airflow.providers.fab.auth_manager.fab_auth_manager¶

Classes¶

FabAuthManager

Flask-AppBuilder auth manager.

Functions¶

get_parser()

Generate documentation; used by Sphinx argparse.

Module Contents¶

class airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager(context=None)[source]¶

Bases: airflow.auth.managers.base_auth_manager.BaseAuthManager[airflow.providers.fab.auth_manager.models.User]

Flask-AppBuilder auth manager.

This auth manager is responsible for providing a backward compatible user management experience to users.

appbuilder: airflow.providers.fab.www.extensions.init_appbuilder.AirflowAppBuilder | None = None[source]¶

init()[source]¶

Run operations when Airflow is initializing.

static get_cli_commands()[source]¶

Vends CLI commands to be included in Airflow CLI.

get_fastapi_app()[source]¶

Specify a sub FastAPI application specific to the auth manager.

This sub application, if specified, is mounted in the main FastAPI application.

get_api_endpoints()[source]¶

Return API endpoint(s) definition for the auth manager.

get_user_display_name()[source]¶

Return the user’s display name associated to the user in session.

get_user()[source]¶

Return the user associated to the user in session.

Attempt to find the current user in g.user, as defined by the kerberos authentication backend. If no such user is found, return the current_user local proxy object, linked to the user session.

deserialize_user(token)[source]¶

Create a user object from dict.

serialize_user(user)[source]¶

Create a dict from a user object.

is_logged_in()[source]¶

Return whether the user is logged in.

is_authorized_configuration(*, method, user, details=None)[source]¶

Return whether the user is authorized to perform a given action on configuration.

Parameters:

method (airflow.auth.managers.base_auth_manager.ResourceMethod) – the method to perform
user (airflow.providers.fab.auth_manager.models.User) – the user to perform the action on
details (airflow.auth.managers.models.resource_details.ConfigurationDetails | None) – optional details about the configuration

is_authorized_connection(*, method, user, details=None)[source]¶

Return whether the user is authorized to perform a given action on a connection.

Parameters:

method (airflow.auth.managers.base_auth_manager.ResourceMethod) – the method to perform
user (airflow.providers.fab.auth_manager.models.User) – the user to perform the action on
details (airflow.auth.managers.models.resource_details.ConnectionDetails | None) – optional details about the connection

is_authorized_dag(*, method, user, access_entity=None, details=None)[source]¶

Return whether the user is authorized to access the dag.

There are multiple scenarios:

1. dag_access is not provided which means the user wants to access the DAG itself and not a sub entity (e.g. DAG runs). 2. dag_access is provided which means the user wants to access a sub entity of the DAG (e.g. DAG runs).

If method is GET, then check the user has READ permissions on the DAG and the sub entity.

Else, check the user has EDIT permissions on the DAG and method on the sub entity. However,
if no specific DAG is targeted, just check the sub entity.

Parameters:

method (airflow.auth.managers.base_auth_manager.ResourceMethod) – The method to authorize.
user (airflow.providers.fab.auth_manager.models.User) – The user.
access_entity (airflow.auth.managers.models.resource_details.DagAccessEntity | None) – The dag access entity.
details (airflow.auth.managers.models.resource_details.DagDetails | None) – The dag details.

is_authorized_asset(*, method, user, details=None)[source]¶

Return whether the user is authorized to perform a given action on an asset.

Parameters:

method (airflow.auth.managers.base_auth_manager.ResourceMethod) – the method to perform
user (airflow.providers.fab.auth_manager.models.User) – the user to perform the action on
details (airflow.providers.common.compat.assets.AssetDetails | None) – optional details about the asset

is_authorized_pool(*, method, user, details=None)[source]¶

Return whether the user is authorized to perform a given action on a pool.

Parameters:

method (airflow.auth.managers.base_auth_manager.ResourceMethod) – the method to perform
user (airflow.providers.fab.auth_manager.models.User) – the user to perform the action on
details (airflow.auth.managers.models.resource_details.PoolDetails | None) – optional details about the pool

is_authorized_variable(*, method, user, details=None)[source]¶

Return whether the user is authorized to perform a given action on a variable.

Parameters:

method (airflow.auth.managers.base_auth_manager.ResourceMethod) – the method to perform
user (airflow.providers.fab.auth_manager.models.User) – the user to perform the action on
details (airflow.auth.managers.models.resource_details.VariableDetails | None) – optional details about the variable

is_authorized_view(*, access_view, user)[source]¶

Return whether the user is authorized to access a read-only state of the installation.

Parameters:

access_view (airflow.auth.managers.models.resource_details.AccessView) – the specific read-only view/state the authorization request is about.
user (airflow.providers.fab.auth_manager.models.User) – the user to perform the action on

is_authorized_custom_view(*, method, resource_name, user)[source]¶

Return whether the user is authorized to perform a given action on a custom view.

A custom view can be a view defined as part of the auth manager. This view is then only available when the auth manager is used as part of the environment. It can also be a view defined as part of a plugin defined by a user.

Parameters:

method (airflow.auth.managers.base_auth_manager.ResourceMethod | str) – the method to perform. The method can also be a string if the action has been defined in a plugin. In that case, the action can be anything (e.g. can_do). See https://github.com/apache/airflow/issues/39144
resource_name (str) – the name of the resource
user (airflow.providers.fab.auth_manager.models.User) – the user to perform the action on

get_permitted_dag_ids(*, user, methods=None, session=NEW_SESSION)[source]¶

Get readable or writable DAGs for user.

By default, reads all the DAGs and check individually if the user has permissions to access the DAG. Can lead to some poor performance. It is recommended to override this method in the auth manager implementation to provide a more efficient implementation.

Parameters:

user (airflow.providers.fab.auth_manager.models.User) – the user
methods (collections.abc.Container[airflow.auth.managers.base_auth_manager.ResourceMethod] | None) – whether filter readable or writable
session (sqlalchemy.orm.Session) – the session

filter_permitted_menu_items(menu_items)[source]¶

Filter menu items based on user permissions.

Parameters:: menu_items (list[flask_appbuilder.menu.MenuItem]) – list of all menu items

property security_manager: airflow.providers.fab.auth_manager.security_manager.override.FabAirflowSecurityManagerOverride[source]¶

Return the security manager specific to FAB.

get_url_login(**kwargs)[source]¶

Return the login page url.

get_url_logout()[source]¶: Return the logout page url.

get_url_user_profile()[source]¶

Return the url to a page displaying info about the current user.

register_views()[source]¶

Register views specific to the auth manager.

airflow.providers.fab.auth_manager.fab_auth_manager.get_parser()[source]¶

Generate documentation; used by Sphinx argparse.