apache-airflow-providers-fab 2.4.1rc1__py3-none-any.whl → 2.4.2rc1__py3-none-any.whl

airflow/providers/fab/__init__.py

@@ -29,7 +29,7 @@ from airflow import __version__ as airflow_version
 
 __all__ = ["__version__"]
 
-__version__ = "2.4.1"
+__version__ = "2.4.2"
 
 if packaging.version.parse(packaging.version.parse(airflow_version).base_version) < packaging.version.parse(
     "3.0.2"

airflow/providers/fab/auth_manager/fab_auth_manager.py

@@ -75,6 +75,7 @@ from airflow.providers.fab.www.extensions.init_views import (
 )
 from airflow.providers.fab.www.security import permissions
 from airflow.providers.fab.www.security.permissions import (
+    ACTION_CAN_READ,
     RESOURCE_AUDIT_LOG,
     RESOURCE_CLUSTER_ACTIVITY,
     RESOURCE_CONFIG,
@@ -82,6 +83,7 @@ from airflow.providers.fab.www.security.permissions import (
     RESOURCE_DAG,
     RESOURCE_DAG_CODE,
     RESOURCE_DAG_DEPENDENCIES,
+    RESOURCE_DAG_PREFIX,
     RESOURCE_DAG_RUN,
     RESOURCE_DAG_VERSION,
     RESOURCE_DAG_WARNING,
@@ -323,40 +325,52 @@ class FabAuthManager(BaseAuthManager[User]):
 
         There are multiple scenarios:
 
-        1. ``access_entity`` is not provided which means the user wants to access the DAG itself and not a sub
-        entity (e.g. DAG runs).
-        2. ``access_entity`` is provided which means the user wants to access a sub entity of the DAG
-        (e.g. DAG runs).
+        1. ``method`` is "GET" and no details are provided which means the user wants to list Dags (or sub entities of Dags).
+        2. ``access_entity`` is not provided which means the user wants to access the DAG itself and not a sub
+            entity (e.g. Task instances).
+        3. ``access_entity`` is provided which means the user wants to access a sub entity of the DAG
+            (e.g. DAG runs).
 
             a. If ``method`` is GET, then check the user has READ permissions on the DAG and the sub entity.
-            b. Else, check the user has EDIT permissions on the DAG and ``method`` on the sub entity. However,
-                if no specific DAG is targeted, just check the sub entity.
+            b. Else, check the user has EDIT permissions on the DAG and ``method`` on the sub entity.
 
         :param method: The method to authorize.
         :param user: The user performing the action.
         :param access_entity: The dag access entity.
         :param details: The dag details.
         """
-        if not access_entity:
+        if access_entity:
+            # If a sub-Dag entity is specified, check whether the user has access to it
+            resource_types = self._get_fab_resource_types(access_entity)
+            access_entity_authorized = all(
+                self._is_authorized(method=method, resource_type=resource_type, user=user)
+                for resource_type in resource_types
+            )
+            if access_entity == DagAccessEntity.RUN and details and details.id:
+                # Check using the deprecated permission prefix "DAG Run" to check whether the user has access to dag runs
+                is_authorized_run = self._is_authorized(
+                    method=method,
+                    resource_type=permissions.resource_name(details.id, RESOURCE_DAG_RUN),
+                    user=user,
+                )
+                if not (is_authorized_run or access_entity_authorized):
+                    return False
+            elif not access_entity_authorized:
+                return False
+
+        if method == "GET" and (not details or not details.id):
             # Scenario 1
+            return self._is_authorized_list_dags(user=user)
+        if not access_entity:
+            # Scenario 2
             return self._is_authorized_dag(method=method, details=details, user=user)
-        # Scenario 2
-        resource_types = self._get_fab_resource_types(access_entity)
+        # Scenario 3
         dag_method: ResourceMethod = "GET" if method == "GET" else "PUT"
-
         if (details and details.id) and not self._is_authorized_dag(
             method=dag_method, details=details, user=user
         ):
             return False
-
-        return all(
-            (
-                self._is_authorized(method=method, resource_type=resource_type, user=user)
-                if resource_type != RESOURCE_DAG_RUN or not hasattr(permissions, "resource_name")
-                else self._is_authorized_dag_run(method=method, details=details, user=user)
-            )
-            for resource_type in resource_types
-        )
+        return True
 
     def is_authorized_backfill(
         self,
@@ -545,7 +559,7 @@ class FabAuthManager(BaseAuthManager[User]):
 
         :param method: the method to perform
         :param resource_type: the type of resource the user attempts to perform the action on
-        :param user: the user to performing the action
+        :param user: the user performing the action
 
         :meta private:
         """
@@ -565,7 +579,7 @@ class FabAuthManager(BaseAuthManager[User]):
 
         :param method: the method to perform
         :param details: details about the DAG
-        :param user: the user to performing the action
+        :param user: the user performing the action
 
         :meta private:
         """
@@ -577,34 +591,25 @@ class FabAuthManager(BaseAuthManager[User]):
             # Check whether the user has permissions to access a specific DAG
             resource_dag_name = permissions.resource_name(details.id, RESOURCE_DAG)
             return self._is_authorized(method=method, resource_type=resource_dag_name, user=user)
-        authorized_dags = self.get_authorized_dag_ids(user=user, method=method)
-        return len(authorized_dags) > 0
+        return False
 
-    def _is_authorized_dag_run(
-        self,
-        method: ResourceMethod,
-        details: DagDetails | None,
-        user: User,
-    ) -> bool:
+    def _is_authorized_list_dags(self, *, user: User) -> bool:
         """
-        Return whether the user is authorized to perform a given action on a DAG Run.
+        Return whether the user is authorized to list Dags.
 
-        :param method: the method to perform
-        :param details: details about the DAG
-        :param user: the user to performing the action
+        :param user: the user performing the action
 
         :meta private:
         """
-        is_global_authorized = self._is_authorized(method=method, resource_type=RESOURCE_DAG_RUN, user=user)
+        is_global_authorized = self._is_authorized(method="GET", resource_type=RESOURCE_DAG, user=user)
         if is_global_authorized:
             return True
 
-        if details and details.id:
-            # Check whether the user has permissions to access a specific DAG Run permission on a DAG Level
-            resource_dag_name = permissions.resource_name(details.id, RESOURCE_DAG_RUN)
-            return self._is_authorized(method=method, resource_type=resource_dag_name, user=user)
-        authorized_dags = self.get_authorized_dag_ids(user=user, method=method)
-        return len(authorized_dags) > 0
+        user_permissions = self._get_user_permissions(user)
+        for action, resource in user_permissions:
+            if action == ACTION_CAN_READ and resource.startswith(RESOURCE_DAG_PREFIX):
+                return True
+        return False
 
     @staticmethod
     def _get_fab_action(method: ExtendedResourceMethod) -> str:

airflow/providers/fab/auth_manager/models/__init__.py

@@ -288,8 +288,8 @@ class User(Model, BaseUser):
                 }
         return self._perms
 
-    def get_id(self):
-        return self.id
+    def get_id(self) -> str:
+        return str(self.id)
 
     def get_name(self) -> str:
         return self.username or self.email or self.user_id

airflow/providers/fab/auth_manager/security_manager/override.py

@@ -63,14 +63,13 @@ from flask_jwt_extended import JWTManager
 from flask_login import LoginManager
 from itsdangerous import want_bytes
 from markupsafe import Markup, escape
-from sqlalchemy import func, inspect, or_, select
+from sqlalchemy import delete, func, inspect, or_, select
 from sqlalchemy.exc import MultipleResultsFound
 from sqlalchemy.orm import joinedload
 from werkzeug.security import check_password_hash, generate_password_hash
 
 from airflow.configuration import conf
 from airflow.exceptions import AirflowException
-from airflow.models import DagBag
 from airflow.providers.fab.auth_manager.models import (
     Action,
     Group,
@@ -101,6 +100,7 @@ from airflow.providers.fab.auth_manager.views.user_edit import (
     CustomUserInfoEditView,
 )
 from airflow.providers.fab.auth_manager.views.user_stats import CustomUserStatsChartView
+from airflow.providers.fab.version_compat import AIRFLOW_V_3_1_PLUS
 from airflow.providers.fab.www.security import permissions
 from airflow.providers.fab.www.security_manager import AirflowSecurityManagerV2
 from airflow.providers.fab.www.session import AirflowDatabaseSessionInterface
@@ -111,12 +111,29 @@ if TYPE_CHECKING:
         RESOURCE_ASSET,
         RESOURCE_ASSET_ALIAS,
     )
+    from airflow.sdk import DAG
 else:
     from airflow.providers.common.compat.security.permissions import (
         RESOURCE_ASSET,
         RESOURCE_ASSET_ALIAS,
     )
 
+if AIRFLOW_V_3_1_PLUS:
+    from airflow.models.dagbag import DBDagBag
+    from airflow.utils.session import create_session
+
+    def _iter_dags() -> Iterable[DAG]:
+        with create_session() as session:
+            yield from DBDagBag().iter_all_latest_version_dags(session=session)
+else:
+    from airflow.models.dagbag import DagBag
+
+    def _iter_dags() -> Iterable[DAG]:
+        dagbag = DagBag(read_dags_from_db=True)  # type: ignore[call-arg]
+        dagbag.collect_dags_from_db()  # type: ignore[attr-defined]
+        return dagbag.dags.values()
+
+
 log = logging.getLogger(__name__)
 
 # This is the limit of DB user sessions that we consider as "healthy". If you have more sessions that this
@@ -548,7 +565,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             interface = self.appbuilder.get_app.session_interface
             session = interface.db.session
             user_session_model = interface.sql_session_model
-            num_sessions = session.query(user_session_model).count()
+            num_sessions = session.scalars(select(func.count()).select_from(user_session_model)).one()
             if num_sessions > MAX_NUM_DATABASE_USER_SESSIONS:
                 safe_username = escape(user.username)
                 self._cli_safe_flash(
@@ -563,7 +580,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                     "warning",
                 )
             else:
-                for s in session.query(user_session_model):
+                for s in session.scalars(select(user_session_model)).all():
                     session_details = interface.serializer.loads(want_bytes(s.data))
                     if session_details.get("_user_id") == user.id:
                         session.delete(s)
@@ -938,11 +955,9 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         if you only need to sync a single DAG.
         """
         perms = self.get_all_permissions()
-        dagbag = DagBag(read_dags_from_db=True)
-        dagbag.collect_dags_from_db()
-        dags = dagbag.dags.values()
 
-        for dag in dags:
+        for dag in _iter_dags():
+            print(dag)
             for resource_name, resource_values in self.RESOURCE_DETAILS_MAP.items():
                 dag_resource_name = permissions.resource_name(dag.dag_id, resource_name)
                 for action_name in resource_values["actions"]:
@@ -1194,12 +1209,14 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         """FAB leaves faulty permissions that need to be cleaned up."""
         self.log.debug("Cleaning faulty perms")
         sesh = self.appbuilder.get_session
-        perms = sesh.query(Permission).filter(
-            or_(
-                Permission.action == None,  # noqa: E711
-                Permission.resource == None,  # noqa: E711
+        perms = sesh.scalars(
+            select(Permission).where(
+                or_(
+                    Permission.action == None,  # noqa: E711
+                    Permission.resource == None,  # noqa: E711
+                )
             )
-        )
+        ).all()
         # Since FAB doesn't define ON DELETE CASCADE on these tables, we need
         # to delete the _object_ so that SQLA knows to delete the many-to-many
         # relationship object too. :(
@@ -1277,10 +1294,10 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 
         :param name: the role name
         """
-        return self.get_session.query(self.role_model).filter_by(name=name).one_or_none()
+        return self.get_session.scalars(select(self.role_model).filter_by(name=name)).unique().one_or_none()
 
     def get_all_roles(self):
-        return self.get_session.query(self.role_model).all()
+        return self.get_session.scalars(select(self.role_model)).unique().all()
 
     def delete_role(self, role_name: str) -> None:
         """
@@ -1289,10 +1306,10 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         :param role_name: the name of a role in the ab_role table
         """
         session = self.get_session
-        role = session.query(Role).filter(Role.name == role_name).first()
+        role = session.scalars(select(Role).where(Role.name == role_name)).first()
         if role:
             log.info("Deleting role '%s'", role_name)
-            session.delete(role)
+            session.execute(delete(Role).where(Role.name == role_name))
             session.commit()
         else:
             raise AirflowException(f"Role named '{role_name}' does not exist")
@@ -1323,7 +1340,11 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         return _roles
 
     def get_public_role(self):
-        return self.get_session.query(self.role_model).filter_by(name=self.auth_role_public).one_or_none()
+        return (
+            self.get_session.scalars(select(self.role_model).filter_by(name=self.auth_role_public))
+            .unique()
+            .one_or_none()
+        )
 
     """
     -----------
@@ -1380,7 +1401,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 
     def count_users(self):
         """Return the number of users in the database."""
-        return self.get_session.query(func.count(self.user_model.id)).scalar()
+        return self.get_session.scalar(select(func.count(self.user_model.id)))
 
     def add_register_user(self, username, first_name, last_name, email, password="", hashed_password=""):
         """
@@ -1412,22 +1433,22 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         if username:
             try:
                 if self.auth_username_ci:
-                    return (
-                        self.get_session.query(self.user_model)
-                        .filter(func.lower(self.user_model.username) == func.lower(username))
-                        .one_or_none()
+                    return self.get_session.scalars(
+                        select(self.user_model).where(
+                            func.lower(self.user_model.username) == func.lower(username)
+                        )
+                    ).one_or_none()
+                return self.get_session.scalars(
+                    select(self.user_model).where(
+                        func.lower(self.user_model.username) == func.lower(username)
                     )
-                return (
-                    self.get_session.query(self.user_model)
-                    .filter(func.lower(self.user_model.username) == func.lower(username))
-                    .one_or_none()
-                )
+                ).one_or_none()
             except MultipleResultsFound:
                 log.error("Multiple results found for user %s", username)
                 return None
         elif email:
             try:
-                return self.get_session.query(self.user_model).filter_by(email=email).one_or_none()
+                return self.get_session.scalars(select(self.user_model).filter_by(email=email)).one_or_none()
             except MultipleResultsFound:
                 log.error("Multiple results found for user with email %s", email)
                 return None
@@ -1459,7 +1480,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             return False
 
     def get_all_users(self):
-        return self.get_session.query(self.user_model).all()
+        return self.get_session.scalars(select(self.user_model)).all()
 
     def update_user_auth_stat(self, user, success=True):
         """
@@ -1499,7 +1520,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 
         :param name: name
         """
-        return self.get_session.query(self.action_model).filter_by(name=name).one_or_none()
+        return self.get_session.scalars(select(self.action_model).filter_by(name=name)).one_or_none()
 
     def create_action(self, name):
         """
@@ -1532,11 +1553,9 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             log.warning(const.LOGMSG_WAR_SEC_DEL_PERMISSION, name)
             return False
         try:
-            perms = (
-                self.get_session.query(self.permission_model)
-                .filter(self.permission_model.action == action)
-                .all()
-            )
+            perms = self.get_session.scalars(
+                select(self.permission_model).where(self.permission_model.action == action)
+            ).all()
             if perms:
                 log.warning(const.LOGMSG_WAR_SEC_DEL_PERM_PVM, action, perms)
                 return False
@@ -1560,7 +1579,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 
         :param name: Name of resource
         """
-        return self.get_session.query(self.resource_model).filter_by(name=name).one_or_none()
+        return self.get_session.scalars(select(self.resource_model).filter_by(name=name)).one_or_none()
 
     def create_resource(self, name) -> Resource | None:
         """
@@ -1602,10 +1621,13 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         resource = self.get_resource(resource_name)
         if action and resource:
             return (
-                self.get_session.query(self.permission_model)
-                .filter_by(action=action, resource=resource)
+                self.get_session.scalars(
+                    select(self.permission_model).filter_by(action=action, resource=resource)
+                )
+                .unique()
                 .one_or_none()
             )
+
         return None
 
     def get_resource_permissions(self, resource: Resource) -> Permission:
@@ -1614,7 +1636,9 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
 
         :param resource: Object representing a single resource.
         """
-        return self.get_session.query(self.permission_model).filter_by(resource_id=resource.id).all()
+        return self.get_session.scalars(
+            select(self.permission_model).filter_by(resource_id=resource.id)
+        ).all()
 
     def create_permission(self, action_name, resource_name) -> Permission | None:
         """
@@ -1661,9 +1685,9 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         perm = self.get_permission(action_name, resource_name)
         if not perm:
             return
-        roles = (
-            self.get_session.query(self.role_model).filter(self.role_model.permissions.contains(perm)).first()
-        )
+        roles = self.get_session.scalars(
+            select(self.role_model).where(self.role_model.permissions.contains(perm))
+        ).first()
         if roles:
             log.warning(const.LOGMSG_WAR_SEC_DEL_PERMVIEW, resource_name, action_name, roles)
             return
@@ -1672,7 +1696,9 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             self.get_session.delete(perm)
             self.get_session.commit()
             # if no more permission on permission view, delete permission
-            if not self.get_session.query(self.permission_model).filter_by(action=perm.action).all():
+            if not self.get_session.scalars(
+                select(self.permission_model).filter_by(action=perm.action)
+            ).all():
                 self.delete_action(perm.action.name)
             log.info(const.LOGMSG_INF_SEC_DEL_PERMVIEW, action_name, resource_name)
         except Exception as e:
@@ -2178,7 +2204,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
     def oauth_token_getter():
         """Get authentication (OAuth) token."""
         token = session.get("oauth")
-        log.debug("Token Get: %s", token)
+        log.debug("OAuth token retrieved from session.")
         return token
 
     @staticmethod

airflow/providers/fab/get_provider_info.py

@@ -30,6 +30,20 @@ def get_provider_info():
             "fab": {
                 "description": "This section contains configs specific to FAB provider.",
                 "options": {
+                    "cookie_secure": {
+                        "description": "Cookie with the secure attribute is only sent to the server with an HTTPS connection.\n",
+                        "version_added": "2.4.0",
+                        "type": "boolean",
+                        "example": None,
+                        "default": "False",
+                    },
+                    "cookie_samesite": {
+                        "description": "Whether the cookie is restricted to a first-party or same-site context.\n",
+                        "version_added": "2.4.0",
+                        "type": "string",
+                        "example": None,
+                        "default": "Lax",
+                    },
                     "navbar_color": {
                         "description": "Define the color of navigation bar\n",
                         "version_added": "2.2.0",