one question for my own understanding.
RoyLee1224
pushed a commit
to RoyLee1224/airflow
that referenced
this pull request
Sep 8, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Sep 30, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 1, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 2, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 3, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 4, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 5, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 5, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 7, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 8, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 9, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 10, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 11, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 12, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 14, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 15, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 17, 2025
abdulrahman305 bot
pushed a commit
to abdulrahman305/airflow
that referenced
this pull request
Oct 19, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves #53936.
Follow-up of #54197.
The way
FabAuthManagerchecks for Dag permission is partially broken in multiple ways:get_authorized_dag_ids(which returns the list of Dags the user is authorized to access) and checking whether this list is not empty. Even though this is not strictly wrong, it is not good either. A more robust solution proposed by @pierrejeambrun (see thread here for more information about the solution but also the reason why it is better) is to check whether the user has either access to all Dags or at least one dag permission withRESOURCE_DAG_PREFIXRESOURCE_DAG_RUN_PREFIXbecause I think this is very wrong. The purpose of this constant (value isDAG Run:) is to be able to give access to Dag runs of specific Dags. Example: To give read access to userXof Dag runs of Dagtest, I can add to the user's permissions(CAN_READ, DAG Run:test). But this is possible without this constant, using the same example, to grant the user access to Dagtestruns, you can give them(CAN_READ, Dag:test)and(CAN_READ, RESOURCE_DAG_RUN).^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in airflow-core/newsfragments.