Skip to content

Fix ApprovalOperator with SimpleAuthManager when all_admins=True #59399

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Lee-W merged 9 commits into from
Jan 5, 2026
Merged

Fix ApprovalOperator with SimpleAuthManager when all_admins=True #59399

Lee-W merged 9 commits into from
Jan 5, 2026

Conversation

@TempestShaw
Copy link
Contributor

@TempestShaw TempestShaw commented Dec 14, 2025

Fixes #59348. Added is_allowed() method to BaseAuthManager and all
implementations to properly delegate HITL permission checks.

  • SimpleAuthManager: Returns True when simple_auth_manager_all_admins=True
  • Other managers: Check if user is in assigned_users list
  • Updated hitl.py to use auth manager's is_allowed() method

@boring-cyborg
Copy link

boring-cyborg bot commented Dec 14, 2025

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst)
Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example DAG that shows how users should use it.
  • Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
    Apache Airflow is a community-driven project and together we are making it better 🚀.
    In case of doubts contact the developers at:
    Mailing List: dev@airflow.apache.org
    Slack: https://s.apache.org/airflow-slack

jason810496
jason810496 reviewed Dec 14, 2025
View reviewed changes
Copy link
Member

@jason810496 jason810496 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! Thanks for the fix and it LGTM overall.

@jason810496 jason810496 requested a review from Lee-W December 14, 2025 10:20
jason810496
jason810496 reviewed Dec 15, 2025
View reviewed changes
Copy link
Member

@jason810496 jason810496 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the update!

Also that is a new functionality and some thinking on how we communicatee it (newsfragment) and what should be default behaviour for Auth Managers that do not implement it should be.

It would be nice to add the 59399.feature.rst newsfragment from airflow-core/newsfragments/template.significant.rst template.

Thanks!

@TempestShaw
Copy link
Contributor Author

TempestShaw commented Dec 15, 2025

Thanks, will do after a long haul flight.

vincbeck
vincbeck reviewed Dec 15, 2025
View reviewed changes
@vincbeck
Copy link
Contributor

vincbeck commented Dec 15, 2025

Some comments but the overall direction is good I think

@vincbeck
Copy link
Contributor

vincbeck commented Dec 15, 2025

Please also update documentation to mention this new API in Authorization related methods section

Lee-W
Lee-W reviewed Dec 16, 2025
View reviewed changes
Copy link
Member

@Lee-W Lee-W left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall looks good. But would like to confirm with @vincbeck whether it's possible to have more than one user with the same ID (I guess not?) if so, should we use id, name pair to check instead

@potiuk
Copy link
Member

potiuk commented Dec 16, 2025

overall looks good. But would like to confirm with @vincbeck whether it's possible to have more than one user with the same ID (I guess not?) if so, should we use id, name pair to check instead

Nope. you can't. User_id uniquely identifies user in AuthManager.

@potiuk
Copy link
Member

potiuk commented Dec 16, 2025

Looks way better now :)

pierrejeambrun
pierrejeambrun approved these changes Dec 16, 2025
View reviewed changes
Copy link
Member

@pierrejeambrun pierrejeambrun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

vincbeck
vincbeck reviewed Dec 16, 2025
View reviewed changes
Copy link
Contributor

@vincbeck vincbeck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 nits but overall looks very good!

@TempestShaw
Copy link
Contributor Author

TempestShaw commented Dec 24, 2025

Hey @TempestShaw , I think we're close to merging this one. Could you please help us resolve the remaining comments and conflicts? Thanks!

@Lee-W Hi! I rebased fix-hitl-auth onto main to keep it up to date, which automatically triggered additional review requests.
Just wanted to check if this rebase looks correct. Thanks!

jason810496
jason810496 reviewed Dec 24, 2025
View reviewed changes
Copy link
Member

@jason810496 jason810496 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Lee-W Hi! I rebased fix-hitl-auth onto main to keep it up to date, which automatically triggered additional review requests.
Just wanted to check if this rebase looks correct. Thanks!

Thanks for the rebase. We still need to resolve the conflicts again. Thanks!

Image

@TempestShaw TempestShaw marked this pull request as draft January 4, 2026 09:49
TempestShaw and others added 9 commits January 4, 2026 22:41
@TempestShaw
Fix ApprovalOperator with SimpleAuthManager when all_admins=True
3163494 
  Fixes apache#59348. Added is_allowed() method to BaseAuthManager and all
  implementations to properly delegate HITL permission checks.

  - SimpleAuthManager: Returns True when simple_auth_manager_all_admins=True
  - Other managers: Check if user is in assigned_users list
  - Updated hitl.py to use auth manager's is_allowed() method

Remove duplicate import
@TempestShaw
Refactor HITL authorization methods across auth managers to improve c…
4c923aa 
…onsistency and remove redundant code
@TempestShaw
Refactor is_authorized_hitl_task signature
535aa03 
- Update method to use keyword-only parameters
- Take full user object instead of just user_id
- Add unit tests for BaseAuthManager and SimpleAuthManager
- Update hitl.py call site to match new signature
@TempestShaw
Fix ApprovalOperator with SimpleAuthManager when all_admins=True
e1a1bd1 
  Fixes apache#59348. Added is_allowed() method to BaseAuthManager and all
  implementations to properly delegate HITL permission checks.

  - SimpleAuthManager: Returns True when simple_auth_manager_all_admins=True
  - Other managers: Check if user is in assigned_users list
  - Updated hitl.py to use auth manager's is_allowed() method

Remove duplicate import
@TempestShaw
Refactor HITL authorization methods across auth managers to improve c…
e058625 
…onsistency and remove redundant code
@TempestShaw
Refactor is_authorized_hitl_task signature
6df3d61 
- Update method to use keyword-only parameters
- Take full user object instead of just user_id
- Add unit tests for BaseAuthManager and SimpleAuthManager
- Update hitl.py call site to match new signature
@TempestShaw @vincbeck
Update airflow-core/newsfragments/59399.feature.rst
659abfd 
Co-authored-by: Vincent <97131062+vincbeck@users.noreply.github.com>
@TempestShaw
Clarify is_authorized_hitl_task method documentation to specify custo…
216e684 
…m authorization logic for HITL tasks
@TempestShaw
modify documentation for is_authorized_hitl_task method
dbc6f74
@TempestShaw TempestShaw marked this pull request as ready for review January 4, 2026 15:46
jason810496
jason810496 approved these changes Jan 5, 2026
View reviewed changes
Copy link
Member

@jason810496 jason810496 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the update! LGTM if CI pass.

I just added backport label to 3.1.6, we can close the backport one if we only want to release in 3.2.0.

@jason810496 jason810496 added the backport-to-v3-1-test Mark PR with this label to backport to v3-1-test branch label Jan 5, 2026
@jason810496 jason810496 closed this Jan 5, 2026
@jason810496 jason810496 reopened this Jan 5, 2026
@Lee-W Lee-W merged commit d95d8ba into apache:main Jan 5, 2026
274 of 282 checks passed
@boring-cyborg
Copy link

boring-cyborg bot commented Jan 5, 2026

Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions.

@github-actions
Copy link

github-actions bot commented Jan 5, 2026

Backport failed to create: v3-1-test. View the failure log Run details

Status Branch Result
v3-1-test Commit Link

You can attempt to backport this manually by running:

cherry_picker d95d8ba v3-1-test

This should apply the commit to the v3-1-test branch and leave the commit in conflict state marking
the files that need manual conflict resolution.

After you have resolved the conflicts, you can continue the backport process by running:

cherry_picker --continue

Lee-W pushed a commit to astronomer/airflow that referenced this pull request Jan 5, 2026
@TempestShaw @vincbeck @Lee-W
[v3-1-test] Fix ApprovalOperator with SimpleAuthManager when all_admi…
bdd1540 
…ns=True (apache#59399)

(cherry picked from commit d95d8ba)

Co-authored-by: Victor Kwong <109138344+TempestShaw@users.noreply.github.com>
Co-authored-by: Vincent <97131062+vincbeck@users.noreply.github.com>
@Lee-W Lee-W mentioned this pull request Jan 5, 2026
Merged
Lee-W added a commit that referenced this pull request Jan 5, 2026
@Lee-W @TempestShaw @vincbeck
[v3-1-test] Fix ApprovalOperator with SimpleAuthManager when all_admi…
21b02ae 
…ns=True (#59399) (#60116)

Co-authored-by: Victor Kwong <109138344+TempestShaw@users.noreply.github.com>
Co-authored-by: Vincent <97131062+vincbeck@users.noreply.github.com>
ephraimbuddy pushed a commit that referenced this pull request Jan 6, 2026
@Lee-W @TempestShaw
@vincbeck @ephraimbuddy
[v3-1-test] Fix ApprovalOperator with SimpleAuthManager when all_admi…
d8bd6a6 
…ns=True (#59399) (#60116)

Co-authored-by: Victor Kwong <109138344+TempestShaw@users.noreply.github.com>
Co-authored-by: Vincent <97131062+vincbeck@users.noreply.github.com>
chirodip98 pushed a commit to chirodip98/airflow-contrib that referenced this pull request Jan 8, 2026
@TempestShaw @vincbeck @chirodip98
Fix ApprovalOperator with SimpleAuthManager when all_admins=True (apa…
a99a973 
…che#59399)

Co-authored-by: Vincent <97131062+vincbeck@users.noreply.github.com>
chirodip98 pushed a commit to chirodip98/airflow-contrib that referenced this pull request Jan 9, 2026
@TempestShaw @vincbeck @chirodip98
Fix ApprovalOperator with SimpleAuthManager when all_admins=True (apa…
e092d00 
…che#59399)

Co-authored-by: Vincent <97131062+vincbeck@users.noreply.github.com>
stegololz pushed a commit to stegololz/airflow that referenced this pull request Jan 9, 2026
@TempestShaw @vincbeck @stegololz
Fix ApprovalOperator with SimpleAuthManager when all_admins=True (apa…
da50c2f 
…che#59399)

Co-authored-by: Vincent <97131062+vincbeck@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@uranusjr uranusjr uranusjr left review comments

@vincbeck vincbeck vincbeck left review comments

@potiuk potiuk potiuk approved these changes

@Lee-W Lee-W Lee-W approved these changes

@pierrejeambrun pierrejeambrun pierrejeambrun approved these changes

@vatsrahul1001 vatsrahul1001 vatsrahul1001 approved these changes

@jason810496 jason810496 jason810496 approved these changes

@bugraoz93 bugraoz93 Awaiting requested review from bugraoz93 bugraoz93 is a code owner

@o-nikolas o-nikolas Awaiting requested review from o-nikolas

@ephraimbuddy ephraimbuddy Awaiting requested review from ephraimbuddy ephraimbuddy is a code owner

@rawwar rawwar Awaiting requested review from rawwar rawwar is a code owner

@shubhamraj-git shubhamraj-git Awaiting requested review from shubhamraj-git shubhamraj-git is a code owner

@ashb ashb Awaiting requested review from ashb

@amoghrajesh amoghrajesh Awaiting requested review from amoghrajesh

@gopidesupavan gopidesupavan Awaiting requested review from gopidesupavan

@jscheffl jscheffl Awaiting requested review from jscheffl

@kaxil kaxil Awaiting requested review from kaxil

@dstandish dstandish Awaiting requested review from dstandish

@jedcunningham jedcunningham Awaiting requested review from jedcunningham

@mobuchowski mobuchowski Awaiting requested review from mobuchowski

@hussein-awala hussein-awala Awaiting requested review from hussein-awala

@sekikn sekikn Awaiting requested review from sekikn

@bbovenzi bbovenzi Awaiting requested review from bbovenzi

@ryanahamilton ryanahamilton Awaiting requested review from ryanahamilton

@guan404ming guan404ming Awaiting requested review from guan404ming

@XD-DENG XD-DENG Awaiting requested review from XD-DENG

Assignees

No one assigned

Labels

area:API Airflow's REST/HTTP API area:providers backport-to-v3-1-test Mark PR with this label to backport to v3-1-test branch provider:amazon AWS/Amazon - related issues provider:fab provider:keycloak

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ApprovalOperator(assigned_users=...) unusable with SimpleAuthManager when simple_auth_manager_all_admins=True (no one can approve/reject)

8 participants

@TempestShaw @vincbeck @potiuk @Lee-W @uranusjr @pierrejeambrun @vatsrahul1001 @jason810496