apache-airflow-providers-fab 3.1.1rc1__py3-none-any.whl → 3.2.0rc1__py3-none-any.whl

airflow/providers/fab/auth_manager/api_fastapi/routes/users.py

@@ -0,0 +1,133 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from fastapi import Depends, Path, Query, status
+
+from airflow.api_fastapi.common.router import AirflowRouter
+from airflow.api_fastapi.core_api.openapi.exceptions import create_openapi_http_exception_doc
+from airflow.providers.fab.auth_manager.api_fastapi.datamodels.users import (
+    UserBody,
+    UserCollectionResponse,
+    UserPatchBody,
+    UserResponse,
+)
+from airflow.providers.fab.auth_manager.api_fastapi.parameters import get_effective_limit
+from airflow.providers.fab.auth_manager.api_fastapi.security import requires_fab_custom_view
+from airflow.providers.fab.auth_manager.api_fastapi.services.users import FABAuthManagerUsers
+from airflow.providers.fab.auth_manager.cli_commands.utils import get_application_builder
+from airflow.providers.fab.www.security import permissions
+
+users_router = AirflowRouter(prefix="/fab/v1", tags=["FabAuthManager"])
+
+
+@users_router.post(
+    "/users",
+    responses=create_openapi_http_exception_doc(
+        [
+            status.HTTP_400_BAD_REQUEST,
+            status.HTTP_401_UNAUTHORIZED,
+            status.HTTP_403_FORBIDDEN,
+            status.HTTP_409_CONFLICT,
+            status.HTTP_500_INTERNAL_SERVER_ERROR,
+        ]
+    ),
+    dependencies=[Depends(requires_fab_custom_view("POST", permissions.RESOURCE_USER))],
+)
+def create_user(body: UserBody) -> UserResponse:
+    with get_application_builder():
+        return FABAuthManagerUsers.create_user(body=body)
+
+
+@users_router.get(
+    "/users",
+    response_model=UserCollectionResponse,
+    responses=create_openapi_http_exception_doc(
+        [
+            status.HTTP_400_BAD_REQUEST,
+            status.HTTP_401_UNAUTHORIZED,
+            status.HTTP_403_FORBIDDEN,
+        ]
+    ),
+    dependencies=[Depends(requires_fab_custom_view("GET", permissions.RESOURCE_USER))],
+)
+def get_users(
+    order_by: str = Query("id", description="Field to order by. Prefix with '-' for descending."),
+    limit: int = Depends(get_effective_limit()),
+    offset: int = Query(0, ge=0, description="Number of items to skip before starting to collect results."),
+) -> UserCollectionResponse:
+    """List users with pagination and ordering."""
+    with get_application_builder():
+        return FABAuthManagerUsers.get_users(order_by=order_by, limit=limit, offset=offset)
+
+
+@users_router.get(
+    "/users/{username}",
+    responses=create_openapi_http_exception_doc(
+        [
+            status.HTTP_401_UNAUTHORIZED,
+            status.HTTP_403_FORBIDDEN,
+            status.HTTP_404_NOT_FOUND,
+        ]
+    ),
+    dependencies=[Depends(requires_fab_custom_view("GET", permissions.RESOURCE_USER))],
+)
+def get_user(username: str = Path(..., min_length=1)) -> UserResponse:
+    """Get a user by username."""
+    with get_application_builder():
+        return FABAuthManagerUsers.get_user(username=username)
+
+
+@users_router.patch(
+    "/users/{username}",
+    responses=create_openapi_http_exception_doc(
+        [
+            status.HTTP_400_BAD_REQUEST,
+            status.HTTP_401_UNAUTHORIZED,
+            status.HTTP_403_FORBIDDEN,
+            status.HTTP_404_NOT_FOUND,
+            status.HTTP_409_CONFLICT,
+        ]
+    ),
+    dependencies=[Depends(requires_fab_custom_view("PUT", permissions.RESOURCE_USER))],
+)
+def update_user(
+    body: UserPatchBody,
+    username: str = Path(..., min_length=1),
+    update_mask: str | None = Query(None, description="Comma-separated list of fields to update"),
+) -> UserResponse:
+    """Update an existing user."""
+    with get_application_builder():
+        return FABAuthManagerUsers.update_user(username=username, body=body, update_mask=update_mask)
+
+
+@users_router.delete(
+    "/users/{username}",
+    status_code=status.HTTP_204_NO_CONTENT,
+    responses=create_openapi_http_exception_doc(
+        [
+            status.HTTP_401_UNAUTHORIZED,
+            status.HTTP_403_FORBIDDEN,
+            status.HTTP_404_NOT_FOUND,
+        ]
+    ),
+    dependencies=[Depends(requires_fab_custom_view("DELETE", permissions.RESOURCE_USER))],
+)
+def delete_user(username: str = Path(..., min_length=1)):
+    """Delete a user by username."""
+    with get_application_builder():
+        FABAuthManagerUsers.delete_user(username=username)

airflow/providers/fab/auth_manager/api_fastapi/services/login.py

@@ -18,8 +18,7 @@ from __future__ import annotations
 
 from typing import Any
 
-from starlette import status
-from starlette.exceptions import HTTPException
+from fastapi import HTTPException, status
 
 from airflow.configuration import conf
 from airflow.providers.fab.auth_manager.api_fastapi.datamodels.login import LoginResponse

airflow/providers/fab/auth_manager/api_fastapi/services/users.py

@@ -0,0 +1,219 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from fastapi import HTTPException, status
+from sqlalchemy import func, select
+from werkzeug.security import generate_password_hash
+
+from airflow.providers.fab.auth_manager.api_fastapi.datamodels.roles import Role
+from airflow.providers.fab.auth_manager.api_fastapi.datamodels.users import (
+    UserBody,
+    UserCollectionResponse,
+    UserPatchBody,
+    UserResponse,
+)
+from airflow.providers.fab.auth_manager.api_fastapi.sorting import build_ordering
+from airflow.providers.fab.auth_manager.models import User
+from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
+from airflow.providers.fab.www.utils import get_fab_auth_manager
+
+
+class FABAuthManagerUsers:
+    """Service layer for FAB Auth Manager user operations."""
+
+    @staticmethod
+    def _resolve_roles(
+        sm: FabAirflowSecurityManagerOverride, role_refs: list[Role] | None
+    ) -> tuple[list, list[str]]:
+        seen = set()
+        roles: list = []
+        missing: list[str] = []
+        for r in role_refs or []:
+            if r.name in seen:
+                continue
+            seen.add(r.name)
+            role = sm.find_role(r.name)
+            (roles if role else missing).append(role or r.name)
+        return roles, missing
+
+    @classmethod
+    def get_user(cls, username: str) -> UserResponse:
+        """Get a user by username."""
+        security_manager = get_fab_auth_manager().security_manager
+        user = security_manager.find_user(username=username)
+        if not user:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=f"The User with username `{username}` was not found",
+            )
+        return UserResponse.model_validate(user)
+
+    @classmethod
+    def get_users(cls, *, order_by: str, limit: int, offset: int) -> UserCollectionResponse:
+        """Get users with pagination and ordering."""
+        security_manager = get_fab_auth_manager().security_manager
+        session = security_manager.session
+
+        total_entries = session.scalars(select(func.count(User.id))).one()
+
+        ordering = build_ordering(
+            order_by,
+            allowed={
+                "id": User.id,
+                "user_id": User.id,
+                "first_name": User.first_name,
+                "last_name": User.last_name,
+                "username": User.username,
+                "email": User.email,
+                "active": User.active,
+            },
+        )
+
+        stmt = select(User).order_by(ordering).offset(offset).limit(limit)
+        users = session.scalars(stmt).unique().all()
+
+        return UserCollectionResponse(
+            users=[UserResponse.model_validate(u) for u in users],
+            total_entries=total_entries,
+        )
+
+    @classmethod
+    def create_user(cls, body: UserBody) -> UserResponse:
+        security_manager = get_fab_auth_manager().security_manager
+
+        existing_username = security_manager.find_user(username=body.username)
+        if existing_username:
+            raise HTTPException(
+                status_code=status.HTTP_409_CONFLICT,
+                detail=f"Username `{body.username}` already exists. Use PATCH to update.",
+            )
+        existing_email = security_manager.find_user(email=body.email)
+        if existing_email:
+            raise HTTPException(
+                status_code=status.HTTP_409_CONFLICT,
+                detail=f"The email `{body.email}` is already taken.",
+            )
+
+        roles_to_add, missing_role_names = cls._resolve_roles(security_manager, body.roles)
+        if missing_role_names:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=f"Unknown roles: {', '.join(repr(n) for n in missing_role_names)}",
+            )
+        if not roles_to_add:
+            default_role = security_manager.find_role(security_manager.auth_user_registration_role)
+            if default_role is None:
+                raise HTTPException(
+                    status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                    detail="Default registration role is not configured or not found.",
+                )
+            roles_to_add.append(default_role)
+
+        created = security_manager.add_user(
+            username=body.username,
+            email=body.email,
+            first_name=body.first_name,
+            last_name=body.last_name,
+            role=roles_to_add,
+            password=body.password.get_secret_value(),
+        )
+        if not created:
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail=f"Failed to add user `{body.username}`",
+            )
+        return UserResponse.model_validate(created)
+
+    @classmethod
+    def update_user(cls, username: str, body: UserPatchBody, update_mask: str | None = None) -> UserResponse:
+        """Update an existing user."""
+        security_manager = get_fab_auth_manager().security_manager
+
+        user = security_manager.find_user(username=username)
+        if user is None:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=f"The User with username `{username}` was not found",
+            )
+
+        if body.username is not None and body.username != username:
+            if security_manager.find_user(username=body.username):
+                raise HTTPException(
+                    status_code=status.HTTP_409_CONFLICT,
+                    detail=f"The username `{body.username}` already exists",
+                )
+
+        if body.email is not None and body.email != user.email:
+            if security_manager.find_user(email=body.email):
+                raise HTTPException(
+                    status_code=status.HTTP_409_CONFLICT,
+                    detail=f"The email `{body.email}` already exists",
+                )
+
+        all_fields = {"username", "email", "first_name", "last_name", "roles", "password"}
+
+        if update_mask is not None:
+            fields_to_update = {f.strip() for f in update_mask.split(",") if f.strip()}
+            invalid_fields = fields_to_update - all_fields
+            if invalid_fields:
+                raise HTTPException(
+                    status_code=status.HTTP_400_BAD_REQUEST,
+                    detail=f"Unknown update masks: {', '.join(repr(f) for f in invalid_fields)}",
+                )
+        else:
+            fields_to_update = all_fields
+
+        if "roles" in fields_to_update and body.roles is not None:
+            roles_to_update, missing_role_names = cls._resolve_roles(security_manager, body.roles)
+            if missing_role_names:
+                raise HTTPException(
+                    status_code=status.HTTP_400_BAD_REQUEST,
+                    detail=f"Unknown roles: {', '.join(repr(n) for n in missing_role_names)}",
+                )
+            user.roles = roles_to_update
+
+        if "password" in fields_to_update and body.password is not None:
+            user.password = generate_password_hash(body.password.get_secret_value())
+
+        if "username" in fields_to_update and body.username is not None:
+            user.username = body.username
+        if "email" in fields_to_update and body.email is not None:
+            user.email = body.email
+        if "first_name" in fields_to_update and body.first_name is not None:
+            user.first_name = body.first_name
+        if "last_name" in fields_to_update and body.last_name is not None:
+            user.last_name = body.last_name
+
+        security_manager.update_user(user)
+        return UserResponse.model_validate(user)
+
+    @classmethod
+    def delete_user(cls, username: str) -> None:
+        """Delete a user by username."""
+        security_manager = get_fab_auth_manager().security_manager
+
+        user = security_manager.find_user(username=username)
+        if user is None:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=f"The User with username `{username}` was not found",
+            )
+
+        user.roles = []
+        security_manager.session.delete(user)
+        security_manager.session.commit()

airflow/providers/fab/auth_manager/cli_commands/db_command.py

@@ -46,5 +46,5 @@ def migratedb(args):
 def downgrade(args):
     """Downgrades the metadata database."""
     session = settings.Session()
-    dwongrade_command = FABDBManager(session).downgrade
-    run_db_downgrade_command(args, dwongrade_command, revision_heads_map=_REVISION_HEADS_MAP)
+    downgrade_command = FABDBManager(session).downgrade
+    run_db_downgrade_command(args, downgrade_command, revision_heads_map=_REVISION_HEADS_MAP)

airflow/providers/fab/auth_manager/cli_commands/user_command.py

@@ -73,7 +73,7 @@ def users_create(args):
             raise SystemExit(f"{args.role} is not a valid role. Valid roles are: {valid_roles}")
         password = _create_password(args)
         if appbuilder.sm.find_user(args.username):
-            print(f"{args.username} already exist in the db")
+            print(f"{args.username} already exists in the db")
             return
         user = appbuilder.sm.add_user(
             args.username, args.firstname, args.lastname, args.email, role, password
@@ -101,7 +101,7 @@ def _find_user(args):
 @cli_utils.action_cli
 @providers_configuration_loaded
 def user_reset_password(args):
-    """Reset user password user from DB."""
+    """Reset user password from DB."""
     user = _find_user(args)
     password = _create_password(args)
     with get_application_builder() as appbuilder:
@@ -143,7 +143,7 @@ def users_delete(args):
 @cli_utils.action_cli
 @providers_configuration_loaded
 def users_manage_role(args, remove=False):
-    """Delete or appends user roles."""
+    """Delete or append user roles."""
     with get_application_builder() as appbuilder:
         user = _find_user(args)
         role = appbuilder.sm.find_role(args.role)

airflow/providers/fab/auth_manager/fab_auth_manager.py

@@ -17,22 +17,20 @@
 # under the License.
 from __future__ import annotations
 
-import argparse
 from functools import cached_property
 from pathlib import Path
 from typing import TYPE_CHECKING, Any
 from urllib.parse import urljoin
 
-import packaging.version
+from cachetools import TTLCache, cachedmethod
 from connexion import FlaskApi
 from fastapi import FastAPI
+from fastapi.middleware.wsgi import WSGIMiddleware
 from flask import Blueprint, current_app, g
 from flask_appbuilder.const import AUTH_LDAP
 from sqlalchemy import select
 from sqlalchemy.orm import Session, joinedload
-from starlette.middleware.wsgi import WSGIMiddleware
 
-from airflow import __version__ as airflow_version
 from airflow.api_fastapi.app import AUTH_MANAGER_FASTAPI_APP_PREFIX
 from airflow.api_fastapi.auth.managers.base_auth_manager import BaseAuthManager
 
@@ -52,21 +50,10 @@ from airflow.api_fastapi.auth.managers.models.resource_details import (
     VariableDetails,
 )
 from airflow.api_fastapi.common.types import ExtraMenuItem, MenuItem
-from airflow.cli.cli_config import (
-    DefaultHelpParser,
-    GroupCommand,
-)
 from airflow.configuration import conf
 from airflow.exceptions import AirflowConfigException
 from airflow.models import Connection, DagModel, Pool, Variable
 from airflow.providers.common.compat.sdk import AirflowException
-from airflow.providers.fab.auth_manager.cli_commands.definition import (
-    DB_COMMANDS,
-    PERMISSIONS_CLEANUP_COMMAND,
-    ROLES_COMMANDS,
-    SYNC_PERM_COMMAND,
-    USERS_COMMANDS,
-)
 from airflow.providers.fab.auth_manager.models import Permission, Role, User
 from airflow.providers.fab.auth_manager.models.anonymous_user import AnonymousUser
 from airflow.providers.fab.version_compat import AIRFLOW_V_3_1_PLUS
@@ -108,7 +95,7 @@ from airflow.providers.fab.www.utils import (
     get_fab_action_from_method_map,
     get_method_from_fab_action_map,
 )
-from airflow.utils.session import NEW_SESSION, create_session, provide_session
+from airflow.utils.session import NEW_SESSION, provide_session
 from airflow.utils.yaml import safe_load
 
 if TYPE_CHECKING:
@@ -175,6 +162,7 @@ _MAP_MENU_ITEM_TO_FAB_RESOURCE_TYPE = {
     MenuItem.XCOMS: RESOURCE_XCOM,
 }
 
+CACHE_TTL = conf.getint("fab", "cache_ttl", fallback=30)
 
 if AIRFLOW_V_3_1_PLUS:
     from airflow.providers.fab.www.security.permissions import RESOURCE_HITL_DETAIL
@@ -190,6 +178,7 @@ class FabAuthManager(BaseAuthManager[User]):
     This auth manager is responsible for providing a backward compatible user management experience to users.
     """
 
+    cache: TTLCache = TTLCache(maxsize=1024, ttl=CACHE_TTL)
     appbuilder: AirflowAppBuilder | None = None
 
     def init_flask_resources(self) -> None:
@@ -202,26 +191,9 @@ class FabAuthManager(BaseAuthManager[User]):
     @staticmethod
     def get_cli_commands() -> list[CLICommand]:
         """Vends CLI commands to be included in Airflow CLI."""
-        commands: list[CLICommand] = [
-            GroupCommand(
-                name="users",
-                help="Manage users",
-                subcommands=USERS_COMMANDS,
-            ),
-            GroupCommand(
-                name="roles",
-                help="Manage roles",
-                subcommands=ROLES_COMMANDS,
-            ),
-            SYNC_PERM_COMMAND,  # not in a command group
-            PERMISSIONS_CLEANUP_COMMAND,  # single command for permissions cleanup
-        ]
-        # If Airflow version is 3.0.0 or higher, add the fab-db command group
-        if packaging.version.parse(
-            packaging.version.parse(airflow_version).base_version
-        ) >= packaging.version.parse("3.0.0"):
-            commands.append(GroupCommand(name="fab-db", help="Manage FAB", subcommands=DB_COMMANDS))
-        return commands
+        from airflow.providers.fab.cli.definition import get_fab_cli_commands
+
+        return get_fab_cli_commands()
 
     def get_fastapi_app(self) -> FastAPI | None:
         """Get the FastAPI app."""
@@ -229,6 +201,7 @@ class FabAuthManager(BaseAuthManager[User]):
             login_router,
         )
         from airflow.providers.fab.auth_manager.api_fastapi.routes.roles import roles_router
+        from airflow.providers.fab.auth_manager.api_fastapi.routes.users import users_router
 
         flask_app = create_app(enable_plugins=False)
 
@@ -245,6 +218,7 @@ class FabAuthManager(BaseAuthManager[User]):
         # Add the login router to the FastAPI app
         app.include_router(login_router)
         app.include_router(roles_router)
+        app.include_router(users_router)
 
         app.mount("/", WSGIMiddleware(flask_app))
 
@@ -284,9 +258,13 @@ class FabAuthManager(BaseAuthManager[User]):
 
         return current_user
 
+    @property
+    def session(self):
+        return self.appbuilder.session
+
+    @cachedmethod(lambda self: self.cache, key=lambda _, token: int(token["sub"]))
     def deserialize_user(self, token: dict[str, Any]) -> User:
-        with create_session() as session:
-            return session.scalars(select(User).where(User.id == int(token["sub"]))).one()
+        return self.session.scalars(select(User).where(User.id == int(token["sub"]))).one()
 
     def serialize_user(self, user: User) -> dict[str, Any]:
         return {"sub": str(user.id)}
@@ -294,13 +272,13 @@ class FabAuthManager(BaseAuthManager[User]):
     def is_logged_in(self) -> bool:
         """Return whether the user is logged in."""
         user = self.get_user()
-        return (
+        return bool(
             self.appbuilder
             and self.appbuilder.app.config.get("AUTH_ROLE_PUBLIC", None)
             or (not user.is_anonymous and user.is_active)
         )
 
-    def create_token(self, headers: dict[str, str], body: dict[str, Any]) -> User:
+    def create_token(self, headers: dict[str, str], body: dict[str, Any]) -> User | None:
         """
         Create a new token from a payload.
 
@@ -760,14 +738,3 @@ class FabAuthManager(BaseAuthManager[User]):
         # delete the old ones.
         if conf.getboolean("fab", "UPDATE_FAB_PERMS"):
             self.security_manager.sync_roles()
-
-
-def get_parser() -> argparse.ArgumentParser:
-    """Generate documentation; used by Sphinx argparse."""
-    from airflow.cli.cli_parser import AirflowHelpFormatter, _add_command
-
-    parser = DefaultHelpParser(prog="airflow", formatter_class=AirflowHelpFormatter)
-    subparsers = parser.add_subparsers(dest="subcommand", metavar="GROUP_OR_COMMAND")
-    for group_command in FabAuthManager.get_cli_commands():
-        _add_command(subparsers, group_command)
-    return parser

airflow/providers/fab/auth_manager/models/__init__.py

@@ -235,14 +235,14 @@ class User(Model, BaseUser):
         Sequence("ab_user_id_seq", start=1, increment=1, minvalue=1, cycle=False),
         primary_key=True,
     )
-    first_name: Mapped[str] = mapped_column(String(64), nullable=False)
-    last_name: Mapped[str] = mapped_column(String(64), nullable=False)
+    first_name: Mapped[str] = mapped_column(String(256), nullable=False)
+    last_name: Mapped[str] = mapped_column(String(256), nullable=False)
     username: Mapped[str] = mapped_column(
         String(512).with_variant(String(512, collation="NOCASE"), "sqlite"), unique=True, nullable=False
     )
     password: Mapped[str | None] = mapped_column(String(256))
     active: Mapped[bool | None] = mapped_column(Boolean, default=True)
-    email: Mapped[str] = mapped_column(String(320), unique=True, nullable=False)
+    email: Mapped[str] = mapped_column(String(512), unique=True, nullable=False)
     last_login: Mapped[datetime.datetime | None] = mapped_column(DateTime, nullable=True)
     login_count: Mapped[int | None] = mapped_column(Integer, nullable=True)
     fail_login_count: Mapped[int | None] = mapped_column(Integer, nullable=True)
@@ -349,13 +349,13 @@ class RegisterUser(Model):
         Sequence("ab_register_user_id_seq", start=1, increment=1, minvalue=1, cycle=False),
         primary_key=True,
     )
-    first_name: Mapped[str] = mapped_column(String(64), nullable=False)
-    last_name: Mapped[str] = mapped_column(String(64), nullable=False)
+    first_name: Mapped[str] = mapped_column(String(256), nullable=False)
+    last_name: Mapped[str] = mapped_column(String(256), nullable=False)
     username: Mapped[str] = mapped_column(
         String(512).with_variant(String(512, collation="NOCASE"), "sqlite"), unique=True, nullable=False
     )
     password: Mapped[str | None] = mapped_column(String(256))
-    email: Mapped[str] = mapped_column(String(320), unique=True, nullable=False)
+    email: Mapped[str] = mapped_column(String(512), unique=True, nullable=False)
     registration_date: Mapped[datetime.datetime | None] = mapped_column(
         DateTime, default=lambda: datetime.datetime.now(), nullable=True
     )