apache-airflow-providers-fab 2.0.2rc2__py3-none-any.whl → 2.1.0__py3-none-any.whl

airflow/providers/fab/__init__.py

@@ -29,11 +29,11 @@ from airflow import __version__ as airflow_version
 
 __all__ = ["__version__"]
 
-__version__ = "2.0.2"
+__version__ = "2.1.0"
 
 if packaging.version.parse(packaging.version.parse(airflow_version).base_version) < packaging.version.parse(
-    "3.0.0"
+    "3.0.2"
 ):
     raise RuntimeError(
-        f"The package `apache-airflow-providers-fab:{__version__}` needs Apache Airflow 3.0.0+"
+        f"The package `apache-airflow-providers-fab:{__version__}` needs Apache Airflow 3.0.2+"
     )

airflow/providers/fab/auth_manager/api_endpoints/role_and_permission_endpoint.py

@@ -123,6 +123,8 @@ def patch_role(*, role_name: str, update_mask: UpdateMask = None) -> APIResponse
     """Update a role."""
     security_manager = cast("FabAuthManager", get_auth_manager()).security_manager
     body = request.json
+    if body is None:
+        raise BadRequest("Request body is required")
     try:
         data = role_schema.load(body)
     except ValidationError as err:
@@ -156,6 +158,8 @@ def post_role() -> APIResponse:
     """Create a new role."""
     security_manager = cast("FabAuthManager", get_auth_manager()).security_manager
     body = request.json
+    if body is None:
+        raise BadRequest("Request body is required")
     try:
         data = role_schema.load(body)
     except ValidationError as err:

airflow/providers/fab/auth_manager/api_endpoints/user_endpoint.py

@@ -88,6 +88,8 @@ def get_users(*, limit: int, order_by: str = "id", offset: str | None = None) ->
 @requires_access_custom_view("POST", permissions.RESOURCE_USER)
 def post_user() -> APIResponse:
     """Create a new user."""
+    if request.json is None:
+        raise BadRequest("Request body is required")
     try:
         data = user_schema.load(request.json)
     except ValidationError as e:
@@ -131,6 +133,8 @@ def post_user() -> APIResponse:
 @requires_access_custom_view("PUT", permissions.RESOURCE_USER)
 def patch_user(*, username: str, update_mask: UpdateMask = None) -> APIResponse:
     """Update a user."""
+    if request.json is None:
+        raise BadRequest("Request body is required")
     try:
         data = user_schema.load(request.json)
     except ValidationError as e:

airflow/providers/fab/auth_manager/models/__init__.py

@@ -102,11 +102,37 @@ assoc_permission_role = Table(
     "ab_permission_view_role",
     Model.metadata,
     Column("id", Integer, primary_key=True),
-    Column("permission_view_id", Integer, ForeignKey("ab_permission_view.id")),
-    Column("role_id", Integer, ForeignKey("ab_role.id")),
+    Column(
+        "permission_view_id",
+        Integer,
+        ForeignKey("ab_permission_view.id", ondelete="CASCADE"),
+    ),
+    Column("role_id", Integer, ForeignKey("ab_role.id", ondelete="CASCADE")),
     UniqueConstraint("permission_view_id", "role_id"),
 )
 
+assoc_user_group = Table(
+    "ab_user_group",
+    Model.metadata,
+    Column("id", Integer, primary_key=True),
+    Column("user_id", Integer, ForeignKey("ab_user.id", ondelete="CASCADE")),
+    Column("group_id", Integer, ForeignKey("ab_group.id", ondelete="CASCADE")),
+    UniqueConstraint("user_id", "group_id"),
+    Index("idx_user_id", "user_id"),
+    Index("idx_user_group_id", "group_id"),
+)
+
+assoc_group_role = Table(
+    "ab_group_role",
+    Model.metadata,
+    Column("id", Integer, primary_key=True),
+    Column("group_id", Integer, ForeignKey("ab_group.id", ondelete="CASCADE")),
+    Column("role_id", Integer, ForeignKey("ab_role.id", ondelete="CASCADE")),
+    UniqueConstraint("group_id", "role_id"),
+    Index("idx_group_id", "group_id"),
+    Index("idx_group_role_id", "role_id"),
+)
+
 
 class Role(Model):
     """Represents a user role to which permissions can be assigned."""
@@ -115,7 +141,29 @@ class Role(Model):
 
     id = Column(Integer, primary_key=True)
     name = Column(String(64), unique=True, nullable=False)
-    permissions = relationship("Permission", secondary=assoc_permission_role, backref="role", lazy="joined")
+    permissions = relationship(
+        "Permission",
+        secondary=assoc_permission_role,
+        backref="role",
+        lazy="joined",
+        passive_deletes=True,
+    )
+
+    def __repr__(self):
+        return self.name
+
+
+class Group(Model):
+    """Represents a user group."""
+
+    __tablename__ = "ab_group"
+
+    id = Column(Integer, primary_key=True)
+    name = Column(String(100), unique=True, nullable=False)
+    label = Column(String(150))
+    description = Column(String(512))
+    users = relationship("User", secondary=assoc_user_group, backref="groups", passive_deletes=True)
+    roles = relationship("Role", secondary=assoc_group_role, backref="groups", passive_deletes=True)
 
     def __repr__(self):
         return self.name
@@ -148,8 +196,8 @@ assoc_user_role = Table(
     "ab_user_role",
     Model.metadata,
     Column("id", Integer, primary_key=True),
-    Column("user_id", Integer, ForeignKey("ab_user.id")),
-    Column("role_id", Integer, ForeignKey("ab_role.id")),
+    Column("user_id", Integer, ForeignKey("ab_user.id", ondelete="CASCADE")),
+    Column("role_id", Integer, ForeignKey("ab_role.id", ondelete="CASCADE")),
     UniqueConstraint("user_id", "role_id"),
 )
 
@@ -170,7 +218,9 @@ class User(Model, BaseUser):
     last_login = Column(DateTime)
     login_count = Column(Integer)
     fail_login_count = Column(Integer)
-    roles = relationship("Role", secondary=assoc_user_role, backref="user", lazy="selectin")
+    roles = relationship(
+        "Role", secondary=assoc_user_role, backref="user", lazy="selectin", passive_deletes=True
+    )
     created_on = Column(DateTime, default=datetime.datetime.now, nullable=True)
     changed_on = Column(DateTime, default=datetime.datetime.now, nullable=True)
 

airflow/providers/fab/auth_manager/models/anonymous_user.py

@@ -37,13 +37,17 @@ class AnonymousUser(AnonymousUserMixin, BaseUser):
         if not self._roles:
             public_role = current_app.config.get("AUTH_ROLE_PUBLIC", None)
             self._roles = {current_app.appbuilder.sm.find_role(public_role)} if public_role else set()
-        return self._roles
+        return list(self._roles)
 
     @roles.setter
     def roles(self, roles):
         self._roles = roles
         self._perms = set()
 
+    @property
+    def groups(self):
+        return []
+
     @property
     def perms(self):
         if not self._perms:

airflow/providers/fab/auth_manager/security_manager/override.py

@@ -55,6 +55,7 @@ from flask_appbuilder.security.views import (
     AuthOIDView,
     AuthRemoteUserView,
     RegisterUserModelView,
+    UserGroupModelView,
 )
 from flask_babel import lazy_gettext
 from flask_jwt_extended import JWTManager
@@ -71,6 +72,7 @@ from airflow.exceptions import AirflowException
 from airflow.models import DagBag
 from airflow.providers.fab.auth_manager.models import (
     Action,
+    Group,
     Permission,
     RegisterUser,
     Resource,
@@ -100,10 +102,7 @@ from airflow.providers.fab.auth_manager.views.user_edit import (
 from airflow.providers.fab.auth_manager.views.user_stats import CustomUserStatsChartView
 from airflow.providers.fab.www.security import permissions
 from airflow.providers.fab.www.security_manager import AirflowSecurityManagerV2
-from airflow.providers.fab.www.session import (
-    AirflowDatabaseSessionInterface,
-    AirflowDatabaseSessionInterface as FabAirflowDatabaseSessionInterface,
-)
+from airflow.providers.fab.www.session import AirflowDatabaseSessionInterface
 from airflow.security.permissions import RESOURCE_BACKFILL
 
 if TYPE_CHECKING:
@@ -149,6 +148,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
     """ Models """
     user_model = User
     role_model = Role
+    group_model = Group
     action_model = Action
     resource_model = Resource
     permission_model = Permission
@@ -173,6 +173,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
     actionmodelview = ActionModelView
     permissionmodelview = PermissionPairModelView
     rolemodelview = CustomRoleModelView
+    groupmodelview = UserGroupModelView
     registeruser_model = RegisterUser
     registerusermodelview = RegisterUserModelView
     resourcemodelview = ResourceModelView
@@ -450,7 +451,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         role_view = self.appbuilder.add_view(
             self.rolemodelview,
             "List Roles",
-            icon="fa-group",
+            icon="fa-user-gear",
             label=lazy_gettext("List Roles"),
             category="Security",
             category_icon="fa-cogs",
@@ -532,12 +533,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         return self.update_user(user)
 
     def reset_user_sessions(self, user: User) -> None:
-        if isinstance(
-            self.appbuilder.get_app.session_interface, AirflowDatabaseSessionInterface
-        ) or isinstance(
-            self.appbuilder.get_app.session_interface,
-            FabAirflowDatabaseSessionInterface,
-        ):
+        if isinstance(self.appbuilder.get_app.session_interface, AirflowDatabaseSessionInterface):
             interface = self.appbuilder.get_app.session_interface
             session = interface.db.session
             user_session_model = interface.sql_session_model
@@ -859,6 +855,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             self.registerusermodelview.datamodel = SQLAInterface(self.registeruser_model)
 
         self.rolemodelview.datamodel = SQLAInterface(self.role_model)
+        self.groupmodelview.datamodel = SQLAInterface(self.group_model)
         self.actionmodelview.datamodel = SQLAInterface(self.action_model)
         self.resourcemodelview.datamodel = SQLAInterface(self.resource_model)
         self.permissionmodelview.datamodel = SQLAInterface(self.permission_model)
@@ -875,7 +872,8 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         try:
             engine = self.get_session.get_bind(mapper=None, clause=None)
             inspector = inspect(engine)
-            if "ab_user" not in inspector.get_table_names():
+            existing_tables = inspector.get_table_names()
+            if "ab_user" not in existing_tables or "ab_group" not in existing_tables:
                 log.info(const.LOGMSG_INF_SEC_NO_DB)
                 Base.metadata.create_all(engine)
                 log.info(const.LOGMSG_INF_SEC_ADD_DB)
@@ -1311,15 +1309,20 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 
     def add_user(
         self,
-        username,
-        first_name,
-        last_name,
-        email,
-        role,
-        password="",
-        hashed_password="",
+        username: str,
+        first_name: str,
+        last_name: str,
+        email: str,
+        role: list[Role] | Role | None = None,
+        password: str = "",
+        hashed_password: str = "",
+        groups: list[Group] | None = None,
     ):
         """Create a user."""
+        roles: list[Role] = []
+        if role:
+            roles = role if isinstance(role, list) else [role]
+
         try:
             user = self.user_model()
             user.first_name = first_name
@@ -1328,7 +1331,8 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             user.email = email
             user.active = True
             self.get_session.add(user)
-            user.roles = role if isinstance(role, list) else [role]
+            user.roles = roles
+            user.groups = groups or []
             if hashed_password:
                 user.password = hashed_password
             else:
@@ -1692,7 +1696,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         """
         if user is None:
             user = g.user
-        return user.roles
+        return user.roles + [role for group in user.groups for role in group.roles]
 
     """
     --------------------

airflow/providers/fab/get_provider_info.py

@@ -30,6 +30,20 @@ def get_provider_info():
             "fab": {
                 "description": "This section contains configs specific to FAB provider.",
                 "options": {
+                    "access_denied_message": {
+                        "description": "The message displayed when a user attempts to execute actions beyond their authorised privileges.\n",
+                        "version_added": "2.1.0",
+                        "type": "string",
+                        "example": None,
+                        "default": "Access is Denied",
+                    },
+                    "expose_hostname": {
+                        "description": "Expose hostname in the web server\n",
+                        "version_added": "2.1.0",
+                        "type": "string",
+                        "example": None,
+                        "default": "False",
+                    },
                     "auth_rate_limited": {
                         "description": "Boolean for enabling rate limiting on authentication endpoints.\n",
                         "version_added": "1.0.2",
@@ -79,6 +93,48 @@ def get_provider_info():
                         "example": None,
                         "default": "43200",
                     },
+                    "enable_proxy_fix": {
+                        "description": "Enable werkzeug ``ProxyFix`` middleware for reverse proxy\n",
+                        "version_added": "2.1.0",
+                        "type": "boolean",
+                        "example": None,
+                        "default": "False",
+                    },
+                    "proxy_fix_x_for": {
+                        "description": "Number of values to trust for ``X-Forwarded-For``.\nSee `Werkzeug: X-Forwarded-For Proxy Fix\n<https://werkzeug.palletsprojects.com/en/2.3.x/middleware/proxy_fix/>`__ for more details.\n",
+                        "version_added": "2.1.0",
+                        "type": "integer",
+                        "example": None,
+                        "default": "1",
+                    },
+                    "proxy_fix_x_proto": {
+                        "description": "Number of values to trust for ``X-Forwarded-Proto``.\nSee `Werkzeug: X-Forwarded-For Proxy Fix\n<https://werkzeug.palletsprojects.com/en/2.3.x/middleware/proxy_fix/>`__ for more details.\n",
+                        "version_added": "2.1.0",
+                        "type": "integer",
+                        "example": None,
+                        "default": "1",
+                    },
+                    "proxy_fix_x_host": {
+                        "description": "Number of values to trust for ``X-Forwarded-Host``.\nSee `Werkzeug: X-Forwarded-For Proxy Fix\n<https://werkzeug.palletsprojects.com/en/2.3.x/middleware/proxy_fix/>`__ for more details.\n",
+                        "version_added": "2.1.0",
+                        "type": "integer",
+                        "example": None,
+                        "default": "1",
+                    },
+                    "proxy_fix_x_port": {
+                        "description": "Number of values to trust for ``X-Forwarded-Port``.\nSee `Werkzeug: X-Forwarded-For Proxy Fix\n<https://werkzeug.palletsprojects.com/en/2.3.x/middleware/proxy_fix/>`__ for more details.\n",
+                        "version_added": "2.1.0",
+                        "type": "integer",
+                        "example": None,
+                        "default": "1",
+                    },
+                    "proxy_fix_x_prefix": {
+                        "description": "Number of values to trust for ``X-Forwarded-Prefix``.\nSee `Werkzeug: X-Forwarded-For Proxy Fix\n<https://werkzeug.palletsprojects.com/en/2.3.x/middleware/proxy_fix/>`__ for more details.\n",
+                        "version_added": "2.1.0",
+                        "type": "integer",
+                        "example": None,
+                        "default": "1",
+                    },
                 },
             }
         },

airflow/providers/fab/www/app.py

@@ -41,6 +41,7 @@ from airflow.providers.fab.www.extensions.init_views import (
     init_error_handlers,
     init_plugins,
 )
+from airflow.providers.fab.www.extensions.init_wsgi_middlewares import init_wsgi_middleware
 from airflow.providers.fab.www.utils import get_session_lifetime_config
 
 app: Flask | None = None
@@ -103,6 +104,7 @@ def create_app(enable_plugins: bool):
         init_jinja_globals(flask_app, enable_plugins=enable_plugins)
         init_xframe_protection(flask_app)
         init_airflow_session_interface(flask_app)
+        init_wsgi_middleware(flask_app)
     return flask_app
 
 

airflow/providers/fab/www/auth.py

@@ -61,7 +61,7 @@ log = logging.getLogger(__name__)
 
 
 def get_access_denied_message():
-    return conf.get("webserver", "access_denied_message")
+    return conf.get("fab", "access_denied_message")
 
 
 def has_access_with_pk(f):
@@ -145,7 +145,7 @@ def _has_access(*, is_authorized: bool, func: Callable, args, kwargs):
         return (
             render_template(
                 "airflow/no_roles_permissions.html",
-                hostname=get_hostname() if conf.getboolean("webserver", "EXPOSE_HOSTNAME") else "",
+                hostname=get_hostname() if conf.getboolean("fab", "EXPOSE_HOSTNAME") else "",
                 logout_url=get_fab_auth_manager().get_url_logout(),
             ),
             403,
@@ -217,7 +217,7 @@ def has_access_dag(method: ResourceMethod, access_entity: DagAccessEntity | None
                 return (
                     render_template(
                         "airflow/no_roles_permissions.html",
-                        hostname=get_hostname() if conf.getboolean("webserver", "EXPOSE_HOSTNAME") else "",
+                        hostname=get_hostname() if conf.getboolean("fab", "EXPOSE_HOSTNAME") else "",
                         logout_url=get_auth_manager().get_url_logout(),
                     ),
                     403,

airflow/providers/fab/www/extensions/init_jinja_globals.py

@@ -37,7 +37,7 @@ def init_jinja_globals(app, enable_plugins: bool):
     elif server_timezone == "utc":
         server_timezone = "UTC"
 
-    expose_hostname = conf.getboolean("webserver", "EXPOSE_HOSTNAME")
+    expose_hostname = conf.getboolean("fab", "EXPOSE_HOSTNAME")
     hostname = get_hostname() if expose_hostname else "redact"
 
     try:

airflow/providers/fab/www/extensions/init_wsgi_middlewares.py

@@ -0,0 +1,41 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+from werkzeug.middleware.proxy_fix import ProxyFix
+
+from airflow.configuration import conf
+
+if TYPE_CHECKING:
+    from flask import Flask
+
+
+def init_wsgi_middleware(flask_app: Flask) -> None:
+    """Handle X-Forwarded-* headers and base_url support."""
+    # Apply ProxyFix middleware
+    if conf.getboolean("fab", "ENABLE_PROXY_FIX"):
+        flask_app.wsgi_app = ProxyFix(  # type: ignore
+            flask_app.wsgi_app,
+            x_for=conf.getint("fab", "PROXY_FIX_X_FOR", fallback=1),
+            x_proto=conf.getint("fab", "PROXY_FIX_X_PROTO", fallback=1),
+            x_host=conf.getint("fab", "PROXY_FIX_X_HOST", fallback=1),
+            x_port=conf.getint("fab", "PROXY_FIX_X_PORT", fallback=1),
+            x_prefix=conf.getint("fab", "PROXY_FIX_X_PREFIX", fallback=1),
+        )