Re: [PR] Move methods used only in FAB from security managers to auth manager [airflow]

Wed, 01 Nov 2023 07:31:46 -0700 


ephraimbuddy commented on code in PR #35203:
URL: https://github.com/apache/airflow/pull/35203#discussion_r1378870349


##########
airflow/auth/managers/fab/security_manager/override.py:
##########
@@ -760,6 +764,171 @@ def can_access_some_dags(self, action: str, dag_id: str | 
None = None) -> bool:
             return any(self.get_readable_dag_ids(user))
         return any(self.get_editable_dag_ids(user))
 
+    def get_all_permissions(self) -> set[tuple[str, str]]:
+        """Return all permissions as a set of tuples with the action and 
resource names."""
+        return set(
+            self.appbuilder.get_session.execute(
+                select(self.action_model.name, self.resource_model.name)
+                .join(self.permission_model.action)
+                .join(self.permission_model.resource)
+            )
+        )
+
+    def create_dag_specific_permissions(self) -> None:
+        """
+        Add permissions to all DAGs.
+
+        Creates 'can_read', 'can_edit', and 'can_delete' permissions for all
+        DAGs, along with any `access_control` permissions provided in them.
+
+        This does iterate through ALL the DAGs, which can be slow. See 
`sync_perm_for_dag`
+        if you only need to sync a single DAG.
+
+        :return: None.
+        """
+        perms = self.get_all_permissions()
+        dagbag = DagBag(read_dags_from_db=True)
+        dagbag.collect_dags_from_db()
+        dags = dagbag.dags.values()
+
+        for dag in dags:
+            root_dag_id = dag.parent_dag.dag_id if dag.parent_dag else 
dag.dag_id
+            dag_resource_name = permissions.resource_name_for_dag(root_dag_id)
+            for action_name in self.DAG_ACTIONS:
+                if (action_name, dag_resource_name) not in perms:
+                    self._merge_perm(action_name, dag_resource_name)
+
+            if dag.access_control is not None:
+                self.sync_perm_for_dag(dag_resource_name, dag.access_control)
+
+    def sync_roles(self) -> None:
+        """
+        Initialize default and custom roles with related permissions.
+
+        1. Init the default role(Admin, Viewer, User, Op, public)
+           with related permissions.
+        2. Init the custom role(dag-user) with related permissions.
+
+        :return: None.

Review Comment:
   ```suggestion
   ```
   We should remove this return in other places too since the method is typed



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to