pierrejeambrun commented on code in PR #48417:
URL: https://github.com/apache/airflow/pull/48417#discussion_r2017032997
##########
airflow-core/docs/core-concepts/auth-manager/index.rst:
##########
@@ -147,6 +129,29 @@ These authorization methods are:
* ``is_authorized_view``: Return whether the user is authorized to access a
specific view in Airflow. The view is specified through ``access_view`` (e.g.
``AccessView.CLUSTER_ACTIVITY``).
* ``is_authorized_custom_view``: Return whether the user is authorized to
access a specific view not defined in Airflow. This view can be provided by the
auth manager itself or a plugin defined by the user.
+JWT token management by auth managers
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+The auth manager is responsible of creating the JWT token needed to interact
with Airflow public API.
Review Comment:
Nit
```suggestion
The auth manager is responsible for creating the JWT token needed to
interact with Airflow public API.
```
##########
airflow-core/docs/core-concepts/auth-manager/index.rst:
##########
@@ -147,6 +129,29 @@ These authorization methods are:
* ``is_authorized_view``: Return whether the user is authorized to access a
specific view in Airflow. The view is specified through ``access_view`` (e.g.
``AccessView.CLUSTER_ACTIVITY``).
* ``is_authorized_custom_view``: Return whether the user is authorized to
access a specific view not defined in Airflow. This view can be provided by the
auth manager itself or a plugin defined by the user.
+JWT token management by auth managers
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+The auth manager is responsible of creating the JWT token needed to interact
with Airflow public API.
+To achieve this, the auth manager **must** provide an endpoint to create this
JWT token. This endpoint must be
+available at ``POST /auth/token``
+
+The auth manager is also responsible of passing the JWT token to Airflow UI.
The protocol to exchange the JWT
+token between the auth manager and Airflow UI is using cookies. The auth
manager needs to save the JWT token in a
+cookie named ``_token`` before redirecting to the Airflow UI. The Airflow UI
will then read the cookie, save it and
+delete the cookie.
+
+.. code-block:: python
+
+ from airflow.api_fastapi.auth.managers.base_auth_manager import
COOKIE_NAME_JWT_TOKEN
+
+ response = RedirectResponse(url="/")
+ response.set_cookie(COOKIE_NAME_JWT_TOKEN, token, secure=True)
+ return response
+
+.. note::
+ Do not set the cookie parameter ``httponly`` to ``True``. Airflow UI needs
to access the JWT token from the cookie.
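Review bot: The `.. note::` at the end of this hunk tells implementers to leave `httponly` unset but does not say what bounds the exposure of a script-readable JWT; it should state that the cookie is a one-time handoff which the UI deletes after reading, as the preceding paragraph describes. In the code sample, `RedirectResponse` and `token` are used without being imported or defined, and the prose names the cookie ``_token`` while the code uses `COOKIE_NAME_JWT_TOKEN`, so the literal can drift from the constant. "responsible of" in "The auth manager is also responsible of passing" should read "responsible for", and the sentence ending in ``POST /auth/token`` is missing its period.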
Review Comment:
We need a second note for `secure`. I updated it for FAB but not for others
yet, I'll open a PR for that, but basically it depends if you're running TLS or
not in your cluster.
```python
secure = bool(conf.get("api", "ssl_cert"))
response.set_cookie(COOKIE_NAME_JWT_TOKEN, token, secure=secure)
```
##########
docs/conf.py:
##########
@@ -906,7 +906,6 @@ def filter_ignore(record: logging.LogRecord) -> bool:
"spec": OPENAPI_FILE.as_posix(),
"opts": {
"hide-hostname": True,
- "no-auto-auth": True,
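Review bot: Dropping `"no-auto-auth": True` from `opts` in `docs/conf.py` is not tied to anything in the auth manager documentation changes, and the hunk gives no reason for it. Either move the removal to its own PR or explain in the PR description why the option is no longer needed.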
Review Comment:
This change looks unrelated.
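The `_token` cookie handoff discussed in this review, as an added example that is not part of the PR or of Airflow's code: it builds the `Set-Cookie` value with `Secure` tied to TLS and checks a header against the rules stated in the docs text. The function names and the `tls_enabled` flag (a stand-in for the `bool(conf.get("api", "ssl_cert"))` check in the comment above) are assumptions, and the token value is a constructed placeholder.

```python
from __future__ import annotations

from http.cookies import SimpleCookie

COOKIE_NAME = "_token"  # cookie name given in the docs text under review


def build_token_cookie(token: str, tls_enabled: bool) -> str:
    """Return the Set-Cookie value sent just before redirecting to the UI."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    cookie[COOKIE_NAME]["path"] = "/"
    # Secure only when the API is served over TLS: current browsers refuse to
    # store a Secure cookie received over plain HTTP, so the UI would never
    # see the token.
    cookie[COOKIE_NAME]["secure"] = tls_enabled
    # HttpOnly is deliberately not set: the UI reads the cookie from JavaScript.
    return cookie[COOKIE_NAME].OutputString()


def check_token_cookie(header: str, tls_enabled: bool) -> list[str]:
    """Return the problems found in a Set-Cookie value for the token handoff."""
    parsed = SimpleCookie()
    parsed.load(header)
    if COOKIE_NAME not in parsed:
        return [f"cookie {COOKIE_NAME!r} is missing"]
    morsel = parsed[COOKIE_NAME]
    problems = []
    if morsel["httponly"]:
        problems.append("HttpOnly is set: the UI cannot read the token")
    if morsel["secure"] and not tls_enabled:
        problems.append("Secure is set but TLS is off: the browser drops the cookie")
    if tls_enabled and not morsel["secure"]:
        problems.append("Secure is missing although TLS is on")
    return problems


if __name__ == "__main__":
    sample_token = "aaa.bbb.ccc"  # constructed placeholder, not a real JWT
    for tls in (True, False):
        header = build_token_cookie(sample_token, tls)
        print(tls, header, check_token_cookie(header, tls))
    # A header with both mistakes, on a deployment without TLS.
    print(check_token_cookie("_token=aaa.bbb.ccc; Path=/; Secure; HttpOnly", False))
```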