hterik commented on issue #34718:
URL: https://github.com/apache/airflow/issues/34718#issuecomment-1768267614

   Thanks a lot @troxil, this solution is a good step in the right direction.
   I've found a few rough edges though.
   
   1. This should be documented on https://airflow.apache.org/docs/apache-airflow/2.7.1/security/access-control.html
   
       There is some info on https://airflow.apache.org/docs/apache-airflow/2.7.1/security/webserver.html#web-authentication, I think the first page should link to the second at least.
   
   2. *Removing* permissions from `ROLE_CONFIG` does not sync to the database. `AirflowSecurityManager.bulk_sync_roles` only *creates* missing permissions, it does not remove excessive permissions that no longer exist in `ROLE_CONFIG`.
   
   3. Modifying the default `USER_PERMISSION` when inheriting `AirflowSecurityManager` is not possible by just modifying the array, because the `ROLE_CONFIGS` is created in the class constructor. The only solution was copying or mutating the entire `ROLE_CONFIG` after it has been populated with `USER_PERMISSION` etc.
       I came up with the solution below to solve it.
   
   Example:
   ```py
   import copy
   
   # Import paths as of Airflow 2.7.x
   from airflow.security import permissions
   from airflow.www.security import AirflowSecurityManager
   
   RolePermission = tuple[str, str]
   
   def mutate_role_configs(original_role_configs: list[dict[str, str | list[RolePermission]]],
                           rolename: str,
                           *,
                           adds: list[RolePermission],
                           removes: list[RolePermission]):
       # Work on a deep copy so the parent class's ROLE_CONFIGS is left untouched.
       new_role_configs = copy.deepcopy(original_role_configs)
   
       for rc in new_role_configs:
           if rc["role"] != rolename:
               continue
           for r in removes:
               # list.remove raises ValueError if the permission is not present.
               rc["perms"].remove(r)
           rc["perms"].extend(adds)
           return new_role_configs
   
       raise Exception(f"Did not find role matching name {rolename}")
   
   
   class MySecurityManager(AirflowSecurityManager):
       # USER_CONFIG = ..... can not be set because ROLE_CONFIGS in parent
       # class already created
   
       ROLE_CONFIGS = mutate_role_configs(AirflowSecurityManager.ROLE_CONFIGS,
                                          "User",
                                          adds=[],
                                          removes=[
                                              (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_DAG)
                                          ])
   
   
   SECURITY_MANAGER_CLASS = MySecurityManager
   ```
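
Added example, not part of hterik's comment and not Airflow code: a small model of the create-only sync described in point 2, plus an audit that lists permissions still stored for a role after they were removed from the role configuration. The function names, the in-memory `db` mapping and the sample permissions are constructed for illustration; the config shape (`role`/`perms`) follows the snippet above.

```python
from __future__ import annotations

Perm = tuple[str, str]  # (action, resource)


def create_only_sync(role_configs: list[dict], db: dict[str, set[Perm]]) -> None:
    """Simplified model of the behaviour described in point 2:
    permissions missing from the store are added, nothing is ever deleted."""
    for rc in role_configs:
        db.setdefault(rc["role"], set()).update(rc["perms"])


def audit_role_drift(role_configs: list[dict], db: dict[str, set[Perm]]) -> dict:
    """Compare stored permissions with the configured ones.

    Only roles named in role_configs are checked, so roles created by hand
    in the UI are not flagged. Returns {role: {"excess": [...], "missing": [...]}}
    for every configured role whose stored permissions differ.
    """
    report = {}
    for rc in role_configs:
        wanted = set(rc["perms"])
        actual = db.get(rc["role"], set())
        excess, missing = actual - wanted, wanted - actual
        if excess or missing:
            report[rc["role"]] = {"excess": sorted(excess), "missing": sorted(missing)}
    return report


def demo() -> dict:
    # Constructed sample data: "User" initially may delete DAGs.
    db: dict[str, set[Perm]] = {}
    v1 = [{"role": "User", "perms": [("can_read", "DAGs"), ("can_edit", "DAGs"),
                                     ("can_delete", "DAGs")]}]
    create_only_sync(v1, db)

    # The delete permission is dropped from the config and the sync runs again.
    v2 = [{"role": "User", "perms": [("can_read", "DAGs"), ("can_edit", "DAGs")]}]
    create_only_sync(v2, db)

    # The stored role still carries can_delete; the audit reports it as excess.
    return audit_role_drift(v2, db)


if __name__ == "__main__":
    print(demo())
```
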

