qaziashikin opened a new pull request, #67987:
URL: https://github.com/apache/airflow/pull/67987

   TLDR: Scoping notebook output reads to project S3 prefix
   
   The hook reads notebook outputs from a fixed bucket-root key:
   ```
       s3://<bucket>/sys/notebooks/<notebook_id>/runs/<run_id>/notebook_outputs.json
   ```
   That works for IAM domains (the bucket has no per-project prefix) but fails closed for IDC domains, whose project role only grants S3 access under the project's own scope:
   ```
       s3:PutObject / s3:GetObject on
           <bucket>/${aws:PrincipalTag/AmazonDataZoneDomain}/
                    ${aws:PrincipalTag/AmazonDataZoneProject}/*
   ```
   The kernel that writes the file is moving to use the project's full ProjectS3Path (`s3://<bucket>/<domain>/<project>/<scope>`) as the prefix, matching the role's allowed key space. Mirror that on the read side here:
   
     - `get_project_s3_path` now returns `(bucket, prefix)`. `prefix` is the path component of the `s3BucketPath` provisioned resource. For IAM domains `prefix` is `""` and behavior is unchanged. For IDC domains `prefix` is `"<domain>/<project>/<scope>"`.
     - `get_notebook_outputs` prepends `prefix` when constructing the output key, so reads target the same path the kernel writes to.
   
   #### Testing
   
   Tested by invoking the DAGs in both IAM and IDC domains.
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   
   - [X] Yes (please specify the tool below)
   
   
   ---


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
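
Added example, not code from the PR or from Airflow: a sketch of the read-side key construction the description above outlines, with a check showing why the bucket-root key falls outside an IDC project role's key space. The function names, the `/` join between prefix and key, and the sample bucket, domain and project values are assumptions.

```python
from urllib.parse import urlsplit

# Relative key layout quoted in the PR description.
OUTPUT_KEY = "sys/notebooks/{notebook_id}/runs/{run_id}/notebook_outputs.json"


def split_project_s3_path(s3_bucket_path: str) -> tuple[str, str]:
    """Split an s3BucketPath value into (bucket, prefix); prefix is "" at bucket root."""
    parts = urlsplit(s3_bucket_path)
    if parts.scheme != "s3" or not parts.netloc:
        raise ValueError(f"not an s3:// path: {s3_bucket_path!r}")
    # Drop empty segments so a trailing slash does not yield "a/b//sys/...".
    segments = [s for s in parts.path.split("/") if s]
    return parts.netloc, "/".join(segments)


def notebook_output_key(prefix: str, notebook_id: str, run_id: str) -> str:
    """Build the object key, prepending the project prefix when there is one."""
    for name, value in (("notebook_id", notebook_id), ("run_id", run_id)):
        # A "/" inside an id would silently change which key is read.
        if not value or "/" in value:
            raise ValueError(f"{name} must be a single non-empty path segment")
    key = OUTPUT_KEY.format(notebook_id=notebook_id, run_id=run_id)
    return f"{prefix}/{key}" if prefix else key


def key_within_project_scope(key: str, domain: str, project: str) -> bool:
    """Mirror the role's resource pattern <bucket>/<domain>/<project>/* for one key."""
    return key.startswith(f"{domain}/{project}/")


if __name__ == "__main__":
    # Constructed sample values, not taken from the PR.
    samples = {
        "IAM": "s3://example-bucket",
        "IDC": "s3://example-bucket/dzd_example/proj_example/dev",
    }
    for kind, path in samples.items():
        bucket, prefix = split_project_s3_path(path)
        key = notebook_output_key(prefix, "nb-1", "run-1")
        allowed = key_within_project_scope(key, "dzd_example", "proj_example")
        print(f"{kind}: s3://{bucket}/{key} in project scope: {allowed}")
```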