apache-airflow-providers-fab 3.0.1__py3-none-any.whl → 3.1.0rc1__py3-none-any.whl

airflow/providers/fab/auth_manager/api_fastapi/routes/roles.py

@@ -0,0 +1,137 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+from fastapi import Depends, Path, Query, status
+
+from airflow.api_fastapi.common.router import AirflowRouter
+from airflow.api_fastapi.core_api.openapi.exceptions import create_openapi_http_exception_doc
+from airflow.providers.fab.auth_manager.api_fastapi.datamodels.roles import (
+    RoleBody,
+    RoleCollectionResponse,
+    RoleResponse,
+)
+from airflow.providers.fab.auth_manager.api_fastapi.parameters import get_effective_limit
+from airflow.providers.fab.auth_manager.api_fastapi.security import requires_fab_custom_view
+from airflow.providers.fab.auth_manager.api_fastapi.services.roles import FABAuthManagerRoles
+from airflow.providers.fab.auth_manager.cli_commands.utils import get_application_builder
+from airflow.providers.fab.www.security import permissions
+
+if TYPE_CHECKING:
+    from airflow.providers.fab.auth_manager.api_fastapi.datamodels.roles import (
+        RoleBody,
+        RoleResponse,
+    )
+
+
+roles_router = AirflowRouter(prefix="/fab/v1", tags=["FabAuthManager"])
+
+
+@roles_router.post(
+    "/roles",
+    responses=create_openapi_http_exception_doc(
+        [
+            status.HTTP_400_BAD_REQUEST,
+            status.HTTP_401_UNAUTHORIZED,
+            status.HTTP_403_FORBIDDEN,
+            status.HTTP_409_CONFLICT,
+            status.HTTP_500_INTERNAL_SERVER_ERROR,
+        ]
+    ),
+    dependencies=[Depends(requires_fab_custom_view("POST", permissions.RESOURCE_ROLE))],
+)
+def create_role(body: RoleBody) -> RoleResponse:
+    """Create a new role (actions can be empty)."""
+    with get_application_builder():
+        return FABAuthManagerRoles.create_role(body=body)
+
+
+@roles_router.get(
+    "/roles",
+    response_model=RoleCollectionResponse,
+    responses=create_openapi_http_exception_doc(
+        [
+            status.HTTP_400_BAD_REQUEST,
+            status.HTTP_401_UNAUTHORIZED,
+            status.HTTP_403_FORBIDDEN,
+            status.HTTP_500_INTERNAL_SERVER_ERROR,
+        ]
+    ),
+    dependencies=[Depends(requires_fab_custom_view("GET", permissions.RESOURCE_ROLE))],
+)
+def get_roles(
+    order_by: str = Query("name", description="Field to order by. Prefix with '-' for descending."),
+    limit: int = Depends(get_effective_limit()),
+    offset: int = Query(0, ge=0, description="Number of items to skip before starting to collect results."),
+) -> RoleCollectionResponse:
+    """List roles with pagination and ordering."""
+    with get_application_builder():
+        return FABAuthManagerRoles.get_roles(order_by=order_by, limit=limit, offset=offset)
+
+
+@roles_router.delete(
+    "/roles/{name}",
+    responses=create_openapi_http_exception_doc(
+        [
+            status.HTTP_401_UNAUTHORIZED,
+            status.HTTP_403_FORBIDDEN,
+            status.HTTP_404_NOT_FOUND,
+        ]
+    ),
+    dependencies=[Depends(requires_fab_custom_view("DELETE", permissions.RESOURCE_ROLE))],
+)
+def delete_role(name: str = Path(..., min_length=1)) -> None:
+    """Delete an existing role."""
+    with get_application_builder():
+        return FABAuthManagerRoles.delete_role(name=name)
+
+
+@roles_router.get(
+    "/roles/{name}",
+    responses=create_openapi_http_exception_doc(
+        [status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN, status.HTTP_404_NOT_FOUND]
+    ),
+    dependencies=[Depends(requires_fab_custom_view("GET", permissions.RESOURCE_ROLE))],
+)
+def get_role(name: str = Path(..., min_length=1)) -> RoleResponse:
+    """Get an existing role."""
+    with get_application_builder():
+        return FABAuthManagerRoles.get_role(name=name)
+
+
+@roles_router.patch(
+    "/roles/{name}",
+    responses=create_openapi_http_exception_doc(
+        [
+            status.HTTP_400_BAD_REQUEST,
+            status.HTTP_401_UNAUTHORIZED,
+            status.HTTP_403_FORBIDDEN,
+            status.HTTP_404_NOT_FOUND,
+        ]
+    ),
+    dependencies=[Depends(requires_fab_custom_view("PATCH", permissions.RESOURCE_ROLE))],
+)
+def patch_role(
+    body: RoleBody,
+    name: str = Path(..., min_length=1),
+    update_mask: str | None = Query(None, description="Comma-separated list of fields to update"),
+) -> RoleResponse:
+    """Update an existing role."""
+    with get_application_builder():
+        return FABAuthManagerRoles.patch_role(name=name, body=body, update_mask=update_mask)

airflow/providers/fab/auth_manager/api_fastapi/security.py

@@ -0,0 +1,32 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from fastapi import Depends, HTTPException, status
+
+from airflow.api_fastapi.app import get_auth_manager
+from airflow.api_fastapi.core_api.security import get_user
+
+
+def requires_fab_custom_view(method: str, resource_name: str):
+    def _check(user=Depends(get_user)):
+        if not get_auth_manager().is_authorized_custom_view(
+            method=method, resource_name=resource_name, user=user
+        ):
+            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Forbidden")
+
+    return _check

airflow/providers/fab/auth_manager/api_fastapi/services/login.py

@@ -16,19 +16,14 @@
 # under the License.
 from __future__ import annotations
 
-from typing import TYPE_CHECKING, cast
+from typing import Any
 
-from flask_appbuilder.const import AUTH_LDAP
 from starlette import status
 from starlette.exceptions import HTTPException
 
-from airflow.api_fastapi.app import get_auth_manager
 from airflow.configuration import conf
-from airflow.providers.fab.auth_manager.api_fastapi.datamodels.login import LoginBody, LoginResponse
-
-if TYPE_CHECKING:
-    from airflow.providers.fab.auth_manager.fab_auth_manager import FabAuthManager
-    from airflow.providers.fab.auth_manager.models import User
+from airflow.providers.fab.auth_manager.api_fastapi.datamodels.login import LoginResponse
+from airflow.providers.fab.www.utils import get_fab_auth_manager
 
 
 class FABAuthManagerLogin:
@@ -36,25 +31,17 @@ class FABAuthManagerLogin:
 
     @classmethod
     def create_token(
-        cls, body: LoginBody, expiration_time_in_seconds: int = conf.getint("api_auth", "jwt_expiration_time")
+        cls,
+        headers: dict[str, str],
+        body: dict[str, Any],
+        expiration_time_in_seconds: int = conf.getint("api_auth", "jwt_expiration_time"),
     ) -> LoginResponse:
         """Create a new token."""
-        if not body.username or not body.password:
-            raise HTTPException(
-                status_code=status.HTTP_400_BAD_REQUEST, detail="Username and password must be provided"
-            )
-
-        auth_manager = cast("FabAuthManager", get_auth_manager())
-        user: User | None = None
-
-        if auth_manager.security_manager.auth_type == AUTH_LDAP:
-            user = auth_manager.security_manager.auth_user_ldap(
-                body.username, body.password, rotate_session_id=False
-            )
-        if user is None:
-            user = auth_manager.security_manager.auth_user_db(
-                body.username, body.password, rotate_session_id=False
-            )
+        auth_manager = get_fab_auth_manager()
+        try:
+            user = auth_manager.create_token(headers=headers, body=body)
+        except ValueError as e:
+            raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e))
 
         if not user:
             raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials")

airflow/providers/fab/auth_manager/api_fastapi/services/roles.py

@@ -0,0 +1,158 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+from fastapi import HTTPException, status
+from sqlalchemy import func, select
+
+from airflow.providers.fab.auth_manager.api_fastapi.datamodels.roles import (
+    RoleBody,
+    RoleCollectionResponse,
+    RoleResponse,
+)
+from airflow.providers.fab.auth_manager.api_fastapi.sorting import build_ordering
+from airflow.providers.fab.auth_manager.models import Role
+from airflow.providers.fab.www.utils import get_fab_auth_manager
+
+if TYPE_CHECKING:
+    from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
+
+
+class FABAuthManagerRoles:
+    """Service layer for FAB Auth Manager role operations (create, validate, sync)."""
+
+    @staticmethod
+    def _check_action_and_resource(
+        security_manager: FabAirflowSecurityManagerOverride,
+        perms: list[tuple[str, str]],
+    ) -> None:
+        for action_name, resource_name in perms:
+            if not security_manager.get_action(action_name):
+                raise HTTPException(
+                    status_code=status.HTTP_400_BAD_REQUEST,
+                    detail=f"The specified action: {action_name!r} was not found",
+                )
+            if not security_manager.get_resource(resource_name):
+                raise HTTPException(
+                    status_code=status.HTTP_400_BAD_REQUEST,
+                    detail=f"The specified resource: {resource_name!r} was not found",
+                )
+
+    @classmethod
+    def create_role(cls, body: RoleBody) -> RoleResponse:
+        security_manager = get_fab_auth_manager().security_manager
+
+        existing = security_manager.find_role(name=body.name)
+        if existing:
+            raise HTTPException(
+                status_code=status.HTTP_409_CONFLICT,
+                detail=f"Role with name {body.name!r} already exists; please update with the PATCH endpoint",
+            )
+
+        perms: list[tuple[str, str]] = [(ar.action.name, ar.resource.name) for ar in (body.permissions or [])]
+
+        cls._check_action_and_resource(security_manager, perms)
+
+        security_manager.bulk_sync_roles([{"role": body.name, "perms": perms}])
+
+        created = security_manager.find_role(name=body.name)
+        if not created:
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail="Role was not created due to an unexpected error.",
+            )
+
+        return RoleResponse.model_validate(created)
+
+    @classmethod
+    def get_roles(cls, *, order_by: str, limit: int, offset: int) -> RoleCollectionResponse:
+        security_manager = get_fab_auth_manager().security_manager
+        session = security_manager.session
+
+        total_entries = session.scalars(select(func.count(Role.id))).one()
+
+        ordering = build_ordering(order_by, allowed={"name": Role.name, "role_id": Role.id})
+
+        stmt = select(Role).order_by(ordering).offset(offset).limit(limit)
+        roles = session.scalars(stmt).unique().all()
+
+        return RoleCollectionResponse(
+            roles=[RoleResponse.model_validate(r) for r in roles],
+            total_entries=total_entries,
+        )
+
+    @classmethod
+    def delete_role(cls, name: str) -> None:
+        security_manager = get_fab_auth_manager().security_manager
+
+        existing = security_manager.find_role(name=name)
+        if not existing:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=f"Role with name {name!r} does not exist.",
+            )
+        security_manager.delete_role(existing)
+
+    @classmethod
+    def get_role(cls, name: str) -> RoleResponse:
+        security_manager = get_fab_auth_manager().security_manager
+
+        existing = security_manager.find_role(name=name)
+        if not existing:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=f"Role with name {name!r} does not exist.",
+            )
+        return RoleResponse.model_validate(existing)
+
+    @classmethod
+    def patch_role(cls, body: RoleBody, name: str, update_mask: str | None = None) -> RoleResponse:
+        security_manager = get_fab_auth_manager().security_manager
+
+        existing = security_manager.find_role(name=name)
+        if not existing:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=f"Role with name {name!r} does not exist.",
+            )
+
+        if update_mask:
+            update_data = RoleResponse.model_validate(existing)
+
+            for field in update_mask:
+                if field == "actions":
+                    update_data.permissions = body.permissions
+                elif hasattr(body, field):
+                    setattr(update_data, field, getattr(body, field))
+                else:
+                    raise HTTPException(
+                        status_code=status.HTTP_400_BAD_REQUEST,
+                        detail=f"'{field}' in update_mask is unknown",
+                    )
+        else:
+            update_data = RoleResponse(name=body.name, permissions=body.permissions or [])
+
+        perms: list[tuple[str, str]] = [(ar.action.name, ar.resource.name) for ar in (body.permissions or [])]
+        cls._check_action_and_resource(security_manager, perms)
+        security_manager.bulk_sync_roles([{"role": name, "perms": perms}])
+
+        new_name = update_data.name
+        if new_name and new_name != existing.name:
+            security_manager.update_role(role_id=existing.id, name=new_name)
+        return RoleResponse.model_validate(update_data)

airflow/providers/fab/auth_manager/api_fastapi/sorting.py

@@ -0,0 +1,49 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from collections.abc import Mapping
+from typing import TYPE_CHECKING, Any
+
+from fastapi import HTTPException, status
+from sqlalchemy import asc, desc
+
+if TYPE_CHECKING:
+    from sqlalchemy.orm import InstrumentedAttribute
+    from sqlalchemy.sql.elements import ColumnElement
+
+
+def build_ordering(
+    order_by: str, *, allowed: Mapping[str, ColumnElement[Any]] | Mapping[str, InstrumentedAttribute[Any]]
+) -> ColumnElement[Any]:
+    """
+    Build an SQLAlchemy ORDER BY expression from the `order_by` parameter.
+
+    :param order_by: Public field name, optionally prefixed with "-" for descending.
+    :param allowed: Map of public field to SQLAlchemy column/expression.
+    """
+    is_desc = order_by.startswith("-")
+    key = order_by.lstrip("-")
+
+    if key not in allowed:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"Ordering with '{order_by}' is disallowed or the attribute does not exist on the model",
+        )
+
+    col = allowed[key]
+    return desc(col) if is_desc else asc(col)

airflow/providers/fab/auth_manager/fab_auth_manager.py

@@ -27,6 +27,7 @@ import packaging.version
 from connexion import FlaskApi
 from fastapi import FastAPI
 from flask import Blueprint, current_app, g
+from flask_appbuilder.const import AUTH_LDAP
 from sqlalchemy import select
 from sqlalchemy.orm import Session, joinedload
 from starlette.middleware.wsgi import WSGIMiddleware
@@ -56,8 +57,9 @@ from airflow.cli.cli_config import (
     GroupCommand,
 )
 from airflow.configuration import conf
-from airflow.exceptions import AirflowConfigException, AirflowException
+from airflow.exceptions import AirflowConfigException
 from airflow.models import Connection, DagModel, Pool, Variable
+from airflow.providers.common.compat.sdk import AirflowException
 from airflow.providers.fab.auth_manager.cli_commands.definition import (
     DB_COMMANDS,
     PERMISSIONS_CLEANUP_COMMAND,
@@ -78,6 +80,7 @@ from airflow.providers.fab.www.security import permissions
 from airflow.providers.fab.www.security.permissions import (
     ACTION_CAN_READ,
     RESOURCE_AUDIT_LOG,
+    RESOURCE_BACKFILL,
     RESOURCE_CLUSTER_ACTIVITY,
     RESOURCE_CONFIG,
     RESOURCE_CONNECTION,
@@ -105,7 +108,6 @@ from airflow.providers.fab.www.utils import (
     get_fab_action_from_method_map,
     get_method_from_fab_action_map,
 )
-from airflow.security.permissions import RESOURCE_BACKFILL
 from airflow.utils.session import NEW_SESSION, create_session, provide_session
 from airflow.utils.yaml import safe_load
 
@@ -226,6 +228,7 @@ class FabAuthManager(BaseAuthManager[User]):
         from airflow.providers.fab.auth_manager.api_fastapi.routes.login import (
             login_router,
         )
+        from airflow.providers.fab.auth_manager.api_fastapi.routes.roles import roles_router
 
         flask_app = create_app(enable_plugins=False)
 
@@ -241,6 +244,7 @@ class FabAuthManager(BaseAuthManager[User]):
 
         # Add the login router to the FastAPI app
         app.include_router(login_router)
+        app.include_router(roles_router)
 
         app.mount("/", WSGIMiddleware(flask_app))
 
@@ -296,6 +300,32 @@ class FabAuthManager(BaseAuthManager[User]):
             or (not user.is_anonymous and user.is_active)
         )
 
+    def create_token(self, headers: dict[str, str], body: dict[str, Any]) -> User:
+        """
+        Create a new token from a payload.
+
+        By default, it uses basic authentication (username and password).
+        Override this method to use a different authentication method (e.g. oauth).
+
+        :param headers: request headers
+        :param body: request body
+        """
+        if not body.get("username") or not body.get("password"):
+            raise ValueError("Username and password must be provided")
+
+        user: User | None = None
+
+        if self.security_manager.auth_type == AUTH_LDAP:
+            user = self.security_manager.auth_user_ldap(
+                body["username"], body["password"], rotate_session_id=False
+            )
+        if user is None:
+            user = self.security_manager.auth_user_db(
+                body["username"], body["password"], rotate_session_id=False
+            )
+
+        return user
+
     def is_authorized_configuration(
         self,
         *,
@@ -567,7 +597,7 @@ class FabAuthManager(BaseAuthManager[User]):
 
     def get_url_logout(self) -> str | None:
         """Return the logout page url."""
-        return urljoin(self.apiserver_endpoint, f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/logout/")
+        return urljoin(self.apiserver_endpoint, f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/logout")
 
     def register_views(self) -> None:
         self.security_manager.register_views()

airflow/providers/fab/auth_manager/models/__init__.py

@@ -21,8 +21,6 @@ import datetime
 # This product contains a modified portion of 'Flask App Builder' developed by Daniel Vaz Gaspar.
 # (https://github.com/dpgaspar/Flask-AppBuilder).
 # Copyright 2013, Daniel Vaz Gaspar
-from typing import TYPE_CHECKING
-
 from flask import current_app, g
 from flask_appbuilder import Model
 from sqlalchemy import (
@@ -45,12 +43,6 @@ from sqlalchemy.orm import Mapped, backref, declared_attr, relationship
 from airflow.api_fastapi.auth.managers.models.base_user import BaseUser
 from airflow.providers.common.compat.sqlalchemy.orm import mapped_column
 
-if TYPE_CHECKING:
-    try:
-        from sqlalchemy import Identity
-    except Exception:
-        Identity = None
-
 """
 Compatibility note: The models in this file are duplicated from Flask AppBuilder.
 """
@@ -157,6 +149,9 @@ class Resource(Model):
     def __eq__(self, other):
         return (isinstance(other, self.__class__)) and (self.name == other.name)
 
+    def __hash__(self):
+        return hash((self.id, self.name))
+
     def __neq__(self, other):
         return self.name != other.name
 

airflow/providers/fab/auth_manager/models/db.py

@@ -21,7 +21,7 @@ from pathlib import Path
 from flask_appbuilder import Model
 
 from airflow import settings
-from airflow.exceptions import AirflowException
+from airflow.providers.common.compat.sdk import AirflowException
 from airflow.utils.db import _offline_migration, print_happy_cat
 from airflow.utils.db_manager import BaseDBManager
 

airflow/providers/fab/auth_manager/security_manager/override.py

@@ -67,7 +67,7 @@ from sqlalchemy.orm import joinedload
 from werkzeug.security import check_password_hash, generate_password_hash
 
 from airflow.configuration import conf
-from airflow.exceptions import AirflowException
+from airflow.providers.common.compat.sdk import AirflowException
 from airflow.providers.fab.auth_manager.models import (
     Action,
     Group,
@@ -124,11 +124,17 @@ if AIRFLOW_V_3_1_PLUS:
         with create_session() as session:
             yield from DBDagBag().iter_all_latest_version_dags(session=session)
 else:
-    from airflow.models.dagbag import DagBag  # type: ignore[attr-defined, no-redef]
+    try:
+        from airflow.models.dagbag import DagBag
+    except (ImportError, AttributeError):
+        DagBag = None
 
     def _iter_dags() -> Iterable[DAG | SerializedDAG]:
-        dagbag = DagBag(read_dags_from_db=True)  # type: ignore[call-arg]
-        dagbag.collect_dags_from_db()  # type: ignore[attr-defined]
+        if DagBag is None:
+            return []
+        dagbag = DagBag(read_dags_from_db=True)
+        if hasattr(dagbag, "collect_dags_from_db"):
+            dagbag.collect_dags_from_db()
         return dagbag.dags.values()
 
 
@@ -727,6 +733,10 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         """The JMESPATH role to use for user registration."""
         return current_app.config["AUTH_USER_REGISTRATION_ROLE_JMESPATH"]
 
+    @property
+    def auth_remote_user_env_var(self) -> str:
+        return current_app.config["AUTH_REMOTE_USER_ENV_VAR"]
+
     @property
     def auth_username_ci(self):
         """Get the auth username for CI."""
@@ -1039,7 +1049,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                             self.remove_permission_from_role(role, perm)
 
         # Adding the access control permissions
-        for rolename, resource_actions in access_control.items():
+        for rolename, resource_actions_raw in access_control.items():
             role = self.find_role(rolename)
             if not role:
                 raise AirflowException(
@@ -1047,9 +1057,12 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                     f"'{rolename}', but that role does not exist"
                 )
 
-            if not isinstance(resource_actions, dict):
-                # Support for old-style access_control where only the actions are specified
-                resource_actions = {permissions.RESOURCE_DAG: set(resource_actions)}
+            # Support for old-style access_control where only the actions are specified
+            resource_actions = (
+                resource_actions_raw
+                if isinstance(resource_actions_raw, dict)
+                else {permissions.RESOURCE_DAG: set(resource_actions_raw)}
+            )
 
             for resource_name, actions in resource_actions.items():
                 if resource_name not in self.RESOURCE_DETAILS_MAP:
@@ -1643,7 +1656,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             return perm
         resource = self.create_resource(resource_name)
         if resource is None:
-            log.error(const.LOGMSG_ERR_SEC_ADD_PERMVIEW, f"Resource creation failed {resource_name}")
+            log.error(const.LOGMSG_ERR_SEC_ADD_PERMVIEW, "Resource creation failed %s", resource_name)
             return None
         action = self.create_action(action_name)
         perm = self.permission_model()
@@ -2204,6 +2217,36 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
         # decode - if empty string, default to fallback, otherwise take first element
         return raw_value[0].decode("utf-8") or fallback
 
+    def auth_user_remote_user(self, username):
+        """
+        REMOTE_USER user Authentication.
+
+        :param username: user's username for remote auth
+        """
+        user = self.find_user(username=username)
+
+        # User does not exist, create one if auto user registration.
+        if user is None and self.auth_user_registration:
+            user = self.add_user(
+                # All we have is REMOTE_USER, so we set
+                # the other fields to blank.
+                username=username,
+                first_name=username,
+                last_name="-",
+                email=username + "@email.notfound",
+                role=self.find_role(self.auth_user_registration_role),
+            )
+
+        # If user does not exist on the DB and not auto user registration,
+        # or user is inactive, go away.
+        elif user is None or (not user.is_active):
+            log.info(LOGMSG_WAR_SEC_LOGIN_FAILED, username)
+            return None
+
+        self._rotate_session_id()
+        self.update_user_auth_stat(user)
+        return user
+
     """
     ---------------
     Private methods