apache-airflow-providers-fab 1.5.3rc1__py3-none-any.whl → 2.0.0b1__py3-none-any.whl

airflow/providers/fab/auth_manager/fab_auth_manager.py

@@ -18,22 +18,25 @@
 from __future__ import annotations
 
 import argparse
-import warnings
 from functools import cached_property
 from pathlib import Path
-from typing import TYPE_CHECKING, Container
+from typing import TYPE_CHECKING, Any
+from urllib.parse import urljoin
 
 import packaging.version
 from connexion import FlaskApi
-from flask import Blueprint, g, url_for
-from packaging.version import Version
+from fastapi import FastAPI
+from flask import Blueprint, g
 from sqlalchemy import select
 from sqlalchemy.orm import Session, joinedload
+from starlette.middleware.wsgi import WSGIMiddleware
 
 from airflow import __version__ as airflow_version
-from airflow.auth.managers.base_auth_manager import BaseAuthManager, ResourceMethod
-from airflow.auth.managers.models.resource_details import (
+from airflow.api_fastapi.app import AUTH_MANAGER_FASTAPI_APP_PREFIX
+from airflow.api_fastapi.auth.managers.base_auth_manager import BaseAuthManager
+from airflow.api_fastapi.auth.managers.models.resource_details import (
     AccessView,
+    BackfillDetails,
     ConfigurationDetails,
     ConnectionDetails,
     DagAccessEntity,
@@ -41,13 +44,13 @@ from airflow.auth.managers.models.resource_details import (
     PoolDetails,
     VariableDetails,
 )
-from airflow.auth.managers.utils.fab import get_fab_action_from_method_map, get_method_from_fab_action_map
+from airflow.api_fastapi.common.types import ExtraMenuItem, MenuItem
 from airflow.cli.cli_config import (
     DefaultHelpParser,
     GroupCommand,
 )
 from airflow.configuration import conf
-from airflow.exceptions import AirflowConfigException, AirflowException, AirflowProviderDeprecationWarning
+from airflow.exceptions import AirflowConfigException, AirflowException
 from airflow.models import DagModel
 from airflow.providers.fab.auth_manager.cli_commands.definition import (
     DB_COMMANDS,
@@ -56,8 +59,15 @@ from airflow.providers.fab.auth_manager.cli_commands.definition import (
     USERS_COMMANDS,
 )
 from airflow.providers.fab.auth_manager.models import Permission, Role, User
-from airflow.security import permissions
-from airflow.security.permissions import (
+from airflow.providers.fab.auth_manager.models.anonymous_user import AnonymousUser
+from airflow.providers.fab.www.app import create_app
+from airflow.providers.fab.www.constants import SWAGGER_BUNDLE, SWAGGER_ENABLED
+from airflow.providers.fab.www.extensions.init_views import (
+    _CustomErrorRequestBodyValidator,
+    _LazyResolver,
+)
+from airflow.providers.fab.www.security import permissions
+from airflow.providers.fab.www.security.permissions import (
     RESOURCE_AUDIT_LOG,
     RESOURCE_CLUSTER_ACTIVITY,
     RESOURCE_CONFIG,
@@ -66,6 +76,7 @@ from airflow.security.permissions import (
     RESOURCE_DAG_CODE,
     RESOURCE_DAG_DEPENDENCIES,
     RESOURCE_DAG_RUN,
+    RESOURCE_DAG_VERSION,
     RESOURCE_DAG_WARNING,
     RESOURCE_DOCS,
     RESOURCE_IMPORT_ERROR,
@@ -82,22 +93,33 @@ from airflow.security.permissions import (
     RESOURCE_WEBSITE,
     RESOURCE_XCOM,
 )
-from airflow.utils.session import NEW_SESSION, provide_session
+from airflow.providers.fab.www.utils import (
+    get_fab_action_from_method_map,
+    get_method_from_fab_action_map,
+)
+from airflow.security.permissions import RESOURCE_BACKFILL
+from airflow.utils.session import NEW_SESSION, create_session, provide_session
 from airflow.utils.yaml import safe_load
-from airflow.version import version
-from airflow.www.constants import SWAGGER_BUNDLE, SWAGGER_ENABLED
-from airflow.www.extensions.init_views import _CustomErrorRequestBodyValidator, _LazyResolver
 
 if TYPE_CHECKING:
-    from airflow.auth.managers.models.base_user import BaseUser
+    from airflow.api_fastapi.auth.managers.base_auth_manager import ResourceMethod
     from airflow.cli.cli_config import (
         CLICommand,
     )
-    from airflow.providers.common.compat.assets import AssetDetails
-    from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
-    from airflow.security.permissions import RESOURCE_ASSET
+    from airflow.providers.common.compat.assets import AssetAliasDetails, AssetDetails
+    from airflow.providers.fab.auth_manager.security_manager.override import (
+        FabAirflowSecurityManagerOverride,
+    )
+    from airflow.providers.fab.www.extensions.init_appbuilder import AirflowAppBuilder
+    from airflow.providers.fab.www.security.permissions import (
+        RESOURCE_ASSET,
+        RESOURCE_ASSET_ALIAS,
+    )
 else:
-    from airflow.providers.common.compat.security.permissions import RESOURCE_ASSET
+    from airflow.providers.common.compat.security.permissions import (
+        RESOURCE_ASSET,
+        RESOURCE_ASSET_ALIAS,
+    )
 
 
 _MAP_DAG_ACCESS_ENTITY_TO_FAB_RESOURCE_TYPE: dict[DagAccessEntity, tuple[str, ...]] = {
@@ -115,6 +137,7 @@ _MAP_DAG_ACCESS_ENTITY_TO_FAB_RESOURCE_TYPE: dict[DagAccessEntity, tuple[str, ..
     DagAccessEntity.TASK_INSTANCE: (RESOURCE_DAG_RUN, RESOURCE_TASK_INSTANCE),
     DagAccessEntity.TASK_LOGS: (RESOURCE_TASK_LOG,),
     DagAccessEntity.TASK_RESCHEDULE: (RESOURCE_TASK_RESCHEDULE,),
+    DagAccessEntity.VERSION: (RESOURCE_DAG_VERSION,),
     DagAccessEntity.WARNING: (RESOURCE_DAG_WARNING,),
     DagAccessEntity.XCOM: (RESOURCE_XCOM,),
 }
@@ -130,14 +153,36 @@ _MAP_ACCESS_VIEW_TO_FAB_RESOURCE_TYPE = {
     AccessView.WEBSITE: RESOURCE_WEBSITE,
 }
 
+_MAP_MENU_ITEM_TO_FAB_RESOURCE_TYPE = {
+    MenuItem.ASSETS: RESOURCE_ASSET,
+    MenuItem.ASSET_EVENTS: RESOURCE_ASSET,
+    MenuItem.CONNECTIONS: RESOURCE_CONNECTION,
+    MenuItem.DAGS: RESOURCE_DAG,
+    MenuItem.DOCS: RESOURCE_DOCS,
+    MenuItem.PLUGINS: RESOURCE_PLUGIN,
+    MenuItem.POOLS: RESOURCE_POOL,
+    MenuItem.PROVIDERS: RESOURCE_PROVIDER,
+    MenuItem.VARIABLES: RESOURCE_VARIABLE,
+    MenuItem.XCOMS: RESOURCE_XCOM,
+}
+
 
-class FabAuthManager(BaseAuthManager):
+class FabAuthManager(BaseAuthManager[User]):
     """
     Flask-AppBuilder auth manager.
 
     This auth manager is responsible for providing a backward compatible user management experience to users.
     """
 
+    appbuilder: AirflowAppBuilder | None = None
+
+    def init_flask_resources(self) -> None:
+        self._sync_appbuilder_roles()
+
+    @cached_property
+    def apiserver_endpoint(self) -> str:
+        return conf.get("api", "base_url")
+
     @staticmethod
     def get_cli_commands() -> list[CLICommand]:
         """Vends CLI commands to be included in Airflow CLI."""
@@ -161,6 +206,31 @@ class FabAuthManager(BaseAuthManager):
             commands.append(GroupCommand(name="fab-db", help="Manage FAB", subcommands=DB_COMMANDS))
         return commands
 
+    def get_fastapi_app(self) -> FastAPI | None:
+        """Get the FastAPI app."""
+        from airflow.providers.fab.auth_manager.api_fastapi.routes.login import (
+            login_router,
+        )
+
+        flask_app = create_app(enable_plugins=False)
+
+        app = FastAPI(
+            title="FAB auth manager API",
+            description=(
+                "This is FAB auth manager API. This API is only available if the auth manager used in "
+                "the Airflow environment is FAB auth manager. "
+                "This API provides endpoints to manage users and permissions managed by the FAB auth "
+                "manager."
+            ),
+        )
+
+        # Add the login router to the FastAPI app
+        app.include_router(login_router)
+
+        app.mount("/", WSGIMiddleware(flask_app))
+
+        return app
+
     def get_api_endpoints(self) -> None | Blueprint:
         folder = Path(__file__).parents[0].resolve()  # this is airflow/auth/managers/fab/
         with folder.joinpath("openapi", "v1.yaml").open() as f:
@@ -168,20 +238,16 @@ class FabAuthManager(BaseAuthManager):
         return FlaskApi(
             specification=specification,
             resolver=_LazyResolver(),
-            base_path="/auth/fab/v1",
-            options={"swagger_ui": SWAGGER_ENABLED, "swagger_path": SWAGGER_BUNDLE.__fspath__()},
+            base_path="/fab/v1",
+            options={
+                "swagger_ui": SWAGGER_ENABLED,
+                "swagger_path": SWAGGER_BUNDLE.__fspath__(),
+            },
             strict_validation=True,
             validate_responses=True,
             validator_map={"body": _CustomErrorRequestBodyValidator},
         ).blueprint
 
-    def get_user_display_name(self) -> str:
-        """Return the user's display name associated to the user in session."""
-        user = self.get_user()
-        first_name = user.first_name.strip() if isinstance(user.first_name, str) else ""
-        last_name = user.last_name.strip() if isinstance(user.last_name, str) else ""
-        return f"{first_name} {last_name}".strip()
-
     def get_user(self) -> User:
         """
         Return the user associated to the user in session.
@@ -199,26 +265,28 @@ class FabAuthManager(BaseAuthManager):
 
         return current_user
 
-    def init(self) -> None:
-        """Run operations when Airflow is initializing."""
-        self._sync_appbuilder_roles()
+    def deserialize_user(self, token: dict[str, Any]) -> User:
+        with create_session() as session:
+            return session.get(User, int(token["sub"]))
+
+    def serialize_user(self, user: User) -> dict[str, Any]:
+        return {"sub": str(user.id)}
 
     def is_logged_in(self) -> bool:
         """Return whether the user is logged in."""
         user = self.get_user()
-        if Version(Version(version).base_version) < Version("3.0.0"):
-            return not user.is_anonymous and user.is_active
-        else:
-            return self.appbuilder.get_app.config.get("AUTH_ROLE_PUBLIC", None) or (
-                not user.is_anonymous and user.is_active
-            )
+        return (
+            self.appbuilder
+            and self.appbuilder.get_app.config.get("AUTH_ROLE_PUBLIC", None)
+            or (not user.is_anonymous and user.is_active)
+        )
 
     def is_authorized_configuration(
         self,
         *,
         method: ResourceMethod,
+        user: User,
         details: ConfigurationDetails | None = None,
-        user: BaseUser | None = None,
     ) -> bool:
         return self._is_authorized(method=method, resource_type=RESOURCE_CONFIG, user=user)
 
@@ -226,8 +294,8 @@ class FabAuthManager(BaseAuthManager):
         self,
         *,
         method: ResourceMethod,
+        user: User,
         details: ConnectionDetails | None = None,
-        user: BaseUser | None = None,
     ) -> bool:
         return self._is_authorized(method=method, resource_type=RESOURCE_CONNECTION, user=user)
 
@@ -235,9 +303,9 @@ class FabAuthManager(BaseAuthManager):
         self,
         *,
         method: ResourceMethod,
+        user: User,
         access_entity: DagAccessEntity | None = None,
         details: DagDetails | None = None,
-        user: BaseUser | None = None,
     ) -> bool:
         """
         Return whether the user is authorized to access the dag.
@@ -254,9 +322,9 @@ class FabAuthManager(BaseAuthManager):
                 if no specific DAG is targeted, just check the sub entity.
 
         :param method: The method to authorize.
+        :param user: The user performing the action.
         :param access_entity: The dag access entity.
         :param details: The dag details.
-        :param user: The user.
         """
         if not access_entity:
             # Scenario 1
@@ -272,84 +340,100 @@ class FabAuthManager(BaseAuthManager):
                 return False
 
             return all(
-                self._is_authorized(method=method, resource_type=resource_type, user=user)
-                if resource_type != RESOURCE_DAG_RUN or not hasattr(permissions, "resource_name")
-                else self._is_authorized_dag_run(method=method, details=details, user=user)
+                (
+                    self._is_authorized(method=method, resource_type=resource_type, user=user)
+                    if resource_type != RESOURCE_DAG_RUN or not hasattr(permissions, "resource_name")
+                    else self._is_authorized_dag_run(method=method, details=details, user=user)
+                )
                 for resource_type in resource_types
             )
 
+    def is_authorized_backfill(
+        self,
+        *,
+        method: ResourceMethod,
+        user: User,
+        details: BackfillDetails | None = None,
+    ) -> bool:
+        return self._is_authorized(method=method, resource_type=RESOURCE_BACKFILL, user=user)
+
     def is_authorized_asset(
-        self, *, method: ResourceMethod, details: AssetDetails | None = None, user: BaseUser | None = None
+        self, *, method: ResourceMethod, user: User, details: AssetDetails | None = None
     ) -> bool:
         return self._is_authorized(method=method, resource_type=RESOURCE_ASSET, user=user)
 
-    def is_authorized_dataset(
-        self, *, method: ResourceMethod, details: AssetDetails | None = None, user: BaseUser | None = None
+    def is_authorized_asset_alias(
+        self,
+        *,
+        method: ResourceMethod,
+        user: User,
+        details: AssetAliasDetails | None = None,
     ) -> bool:
-        warnings.warn(
-            "is_authorized_dataset will be renamed as is_authorized_asset in Airflow 3 and will be removed when the minimum Airflow version is set to 3.0 for the fab provider",
-            AirflowProviderDeprecationWarning,
-            stacklevel=2,
-        )
-        return self.is_authorized_asset(method=method, user=user)
+        return self._is_authorized(method=method, resource_type=RESOURCE_ASSET_ALIAS, user=user)
 
     def is_authorized_pool(
-        self, *, method: ResourceMethod, details: PoolDetails | None = None, user: BaseUser | None = None
+        self, *, method: ResourceMethod, user: User, details: PoolDetails | None = None
     ) -> bool:
         return self._is_authorized(method=method, resource_type=RESOURCE_POOL, user=user)
 
     def is_authorized_variable(
-        self, *, method: ResourceMethod, details: VariableDetails | None = None, user: BaseUser | None = None
+        self,
+        *,
+        method: ResourceMethod,
+        user: User,
+        details: VariableDetails | None = None,
     ) -> bool:
         return self._is_authorized(method=method, resource_type=RESOURCE_VARIABLE, user=user)
 
-    def is_authorized_view(self, *, access_view: AccessView, user: BaseUser | None = None) -> bool:
+    def is_authorized_view(self, *, access_view: AccessView, user: User) -> bool:
         # "Docs" are only links in the menu, there is no page associated
         method: ResourceMethod = "MENU" if access_view == AccessView.DOCS else "GET"
         return self._is_authorized(
-            method=method, resource_type=_MAP_ACCESS_VIEW_TO_FAB_RESOURCE_TYPE[access_view], user=user
+            method=method,
+            resource_type=_MAP_ACCESS_VIEW_TO_FAB_RESOURCE_TYPE[access_view],
+            user=user,
         )
 
     def is_authorized_custom_view(
-        self, *, method: ResourceMethod | str, resource_name: str, user: BaseUser | None = None
-    ):
-        if not user:
-            user = self.get_user()
+        self, *, method: ResourceMethod | str, resource_name: str, user: User
+    ) -> bool:
         fab_action_name = get_fab_action_from_method_map().get(method, method)
         return (fab_action_name, resource_name) in self._get_user_permissions(user)
 
+    def filter_authorized_menu_items(self, menu_items: list[MenuItem], user: User) -> list[MenuItem]:
+        return [
+            menu_item
+            for menu_item in menu_items
+            if self._is_authorized(
+                method="MENU",
+                resource_type=_MAP_MENU_ITEM_TO_FAB_RESOURCE_TYPE.get(menu_item, menu_item.value),
+                user=user,
+            )
+        ]
+
     @provide_session
-    def get_permitted_dag_ids(
+    def get_authorized_dag_ids(
         self,
         *,
-        methods: Container[ResourceMethod] | None = None,
-        user=None,
+        user: User,
+        method: ResourceMethod = "GET",
         session: Session = NEW_SESSION,
     ) -> set[str]:
-        if not methods:
-            methods = ["PUT", "GET"]
-
-        if not user:
-            user = self.get_user()
-
-        if not self.is_logged_in():
-            roles = user.roles
-        else:
-            if ("GET" in methods and self.is_authorized_dag(method="GET", user=user)) or (
-                "PUT" in methods and self.is_authorized_dag(method="PUT", user=user)
-            ):
-                # If user is authorized to read/edit all DAGs, return all DAGs
-                return {dag.dag_id for dag in session.execute(select(DagModel.dag_id))}
-            user_query = session.scalar(
-                select(User)
-                .options(
-                    joinedload(User.roles)
-                    .subqueryload(Role.permissions)
-                    .options(joinedload(Permission.action), joinedload(Permission.resource))
-                )
-                .where(User.id == user.id)
+        if self._is_authorized(method=method, resource_type=RESOURCE_DAG, user=user):
+            # If user is authorized to access all DAGs, return all DAGs
+            return {dag.dag_id for dag in session.execute(select(DagModel.dag_id))}
+        if isinstance(user, AnonymousUser):
+            return set()
+        user_query = session.scalar(
+            select(User)
+            .options(
+                joinedload(User.roles)
+                .subqueryload(Role.permissions)
+                .options(joinedload(Permission.action), joinedload(Permission.resource))
             )
-            roles = user_query.roles
+            .where(User.id == user.id)
+        )
+        roles = user_query.roles
 
         map_fab_action_name_to_method_name = get_method_from_fab_action_map()
         resources = set()
@@ -358,7 +442,7 @@ class FabAuthManager(BaseAuthManager):
                 action = permission.action.name
                 if (
                     action in map_fab_action_name_to_method_name
-                    and map_fab_action_name_to_method_name[action] in methods
+                    and map_fab_action_name_to_method_name[action] == method
                 ):
                     resource = permission.resource.name
                     if resource == permissions.RESOURCE_DAG:
@@ -376,6 +460,9 @@ class FabAuthManager(BaseAuthManager):
             FabAirflowSecurityManagerOverride,
         )
 
+        if not self.appbuilder:
+            raise AirflowException("AppBuilder is not initialized.")
+
         sm_from_config = self.appbuilder.get_app.config.get("SECURITY_MANAGER_CLASS")
         if sm_from_config:
             if not issubclass(sm_from_config, FabAirflowSecurityManagerOverride):
@@ -388,49 +475,68 @@ class FabAuthManager(BaseAuthManager):
 
     def get_url_login(self, **kwargs) -> str:
         """Return the login page url."""
-        if not self.security_manager.auth_view:
-            raise AirflowException("`auth_view` not defined in the security manager.")
-        if next_url := kwargs.get("next_url"):
-            return url_for(f"{self.security_manager.auth_view.endpoint}.login", next=next_url)
-        else:
-            return url_for(f"{self.security_manager.auth_view.endpoint}.login")
+        return urljoin(self.apiserver_endpoint, f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/login/")
 
-    def get_url_logout(self):
+    def get_url_logout(self) -> str | None:
         """Return the logout page url."""
-        if not self.security_manager.auth_view:
-            raise AirflowException("`auth_view` not defined in the security manager.")
-        return url_for(f"{self.security_manager.auth_view.endpoint}.logout")
-
-    def get_url_user_profile(self) -> str | None:
-        """Return the url to a page displaying info about the current user."""
-        if not self.security_manager.user_view or self.appbuilder.get_app.config.get(
-            "AUTH_ROLE_PUBLIC", None
-        ):
-            return None
-        return url_for(f"{self.security_manager.user_view.endpoint}.userinfo")
+        return urljoin(self.apiserver_endpoint, f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/logout/")
 
     def register_views(self) -> None:
         self.security_manager.register_views()
 
+    def get_extra_menu_items(self, *, user: User) -> list[ExtraMenuItem]:
+        # Contains the list of menu items. ``resource_type`` is the name of the resource in FAB
+        # permission model to check whether the user is allowed to see this menu item
+        items = [
+            {
+                "resource_type": "List Users",
+                "text": "Users",
+                "href": f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/users/list/",
+            },
+            {
+                "resource_type": "List Roles",
+                "text": "Roles",
+                "href": f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/roles/list/",
+            },
+            {
+                "resource_type": "Actions",
+                "text": "Actions",
+                "href": f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/actions/list/",
+            },
+            {
+                "resource_type": "Resources",
+                "text": "Resources",
+                "href": f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/resources/list/",
+            },
+            {
+                "resource_type": "Permission Pairs",
+                "text": "Permissions",
+                "href": f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/permissions/list/",
+            },
+        ]
+
+        return [
+            ExtraMenuItem(text=item["text"], href=item["href"])
+            for item in items
+            if self._is_authorized(method="MENU", resource_type=item["resource_type"], user=user)
+        ]
+
     def _is_authorized(
         self,
         *,
         method: ResourceMethod,
         resource_type: str,
-        user: BaseUser | None = None,
+        user: User,
     ) -> bool:
         """
         Return whether the user is authorized to perform a given action.
 
         :param method: the method to perform
         :param resource_type: the type of resource the user attempts to perform the action on
-        :param user: the user to perform the action on. If not provided (or None), it uses the current user
+        :param user: the user to performing the action
 
         :meta private:
         """
-        if not user:
-            user = self.get_user()
-
         fab_action = self._get_fab_action(method)
         user_permissions = self._get_user_permissions(user)
 
@@ -439,15 +545,15 @@ class FabAuthManager(BaseAuthManager):
     def _is_authorized_dag(
         self,
         method: ResourceMethod,
-        details: DagDetails | None = None,
-        user: BaseUser | None = None,
+        details: DagDetails | None,
+        user: User,
     ) -> bool:
         """
         Return whether the user is authorized to perform a given action on a DAG.
 
         :param method: the method to perform
-        :param details: optional details about the DAG
-        :param user: the user to perform the action on. If not provided (or None), it uses the current user
+        :param details: details about the DAG
+        :param user: the user to performing the action
 
         :meta private:
         """
@@ -465,15 +571,15 @@ class FabAuthManager(BaseAuthManager):
     def _is_authorized_dag_run(
         self,
         method: ResourceMethod,
-        details: DagDetails | None = None,
-        user: BaseUser | None = None,
+        details: DagDetails | None,
+        user: User,
     ) -> bool:
         """
         Return whether the user is authorized to perform a given action on a DAG Run.
 
         :param method: the method to perform
-        :param details: optional, details about the DAG
-        :param user: optional, the user to perform the action on. If not provided, it uses the current user
+        :param details: details about the DAG
+        :param user: the user to performing the action
 
         :meta private:
         """
@@ -529,7 +635,7 @@ class FabAuthManager(BaseAuthManager):
         return getattr(permissions, "resource_name_for_dag")(root_dag_id)
 
     @staticmethod
-    def _get_user_permissions(user: BaseUser):
+    def _get_user_permissions(user: User):
         """
         Return the user permissions.
 
@@ -547,6 +653,9 @@ class FabAuthManager(BaseAuthManager):
 
         :meta private:
         """
+        if not self.appbuilder:
+            raise AirflowException("AppBuilder is not initialized.")
+
         if "." in dag_id and hasattr(DagModel, "root_dag_id"):
             return self.appbuilder.get_session.scalar(
                 select(DagModel.dag_id, DagModel.root_dag_id).where(DagModel.dag_id == dag_id).limit(1)
@@ -563,11 +672,7 @@ class FabAuthManager(BaseAuthManager):
         # Otherwise, when the name of a view or menu is changed, the framework
         # will add the new Views and Menus names to the backend, but will not
         # delete the old ones.
-        if Version(Version(version).base_version) >= Version("3.0.0"):
-            fallback = None
-        else:
-            fallback = conf.getboolean("webserver", "UPDATE_FAB_PERMS")
-        if conf.getboolean("fab", "UPDATE_FAB_PERMS", fallback=fallback):
+        if conf.getboolean("fab", "UPDATE_FAB_PERMS"):
             self.security_manager.sync_roles()
 
 

airflow/providers/fab/auth_manager/models/__init__.py

@@ -44,7 +44,7 @@ from sqlalchemy import (
 from sqlalchemy.orm import backref, declared_attr, registry, relationship
 
 from airflow import __version__ as airflow_version
-from airflow.auth.managers.models.base_user import BaseUser
+from airflow.api_fastapi.auth.managers.models.base_user import BaseUser
 from airflow.models.base import _get_schema, naming_convention
 
 if TYPE_CHECKING:

airflow/providers/fab/auth_manager/models/anonymous_user.py

@@ -20,7 +20,7 @@ from __future__ import annotations
 from flask import current_app
 from flask_login import AnonymousUserMixin
 
-from airflow.auth.managers.models.base_user import BaseUser
+from airflow.api_fastapi.auth.managers.models.base_user import BaseUser
 
 
 class AnonymousUser(AnonymousUserMixin, BaseUser):