apache-airflow-providers-fab 2.0.0rc1__py3-none-any.whl → 2.0.0rc2__py3-none-any.whl

airflow/providers/fab/auth_manager/fab_auth_manager.py

@@ -18,22 +18,25 @@
 from __future__ import annotations
 
 import argparse
-from collections.abc import Container
 from functools import cached_property
 from pathlib import Path
 from typing import TYPE_CHECKING, Any
+from urllib.parse import urljoin
 
 import packaging.version
 from connexion import FlaskApi
-from flask import Blueprint, g, url_for
-from packaging.version import Version
+from fastapi import FastAPI
+from flask import Blueprint, g
 from sqlalchemy import select
 from sqlalchemy.orm import Session, joinedload
+from starlette.middleware.wsgi import WSGIMiddleware
 
 from airflow import __version__ as airflow_version
-from airflow.auth.managers.base_auth_manager import BaseAuthManager, ResourceMethod
-from airflow.auth.managers.models.resource_details import (
+from airflow.api_fastapi.app import AUTH_MANAGER_FASTAPI_APP_PREFIX
+from airflow.api_fastapi.auth.managers.base_auth_manager import BaseAuthManager
+from airflow.api_fastapi.auth.managers.models.resource_details import (
     AccessView,
+    BackfillDetails,
     ConfigurationDetails,
     ConnectionDetails,
     DagAccessEntity,
@@ -41,7 +44,7 @@ from airflow.auth.managers.models.resource_details import (
     PoolDetails,
     VariableDetails,
 )
-from airflow.auth.managers.utils.fab import get_fab_action_from_method_map, get_method_from_fab_action_map
+from airflow.api_fastapi.common.types import ExtraMenuItem, MenuItem
 from airflow.cli.cli_config import (
     DefaultHelpParser,
     GroupCommand,
@@ -56,8 +59,15 @@ from airflow.providers.fab.auth_manager.cli_commands.definition import (
     USERS_COMMANDS,
 )
 from airflow.providers.fab.auth_manager.models import Permission, Role, User
-from airflow.security import permissions
-from airflow.security.permissions import (
+from airflow.providers.fab.auth_manager.models.anonymous_user import AnonymousUser
+from airflow.providers.fab.www.app import create_app
+from airflow.providers.fab.www.constants import SWAGGER_BUNDLE, SWAGGER_ENABLED
+from airflow.providers.fab.www.extensions.init_views import (
+    _CustomErrorRequestBodyValidator,
+    _LazyResolver,
+)
+from airflow.providers.fab.www.security import permissions
+from airflow.providers.fab.www.security.permissions import (
     RESOURCE_AUDIT_LOG,
     RESOURCE_CLUSTER_ACTIVITY,
     RESOURCE_CONFIG,
@@ -66,6 +76,7 @@ from airflow.security.permissions import (
     RESOURCE_DAG_CODE,
     RESOURCE_DAG_DEPENDENCIES,
     RESOURCE_DAG_RUN,
+    RESOURCE_DAG_VERSION,
     RESOURCE_DAG_WARNING,
     RESOURCE_DOCS,
     RESOURCE_IMPORT_ERROR,
@@ -82,22 +93,33 @@ from airflow.security.permissions import (
     RESOURCE_WEBSITE,
     RESOURCE_XCOM,
 )
+from airflow.providers.fab.www.utils import (
+    get_fab_action_from_method_map,
+    get_method_from_fab_action_map,
+)
+from airflow.security.permissions import RESOURCE_BACKFILL
 from airflow.utils.session import NEW_SESSION, create_session, provide_session
 from airflow.utils.yaml import safe_load
-from airflow.version import version
-from airflow.www.constants import SWAGGER_BUNDLE, SWAGGER_ENABLED
-from airflow.www.extensions.init_views import _CustomErrorRequestBodyValidator, _LazyResolver
 
 if TYPE_CHECKING:
-    from airflow.auth.managers.models.base_user import BaseUser
+    from airflow.api_fastapi.auth.managers.base_auth_manager import ResourceMethod
     from airflow.cli.cli_config import (
         CLICommand,
     )
-    from airflow.providers.common.compat.assets import AssetDetails
-    from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
-    from airflow.security.permissions import RESOURCE_ASSET
+    from airflow.providers.common.compat.assets import AssetAliasDetails, AssetDetails
+    from airflow.providers.fab.auth_manager.security_manager.override import (
+        FabAirflowSecurityManagerOverride,
+    )
+    from airflow.providers.fab.www.extensions.init_appbuilder import AirflowAppBuilder
+    from airflow.providers.fab.www.security.permissions import (
+        RESOURCE_ASSET,
+        RESOURCE_ASSET_ALIAS,
+    )
 else:
-    from airflow.providers.common.compat.security.permissions import RESOURCE_ASSET
+    from airflow.providers.common.compat.security.permissions import (
+        RESOURCE_ASSET,
+        RESOURCE_ASSET_ALIAS,
+    )
 
 
 _MAP_DAG_ACCESS_ENTITY_TO_FAB_RESOURCE_TYPE: dict[DagAccessEntity, tuple[str, ...]] = {
@@ -115,6 +137,7 @@ _MAP_DAG_ACCESS_ENTITY_TO_FAB_RESOURCE_TYPE: dict[DagAccessEntity, tuple[str, ..
     DagAccessEntity.TASK_INSTANCE: (RESOURCE_DAG_RUN, RESOURCE_TASK_INSTANCE),
     DagAccessEntity.TASK_LOGS: (RESOURCE_TASK_LOG,),
     DagAccessEntity.TASK_RESCHEDULE: (RESOURCE_TASK_RESCHEDULE,),
+    DagAccessEntity.VERSION: (RESOURCE_DAG_VERSION,),
     DagAccessEntity.WARNING: (RESOURCE_DAG_WARNING,),
     DagAccessEntity.XCOM: (RESOURCE_XCOM,),
 }
@@ -130,6 +153,19 @@ _MAP_ACCESS_VIEW_TO_FAB_RESOURCE_TYPE = {
     AccessView.WEBSITE: RESOURCE_WEBSITE,
 }
 
+_MAP_MENU_ITEM_TO_FAB_RESOURCE_TYPE = {
+    MenuItem.ASSETS: RESOURCE_ASSET,
+    MenuItem.ASSET_EVENTS: RESOURCE_ASSET,
+    MenuItem.CONNECTIONS: RESOURCE_CONNECTION,
+    MenuItem.DAGS: RESOURCE_DAG,
+    MenuItem.DOCS: RESOURCE_DOCS,
+    MenuItem.PLUGINS: RESOURCE_PLUGIN,
+    MenuItem.POOLS: RESOURCE_POOL,
+    MenuItem.PROVIDERS: RESOURCE_PROVIDER,
+    MenuItem.VARIABLES: RESOURCE_VARIABLE,
+    MenuItem.XCOMS: RESOURCE_XCOM,
+}
+
 
 class FabAuthManager(BaseAuthManager[User]):
     """
@@ -138,10 +174,14 @@ class FabAuthManager(BaseAuthManager[User]):
     This auth manager is responsible for providing a backward compatible user management experience to users.
     """
 
-    def init(self) -> None:
-        """Run operations when Airflow is initializing."""
-        if self.appbuilder:
-            self._sync_appbuilder_roles()
+    appbuilder: AirflowAppBuilder | None = None
+
+    def init_flask_resources(self) -> None:
+        self._sync_appbuilder_roles()
+
+    @cached_property
+    def apiserver_endpoint(self) -> str:
+        return conf.get("api", "base_url")
 
     @staticmethod
     def get_cli_commands() -> list[CLICommand]:
@@ -166,6 +206,31 @@ class FabAuthManager(BaseAuthManager[User]):
             commands.append(GroupCommand(name="fab-db", help="Manage FAB", subcommands=DB_COMMANDS))
         return commands
 
+    def get_fastapi_app(self) -> FastAPI | None:
+        """Get the FastAPI app."""
+        from airflow.providers.fab.auth_manager.api_fastapi.routes.login import (
+            login_router,
+        )
+
+        flask_app = create_app(enable_plugins=False)
+
+        app = FastAPI(
+            title="FAB auth manager API",
+            description=(
+                "This is FAB auth manager API. This API is only available if the auth manager used in "
+                "the Airflow environment is FAB auth manager. "
+                "This API provides endpoints to manage users and permissions managed by the FAB auth "
+                "manager."
+            ),
+        )
+
+        # Add the login router to the FastAPI app
+        app.include_router(login_router)
+
+        app.mount("/", WSGIMiddleware(flask_app))
+
+        return app
+
     def get_api_endpoints(self) -> None | Blueprint:
         folder = Path(__file__).parents[0].resolve()  # this is airflow/auth/managers/fab/
         with folder.joinpath("openapi", "v1.yaml").open() as f:
@@ -173,20 +238,16 @@ class FabAuthManager(BaseAuthManager[User]):
         return FlaskApi(
             specification=specification,
             resolver=_LazyResolver(),
-            base_path="/auth/fab/v1",
-            options={"swagger_ui": SWAGGER_ENABLED, "swagger_path": SWAGGER_BUNDLE.__fspath__()},
+            base_path="/fab/v1",
+            options={
+                "swagger_ui": SWAGGER_ENABLED,
+                "swagger_path": SWAGGER_BUNDLE.__fspath__(),
+            },
             strict_validation=True,
             validate_responses=True,
             validator_map={"body": _CustomErrorRequestBodyValidator},
         ).blueprint
 
-    def get_user_display_name(self) -> str:
-        """Return the user's display name associated to the user in session."""
-        user = self.get_user()
-        first_name = user.first_name.strip() if isinstance(user.first_name, str) else ""
-        last_name = user.last_name.strip() if isinstance(user.last_name, str) else ""
-        return f"{first_name} {last_name}".strip()
-
     def get_user(self) -> User:
         """
         Return the user associated to the user in session.
@@ -206,29 +267,26 @@ class FabAuthManager(BaseAuthManager[User]):
 
     def deserialize_user(self, token: dict[str, Any]) -> User:
         with create_session() as session:
-            return session.get(User, token["id"])
+            return session.get(User, int(token["sub"]))
 
     def serialize_user(self, user: User) -> dict[str, Any]:
-        return {"id": user.id}
+        return {"sub": str(user.id)}
 
     def is_logged_in(self) -> bool:
         """Return whether the user is logged in."""
         user = self.get_user()
-        if Version(Version(version).base_version) < Version("3.0.0"):
-            return not user.is_anonymous and user.is_active
-        else:
-            return (
-                self.appbuilder
-                and self.appbuilder.get_app.config.get("AUTH_ROLE_PUBLIC", None)
-                or (not user.is_anonymous and user.is_active)
-            )
+        return (
+            self.appbuilder
+            and self.appbuilder.get_app.config.get("AUTH_ROLE_PUBLIC", None)
+            or (not user.is_anonymous and user.is_active)
+        )
 
     def is_authorized_configuration(
         self,
         *,
         method: ResourceMethod,
+        user: User,
         details: ConfigurationDetails | None = None,
-        user: BaseUser | None = None,
     ) -> bool:
         return self._is_authorized(method=method, resource_type=RESOURCE_CONFIG, user=user)
 
@@ -236,8 +294,8 @@ class FabAuthManager(BaseAuthManager[User]):
         self,
         *,
         method: ResourceMethod,
+        user: User,
         details: ConnectionDetails | None = None,
-        user: BaseUser | None = None,
     ) -> bool:
         return self._is_authorized(method=method, resource_type=RESOURCE_CONNECTION, user=user)
 
@@ -245,9 +303,9 @@ class FabAuthManager(BaseAuthManager[User]):
         self,
         *,
         method: ResourceMethod,
+        user: User,
         access_entity: DagAccessEntity | None = None,
         details: DagDetails | None = None,
-        user: BaseUser | None = None,
     ) -> bool:
         """
         Return whether the user is authorized to access the dag.
@@ -264,9 +322,9 @@ class FabAuthManager(BaseAuthManager[User]):
                 if no specific DAG is targeted, just check the sub entity.
 
         :param method: The method to authorize.
+        :param user: The user performing the action.
         :param access_entity: The dag access entity.
         :param details: The dag details.
-        :param user: The user.
         """
         if not access_entity:
             # Scenario 1
@@ -282,74 +340,100 @@ class FabAuthManager(BaseAuthManager[User]):
                 return False
 
             return all(
-                self._is_authorized(method=method, resource_type=resource_type, user=user)
-                if resource_type != RESOURCE_DAG_RUN or not hasattr(permissions, "resource_name")
-                else self._is_authorized_dag_run(method=method, details=details, user=user)
+                (
+                    self._is_authorized(method=method, resource_type=resource_type, user=user)
+                    if resource_type != RESOURCE_DAG_RUN or not hasattr(permissions, "resource_name")
+                    else self._is_authorized_dag_run(method=method, details=details, user=user)
+                )
                 for resource_type in resource_types
             )
 
+    def is_authorized_backfill(
+        self,
+        *,
+        method: ResourceMethod,
+        user: User,
+        details: BackfillDetails | None = None,
+    ) -> bool:
+        return self._is_authorized(method=method, resource_type=RESOURCE_BACKFILL, user=user)
+
     def is_authorized_asset(
-        self, *, method: ResourceMethod, details: AssetDetails | None = None, user: BaseUser | None = None
+        self, *, method: ResourceMethod, user: User, details: AssetDetails | None = None
     ) -> bool:
         return self._is_authorized(method=method, resource_type=RESOURCE_ASSET, user=user)
 
+    def is_authorized_asset_alias(
+        self,
+        *,
+        method: ResourceMethod,
+        user: User,
+        details: AssetAliasDetails | None = None,
+    ) -> bool:
+        return self._is_authorized(method=method, resource_type=RESOURCE_ASSET_ALIAS, user=user)
+
     def is_authorized_pool(
-        self, *, method: ResourceMethod, details: PoolDetails | None = None, user: BaseUser | None = None
+        self, *, method: ResourceMethod, user: User, details: PoolDetails | None = None
     ) -> bool:
         return self._is_authorized(method=method, resource_type=RESOURCE_POOL, user=user)
 
     def is_authorized_variable(
-        self, *, method: ResourceMethod, details: VariableDetails | None = None, user: BaseUser | None = None
+        self,
+        *,
+        method: ResourceMethod,
+        user: User,
+        details: VariableDetails | None = None,
     ) -> bool:
         return self._is_authorized(method=method, resource_type=RESOURCE_VARIABLE, user=user)
 
-    def is_authorized_view(self, *, access_view: AccessView, user: BaseUser | None = None) -> bool:
+    def is_authorized_view(self, *, access_view: AccessView, user: User) -> bool:
         # "Docs" are only links in the menu, there is no page associated
         method: ResourceMethod = "MENU" if access_view == AccessView.DOCS else "GET"
         return self._is_authorized(
-            method=method, resource_type=_MAP_ACCESS_VIEW_TO_FAB_RESOURCE_TYPE[access_view], user=user
+            method=method,
+            resource_type=_MAP_ACCESS_VIEW_TO_FAB_RESOURCE_TYPE[access_view],
+            user=user,
         )
 
     def is_authorized_custom_view(
-        self, *, method: ResourceMethod | str, resource_name: str, user: BaseUser | None = None
-    ):
-        if not user:
-            user = self.get_user()
+        self, *, method: ResourceMethod | str, resource_name: str, user: User
+    ) -> bool:
         fab_action_name = get_fab_action_from_method_map().get(method, method)
         return (fab_action_name, resource_name) in self._get_user_permissions(user)
 
+    def filter_authorized_menu_items(self, menu_items: list[MenuItem], user: User) -> list[MenuItem]:
+        return [
+            menu_item
+            for menu_item in menu_items
+            if self._is_authorized(
+                method="MENU",
+                resource_type=_MAP_MENU_ITEM_TO_FAB_RESOURCE_TYPE.get(menu_item, menu_item.value),
+                user=user,
+            )
+        ]
+
     @provide_session
-    def get_permitted_dag_ids(
+    def get_authorized_dag_ids(
         self,
         *,
-        methods: Container[ResourceMethod] | None = None,
-        user=None,
+        user: User,
+        method: ResourceMethod = "GET",
         session: Session = NEW_SESSION,
     ) -> set[str]:
-        if not methods:
-            methods = ["PUT", "GET"]
-
-        if not user:
-            user = self.get_user()
-
-        if not self.is_logged_in():
-            roles = user.roles
-        else:
-            if ("GET" in methods and self.is_authorized_dag(method="GET", user=user)) or (
-                "PUT" in methods and self.is_authorized_dag(method="PUT", user=user)
-            ):
-                # If user is authorized to read/edit all DAGs, return all DAGs
-                return {dag.dag_id for dag in session.execute(select(DagModel.dag_id))}
-            user_query = session.scalar(
-                select(User)
-                .options(
-                    joinedload(User.roles)
-                    .subqueryload(Role.permissions)
-                    .options(joinedload(Permission.action), joinedload(Permission.resource))
-                )
-                .where(User.id == user.id)
+        if self._is_authorized(method=method, resource_type=RESOURCE_DAG, user=user):
+            # If user is authorized to access all DAGs, return all DAGs
+            return {dag.dag_id for dag in session.execute(select(DagModel.dag_id))}
+        if isinstance(user, AnonymousUser):
+            return set()
+        user_query = session.scalar(
+            select(User)
+            .options(
+                joinedload(User.roles)
+                .subqueryload(Role.permissions)
+                .options(joinedload(Permission.action), joinedload(Permission.resource))
             )
-            roles = user_query.roles
+            .where(User.id == user.id)
+        )
+        roles = user_query.roles
 
         map_fab_action_name_to_method_name = get_method_from_fab_action_map()
         resources = set()
@@ -358,7 +442,7 @@ class FabAuthManager(BaseAuthManager[User]):
                 action = permission.action.name
                 if (
                     action in map_fab_action_name_to_method_name
-                    and map_fab_action_name_to_method_name[action] in methods
+                    and map_fab_action_name_to_method_name[action] == method
                 ):
                     resource = permission.resource.name
                     if resource == permissions.RESOURCE_DAG:
@@ -391,49 +475,72 @@ class FabAuthManager(BaseAuthManager[User]):
 
     def get_url_login(self, **kwargs) -> str:
         """Return the login page url."""
-        if not self.security_manager.auth_view:
-            raise AirflowException("`auth_view` not defined in the security manager.")
-        if next_url := kwargs.get("next_url"):
-            return url_for(f"{self.security_manager.auth_view.endpoint}.login", next=next_url)
-        else:
-            return url_for(f"{self.security_manager.auth_view.endpoint}.login")
+        return urljoin(self.apiserver_endpoint, f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/login/")
 
-    def get_url_logout(self):
+    def get_url_logout(self) -> str | None:
         """Return the logout page url."""
-        if not self.security_manager.auth_view:
-            raise AirflowException("`auth_view` not defined in the security manager.")
-        return url_for(f"{self.security_manager.auth_view.endpoint}.logout")
-
-    def get_url_user_profile(self) -> str | None:
-        """Return the url to a page displaying info about the current user."""
-        if not self.security_manager.user_view or self.appbuilder.get_app.config.get(
-            "AUTH_ROLE_PUBLIC", None
-        ):
-            return None
-        return url_for(f"{self.security_manager.user_view.endpoint}.userinfo")
+        return urljoin(self.apiserver_endpoint, f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/logout/")
 
     def register_views(self) -> None:
         self.security_manager.register_views()
 
+    def get_extra_menu_items(self, *, user: User) -> list[ExtraMenuItem]:
+        # Contains the list of menu items. ``resource_type`` is the name of the resource in FAB
+        # permission model to check whether the user is allowed to see this menu item
+        items = [
+            {
+                "resource_type": "List Users",
+                "text": "Users",
+                "href": f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/users/list/",
+            },
+            {
+                "resource_type": "List Roles",
+                "text": "Roles",
+                "href": f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/roles/list/",
+            },
+            {
+                "resource_type": "Actions",
+                "text": "Actions",
+                "href": f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/actions/list/",
+            },
+            {
+                "resource_type": "Resources",
+                "text": "Resources",
+                "href": f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/resources/list/",
+            },
+            {
+                "resource_type": "Permission Pairs",
+                "text": "Permissions",
+                "href": f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/permissions/list/",
+            },
+        ]
+
+        return [
+            ExtraMenuItem(text=item["text"], href=item["href"])
+            for item in items
+            if self._is_authorized(method="MENU", resource_type=item["resource_type"], user=user)
+        ]
+
+    @staticmethod
+    def get_db_manager() -> str | None:
+        return "airflow.providers.fab.auth_manager.models.db.FABDBManager"
+
     def _is_authorized(
         self,
         *,
         method: ResourceMethod,
         resource_type: str,
-        user: BaseUser | None = None,
+        user: User,
     ) -> bool:
         """
         Return whether the user is authorized to perform a given action.
 
         :param method: the method to perform
         :param resource_type: the type of resource the user attempts to perform the action on
-        :param user: the user to perform the action on. If not provided (or None), it uses the current user
+        :param user: the user to performing the action
 
         :meta private:
         """
-        if not user:
-            user = self.get_user()
-
         fab_action = self._get_fab_action(method)
         user_permissions = self._get_user_permissions(user)
 
@@ -442,15 +549,15 @@ class FabAuthManager(BaseAuthManager[User]):
     def _is_authorized_dag(
         self,
         method: ResourceMethod,
-        details: DagDetails | None = None,
-        user: BaseUser | None = None,
+        details: DagDetails | None,
+        user: User,
     ) -> bool:
         """
         Return whether the user is authorized to perform a given action on a DAG.
 
         :param method: the method to perform
-        :param details: optional details about the DAG
-        :param user: the user to perform the action on. If not provided (or None), it uses the current user
+        :param details: details about the DAG
+        :param user: the user to performing the action
 
         :meta private:
         """
@@ -468,15 +575,15 @@ class FabAuthManager(BaseAuthManager[User]):
     def _is_authorized_dag_run(
         self,
         method: ResourceMethod,
-        details: DagDetails | None = None,
-        user: BaseUser | None = None,
+        details: DagDetails | None,
+        user: User,
     ) -> bool:
         """
         Return whether the user is authorized to perform a given action on a DAG Run.
 
         :param method: the method to perform
-        :param details: optional, details about the DAG
-        :param user: optional, the user to perform the action on. If not provided, it uses the current user
+        :param details: details about the DAG
+        :param user: the user to performing the action
 
         :meta private:
         """
@@ -532,7 +639,7 @@ class FabAuthManager(BaseAuthManager[User]):
         return getattr(permissions, "resource_name_for_dag")(root_dag_id)
 
     @staticmethod
-    def _get_user_permissions(user: BaseUser):
+    def _get_user_permissions(user: User):
         """
         Return the user permissions.
 
@@ -569,11 +676,7 @@ class FabAuthManager(BaseAuthManager[User]):
         # Otherwise, when the name of a view or menu is changed, the framework
         # will add the new Views and Menus names to the backend, but will not
         # delete the old ones.
-        if Version(Version(version).base_version) >= Version("3.0.0"):
-            fallback = None
-        else:
-            fallback = conf.getboolean("webserver", "UPDATE_FAB_PERMS")
-        if conf.getboolean("fab", "UPDATE_FAB_PERMS", fallback=fallback):
+        if conf.getboolean("fab", "UPDATE_FAB_PERMS"):
             self.security_manager.sync_roles()
 
 

airflow/providers/fab/auth_manager/models/__init__.py

@@ -44,7 +44,7 @@ from sqlalchemy import (
 from sqlalchemy.orm import backref, declared_attr, registry, relationship
 
 from airflow import __version__ as airflow_version
-from airflow.auth.managers.models.base_user import BaseUser
+from airflow.api_fastapi.auth.managers.models.base_user import BaseUser
 from airflow.models.base import _get_schema, naming_convention
 
 if TYPE_CHECKING:

airflow/providers/fab/auth_manager/models/anonymous_user.py

@@ -20,7 +20,7 @@ from __future__ import annotations
 from flask import current_app
 from flask_login import AnonymousUserMixin
 
-from airflow.auth.managers.models.base_user import BaseUser
+from airflow.api_fastapi.auth.managers.models.base_user import BaseUser
 
 
 class AnonymousUser(AnonymousUserMixin, BaseUser):

airflow/providers/fab/auth_manager/models/db.py

@@ -31,6 +31,20 @@ _REVISION_HEADS_MAP: dict[str, str] = {
 }
 
 
+def _get_flask_db(sql_database_uri):
+    from flask import Flask
+    from flask_sqlalchemy import SQLAlchemy
+
+    from airflow.providers.fab.www.session import AirflowDatabaseSessionInterface
+
+    flask_app = Flask(__name__)
+    flask_app.config["SQLALCHEMY_DATABASE_URI"] = sql_database_uri
+    flask_app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
+    db = SQLAlchemy(flask_app)
+    AirflowDatabaseSessionInterface(app=flask_app, db=db, table="session", key_prefix="")
+    return db
+
+
 class FABDBManager(BaseDBManager):
     """Manages FAB database."""
 
@@ -40,6 +54,10 @@ class FABDBManager(BaseDBManager):
     alembic_file = (PACKAGE_DIR / "alembic.ini").as_posix()
     supports_table_dropping = True
 
+    def create_db_from_orm(self):
+        super().create_db_from_orm()
+        _get_flask_db(settings.SQL_ALCHEMY_CONN).create_all()
+
     def upgradedb(self, to_revision=None, from_revision=None, show_sql_only=False):
         """Upgrade the database."""
         if from_revision and not show_sql_only:
@@ -68,11 +86,6 @@ class FABDBManager(BaseDBManager):
             _offline_migration(command.upgrade, config, f"{from_revision}:{to_revision}")
             return  # only running sql; our job is done
 
-        if not self.get_current_revision():
-            # New DB; initialize and exit
-            self.initdb()
-            return
-
         command.upgrade(config, revision=to_revision or "heads")
 
     def downgrade(self, to_revision, from_revision=None, show_sql_only=False):
@@ -104,3 +117,7 @@ class FABDBManager(BaseDBManager):
         else:
             self.log.info("Applying FAB downgrade migrations.")
             command.downgrade(config, revision=to_revision, sql=show_sql_only)
+
+    def drop_tables(self, connection):
+        super().drop_tables(connection)
+        _get_flask_db(settings.SQL_ALCHEMY_CONN).drop_all()

airflow/providers/fab/auth_manager/openapi/v1.yaml

@@ -687,12 +687,21 @@ components:
     Basic:
       type: http
       scheme: basic
+      description: To authenticate FAB auth manager API requests, clients have the option to use basic
+        authentication. To learn more about FAB auth manager API authentication, please read
+        https://airflow.apache.org/docs/apache-airflow-providers-fab/stable/auth-manager/api-authentication.html#basic-authentication.
     GoogleOpenId:
       type: openIdConnect
       openIdConnectUrl: https://accounts.google.com/.well-known/openid-configuration
+      description: To authenticate FAB auth manager API requests, clients have the option to use Google OpenID.
+        To learn more about Google OpenID authentication, please read
+        https://airflow.apache.org/docs/apache-airflow-providers-google/stable/api-auth-backend/google-openid.html.
     Kerberos:
       type: http
       scheme: negotiate
+      description: To authenticate FAB auth manager API requests, clients have the option to use Kerberos
+        authentication. To learn more about FAB auth manager API authentication, please read
+        https://airflow.apache.org/docs/apache-airflow-providers-fab/stable/auth-manager/api-authentication.html#kerberos-authentication.
 
 tags:
   - name: Role