Re: [PR] Create HITL specific permission for core-API [airflow]

Sat, 02 Aug 2025 20:06:52 -0700 


sjyangkevin commented on code in PR #54043:
URL: https://github.com/apache/airflow/pull/54043#discussion_r2249501666


##########
providers/fab/src/airflow/providers/fab/auth_manager/fab_auth_manager.py:
##########
@@ -340,14 +342,30 @@ def is_authorized_dag(
             method=dag_method, details=details, user=user
         ):
             return False
-
+        
+        # return all(
+        #     (
+        #         self._is_authorized(method=method, 
resource_type=resource_type, user=user)
+        #         if resource_type != RESOURCE_DAG_RUN or not 
hasattr(permissions, "resource_name")
+        #         else self._is_authorized_dag_run(method=method, 
details=details, user=user)
+        #     )
+        #     for resource_type in resource_types
+        # )
+
+        # if Airflow version is less than 3.1.0 and the resource type is 
RESOURCE_HITL_DETAIL, skip.
         return all(
             (
-                self._is_authorized(method=method, 
resource_type=resource_type, user=user)
-                if resource_type != RESOURCE_DAG_RUN or not 
hasattr(permissions, "resource_name")
-                else self._is_authorized_dag_run(method=method, 
details=details, user=user)
-            )
-            for resource_type in resource_types
+                True
+                if (
+                    resource_type == RESOURCE_HITL_DETAIL
+                    and 
packaging.version.parse(packaging.version.parse(airflow_version).base_version) 
< packaging.version.parse("3.1.0")

Review Comment:
   I want to ask a follow up question regarding making it for 3.1.0 only. I 
follow the approach to create a `DagAccessEntity.HITL_DETAIL` and reuse the 
existing `requires_access_dag` that invokes the `is_authorized_dag`. Then, I 
created a `resource_type` called `RESOURCE_HITL_DETAIL` which can be used to 
configure user's access to HITL endpoints.
   
   If the access control for this new permission is only available in 3.1.0, 
should we only make the definitions of the resource type or the DAG access 
entity available only in 3.1.0? Or the definitions of these can exist for all 
versions, `is_authorized_dag` only take care of it in 3.1.0.
   
   Probably will be helpful if I could understand more context about why this 
need to be 3.1.0 only. Thanks!
   
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to