jedcunningham commented on code in PR #34349:
URL: https://github.com/apache/airflow/pull/34349#discussion_r1348918078
##########
airflow/auth/managers/base_auth_manager.py:
##########
@@ -50,6 +50,10 @@ def get_cli_commands() -> list[CLICommand]:
"""
return []
+ def get_api_blueprint(self) -> None | Blueprint:
Review Comment:
We had a chat about this and we've decided to carry on letting blueprints
(and eventually menu items) come directly from the auth manager. It's slightly
cleaner to just let the auth manager expose it directly, plus we avoid the
oddities of plugins.
##########
airflow/api_connexion/endpoints/forward_to_fab_endpoint.py:
##########
@@ -0,0 +1,126 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+import warnings
+from typing import TYPE_CHECKING
+
+from airflow.api_connexion.exceptions import BadRequest
+from airflow.auth.managers.fab.api_endpoints import
role_and_permission_endpoint, user_endpoint
+from airflow.www.extensions.init_auth_manager import get_auth_manager
+
+if TYPE_CHECKING:
+ from typing import Callable
+
+ from airflow.api_connexion.types import APIResponse
+
+
+def _require_fab(func: Callable) -> Callable:
+ """
+ Raise an HTTP error 400 if the provider is not FAB.
Review Comment:
```suggestion
Raise an HTTP error 400 if the auth manager is not FAB.
```
##########
airflow/www/extensions/init_views.py:
##########
@@ -308,5 +318,16 @@ def init_api_experimental(app):
"The authenticated user has full access.",
RemovedInAirflow3Warning,
)
+ base_paths.append("/api/experimental")
app.register_blueprint(endpoints.api_experimental,
url_prefix="/api/experimental")
app.extensions["csrf"].exempt(endpoints.api_experimental)
+
+
+def init_api_auth_provider(app):
+ """Initialize the API offered by the auth manager."""
+ auth_mgr = get_auth_manager()
+ blueprint = auth_mgr.get_api_blueprint()
+ if blueprint is not None:
+ base_paths.append(blueprint.url_prefix)
+ app.register_blueprint(blueprint)
+ app.extensions["csrf"].exempt(blueprint)
Review Comment:
Hmm, this doesn't seem right to me. Surely we want csrf protection?
##########
airflow/auth/managers/fab/openapi/v1.yaml:
##########
@@ -0,0 +1,712 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
+openapi: 3.0.3
+
+info:
+ title: "Flask App Builder User & Role API"
+
+ version: '1.0.0'
+ license:
+ name: Apache 2.0
+ url: http://www.apache.org/licenses/LICENSE-2.0.html
+ contact:
+ name: Apache Software Foundation
+ url: https://airflow.apache.org
+ email: d...@airflow.apache.org
+
+paths:
+ /roles:
+ get:
+ summary: List roles
+ description: |
+ Get a list of roles.
+
+ *New in version 2.1.0*
Review Comment:
Should this be 2.8?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
