hterik commented on issue #34718: URL: https://github.com/apache/airflow/issues/34718#issuecomment-1768267614
Thanks a lot @troxil, this solution is a good step in the right direction. I've found a few rough edges though.

1. This should be documented on https://airflow.apache.org/docs/apache-airflow/2.7.1/security/access-control.html There is some info on https://airflow.apache.org/docs/apache-airflow/2.7.1/security/webserver.html#web-authentication, I think the first page should link to the second at least.
2. *Removing* permissions from `ROLE_CONFIG` does not sync to the database. `AirflowSecurityManager.bulk_sync_roles` only *creates* missing permissions, it does not remove excessive permissions that no longer exist in `ROLE_CONFIG`.
3. Modifying the default `USER_PERMISSION` when inheriting `AirflowSecurityManager` is not possible by just modifying the array, because the `ROLE_CONFIGS` is created in the class constructor. The only solution was copying or mutating the entire `ROLE_CONFIG` after it has been populated with `USER_PERMISSION` etc.

I came up with the solution below to solve it.

Example:

```py
from __future__ import annotations

import copy

from airflow.security import permissions
from airflow.www.security import AirflowSecurityManager

RolePermission = tuple[str, str]


def mutate_role_configs(original_role_configs: list[dict[str, str | list[RolePermission]]],
                        rolename: str, *,
                        adds: list[RolePermission], removes: list[RolePermission]):
    # Work on a deep copy so the parent class's ROLE_CONFIGS stays untouched
    new_role_configs = copy.deepcopy(original_role_configs)
    for rc in new_role_configs:
        if rc["role"] != rolename:
            continue
        for r in removes:
            rc["perms"].remove(r)
        rc["perms"].extend(adds)
        return new_role_configs
    raise Exception(f"Did not find role matching name {rolename}")


class MySecurityManager(AirflowSecurityManager):
    # USER_CONFIG = ..... can not be set because ROLE_CONFIGS in parent class already created
    ROLE_CONFIGS = mutate_role_configs(AirflowSecurityManager.ROLE_CONFIGS, "User", adds=[], removes=[
        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_DAG)
    ])


SECURITY_MANAGER_CLASS = MySecurityManager
```
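An added example, not part of the comment above and not Airflow's own code: one way to close the gap from point 2 by revoking permissions that a role still holds in the database but that `ROLE_CONFIGS` no longer lists. It assumes the security manager exposes `find_role` and `remove_permission_from_role`, and that permission rows carry `.action.name` and `.resource.name`; `FakeSecurityManager`, `perm`, `demo` and the sample data are constructed stand-ins so the block runs without Airflow.

```python
from types import SimpleNamespace


def prune_role_permissions(sm, role_configs, *, skip=("Admin",), dry_run=True):
    """Return {role: [(action, resource), ...]} held in the DB but absent from
    role_configs, and revoke those permissions unless dry_run is set.

    Roles in `skip` are left alone (assumption: Admin is granted everything by
    a separate sync step, so pruning it would only be undone)."""
    stale = {}
    for rc in role_configs:
        if rc["role"] in skip:
            continue
        role = sm.find_role(rc["role"])
        if role is None:  # role not created yet, nothing to prune
            continue
        wanted = set(rc["perms"])
        extra = [p for p in list(role.permissions)
                 if (p.action.name, p.resource.name) not in wanted]
        if not extra:
            continue
        stale[rc["role"]] = sorted((p.action.name, p.resource.name) for p in extra)
        if not dry_run:
            for p in extra:
                sm.remove_permission_from_role(role, p)
    return stale


class FakeSecurityManager:
    """Constructed stand-in for the security manager (not Airflow code)."""
    def __init__(self, roles):
        self.roles = roles

    def find_role(self, name):
        return self.roles.get(name)

    def remove_permission_from_role(self, role, permission):
        role.permissions.remove(permission)


def perm(action, resource):
    """Build a constructed permission row with the assumed attribute layout."""
    return SimpleNamespace(action=SimpleNamespace(name=action),
                           resource=SimpleNamespace(name=resource))


def demo():
    # Constructed state: the DB still grants can_delete on DAGs to "User"
    user = SimpleNamespace(permissions=[perm("can_read", "DAGs"), perm("can_delete", "DAGs")])
    sm = FakeSecurityManager({"User": user})
    config = [{"role": "User", "perms": [("can_read", "DAGs")]}]
    report = prune_role_permissions(sm, config, dry_run=False)
    return report, [(p.action.name, p.resource.name) for p in user.permissions]
```

Run it with `dry_run=True` first and review the returned mapping before letting it revoke anything; roles that are not named in `ROLE_CONFIGS` are never touched.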