vincbeck commented on PR #34924:
URL: https://github.com/apache/airflow/pull/34924#issuecomment-1768733409

   Multiple answers here :)
   
   > I think we should make it explicit in docs that those authentication backends for the API are available only when FAB auth manager is used. Likely we should also rename/deprecate the configuration option and make it more of "fab_authentication_manage" option - to configure the backends. This should become a configuration option of "FAB" one effectively which backend is used.
   
   I agree. But this one depends on whether we want to move this FAB auth manager to a separate provider. If so, then the configuration will be moved to the provider configuration (nice feature you needed :)). If not, then, as you said, we'll just have to rename these configurations. There is an issue for this one: #32210.
   
   > 
   > There are two things to add (and all this might be part of separate PR I just wanted to make sure that we think about it).
   > 
   > * I understand, that in case of the Auth Manager, it will be possible to implement the authentication for API as part of the auth manager and Auth Manager will handle API authentication ? If so, I think we need to describe it.
   
   The authentication for the AIP has not changed. The authentication check is still [here](https://github.com/apache/airflow/blob/main/airflow/api_connexion/security.py#L45). The only difference being, in case of an auth manager different from FAB, `get_airflow_app().api_auth` will always return the session auth because the others belong to the FAB auth manager (unless the auth manager provides additional ways). I am not sure I replied to your question tho :)
   
   > * In case of UI - it uses API calls using "session" backend and, it should be somewhat independent of the Auth Manager backend - so basically all API calls that have a valid flask session, should be allowed always (this is what has been added at some point in time I believe that we automatically add "session" backend when we did not add it explicitly in the backend configuration, so I think we need to figure out how to approach it for Auth Managers.
   
   I guess by UI you refer to the React UI (not the model views auto generated by FAB, these ones do not use APIs). The way I see it and is done, for UI and API, when the backend receives a request, it checks if the user is logged in using `is_logged_in` API. Are you saying that we should decorrelate UI and API and have a different mechanism?
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
