airflow.providers.fab.auth_manager.security_manager.override¶

Attributes¶

`log`
`MAX_NUM_DATABASE_USER_SESSIONS`

Classes¶

FabAirflowSecurityManagerOverride

This security manager overrides the default AirflowSecurityManager security manager.

Module Contents¶

airflow.providers.fab.auth_manager.security_manager.override.log[source]¶

airflow.providers.fab.auth_manager.security_manager.override.MAX_NUM_DATABASE_USER_SESSIONS = 50000[source]¶

class airflow.providers.fab.auth_manager.security_manager.override.FabAirflowSecurityManagerOverride(appbuilder)[source]¶

Bases: airflow.providers.fab.www.security_manager.AirflowSecurityManagerV2

This security manager overrides the default AirflowSecurityManager security manager.

This security manager is used only if the auth manager FabAuthManager is used. It defines everything in the security manager that is needed for the FabAuthManager to work. Any operation specific to the AirflowSecurityManager should be defined here instead of AirflowSecurityManager.

Parameters:: appbuilder – The appbuilder.

auth_view = None[source]¶: The obj instance for authentication view

registeruser_view = None[source]¶: The obj instance for registering user view

user_view = None[source]¶: The obj instance for user view

user_model[source]¶

role_model[source]¶

action_model[source]¶

resource_model[source]¶

permission_model[source]¶: Views

authdbview[source]¶: Override if you want your own Authentication DB view

authldapview[source]¶: Override if you want your own Authentication LDAP view

authoidview[source]¶: Override if you want your own Authentication OID view

authoauthview[source]¶: Override if you want your own Authentication OAuth view

authremoteuserview[source]¶: Override if you want your own Authentication REMOTE_USER view

registeruserdbview[source]¶: Override if you want your own register user db view

registeruseroidview[source]¶: Override if you want your own register user OpenID view

registeruseroauthview[source]¶: Override if you want your own register user OAuth view

actionmodelview[source]¶

permissionmodelview[source]¶

rolemodelview[source]¶

registeruser_model[source]¶

registerusermodelview[source]¶

resourcemodelview[source]¶

userdbmodelview[source]¶

resetmypasswordview[source]¶

resetpasswordview[source]¶

userinfoeditview[source]¶

userldapmodelview[source]¶

useroauthmodelview[source]¶

userremoteusermodelview[source]¶

useroidmodelview[source]¶

userstatschartview[source]¶

jwt_manager = None[source]¶: Flask-JWT-Extended

oauth = None[source]¶

oauth_remotes: dict[str, Any][source]¶: Initialized (remote_app) providers dict {‘provider_name’, OBJ }

oauth_user_info = None[source]¶

oauth_allow_list: dict[str, list][source]¶: OAuth email allow list

DAG_RESOURCES[source]¶

VIEWER_PERMISSIONS[source]¶

USER_PERMISSIONS[source]¶

OP_PERMISSIONS[source]¶

ADMIN_PERMISSIONS[source]¶

ROLE_CONFIGS: list[dict[str, Any]][source]¶

RESOURCE_DETAILS_MAP[source]¶

DAG_ACTIONS[source]¶

appbuilder[source]¶

lm[source]¶

register_views()[source]¶: Register FAB auth manager related views.

property get_session[source]¶

create_login_manager()[source]¶

Create the login manager.

create_jwt_manager()[source]¶: Create the JWT manager.

reset_password(userid, password)[source]¶

Change/Reset a user’s password for auth db.

Password will be hashed and saved.

Parameters:

userid (int) – the user id to reset the password
password (str) – the clear text password to reset and save hashed on the db

reset_user_sessions(user)[source]¶

load_user_jwt(_jwt_header, jwt_data)[source]¶

property auth_type[source]¶: Get the auth type.

property is_auth_limited: bool[source]¶

Is the auth rate limited.

property auth_rate_limit: str[source]¶

Get the auth rate limit.

property auth_role_public[source]¶: Get the public role.

property oauth_providers[source]¶: Oauth providers.

property auth_ldap_tls_cacertdir[source]¶: LDAP TLS CA certificate directory.

property auth_ldap_tls_cacertfile[source]¶: LDAP TLS CA certificate file.

property auth_ldap_tls_certfile[source]¶: LDAP TLS certificate file.

property auth_ldap_tls_keyfile[source]¶: LDAP TLS key file.

property auth_ldap_allow_self_signed[source]¶: LDAP allow self signed.

property auth_ldap_tls_demand[source]¶: LDAP TLS demand.

property auth_ldap_server[source]¶: Get the LDAP server object.

property auth_ldap_use_tls[source]¶: Should LDAP use TLS.

property auth_ldap_bind_user[source]¶: LDAP bind user.

property auth_ldap_bind_password[source]¶: LDAP bind password.

property auth_ldap_search[source]¶: LDAP search object.

property auth_ldap_search_filter[source]¶: LDAP search filter.

property auth_ldap_uid_field[source]¶: LDAP UID field.

property auth_ldap_firstname_field[source]¶: LDAP first name field.

property auth_ldap_lastname_field[source]¶: LDAP last name field.

property auth_ldap_email_field[source]¶: LDAP email field.

property auth_ldap_append_domain[source]¶: LDAP append domain.

property auth_ldap_username_format[source]¶: LDAP username format.

property auth_ldap_group_field: str[source]¶

LDAP group field.

property auth_roles_mapping: dict[str, list[str]][source]¶

The mapping of auth roles.

property auth_username_ci[source]¶: Get the auth username for CI.

property auth_user_registration[source]¶: Will user self registration be allowed.

property auth_user_registration_role[source]¶: The default user self registration role.

property auth_roles_sync_at_login: bool[source]¶

Should roles be synced at login.

property auth_role_admin[source]¶: Get the admin role.

create_builtin_roles()[source]¶: Return FAB builtin roles.

property builtin_roles[source]¶: Get the builtin roles.

create_admin_standalone()[source]¶

Create an Admin user with a random password so that users can access airflow.

create_db()[source]¶

Create the database.

Creates admin and public roles if they don’t exist.

get_all_permissions()[source]¶

Return all permissions as a set of tuples with the action and resource names.

create_dag_specific_permissions()[source]¶

Add permissions to all DAGs.

Creates ‘can_read’, ‘can_edit’, and ‘can_delete’ permissions for all DAGs, along with any access_control permissions provided in them.

This does iterate through ALL the DAGs, which can be slow. See sync_perm_for_dag if you only need to sync a single DAG.

sync_perm_for_dag(dag_id, access_control=None)[source]¶

Sync permissions for given dag id.

The dag id surely exists in our dag bag as only / refresh button or DagBag will call this function.

Parameters:

dag_id (str) – the ID of the DAG whose permissions should be updated
access_control (collections.abc.Mapping[str, collections.abc.Mapping[str, collections.abc.Collection[str]] | collections.abc.Collection[str]] | None) – a dict where each key is a role name and each value can be: - a set() of DAGs resource action names (e.g. {‘can_read’}) - or a dict where each key is a resource name (‘DAGs’ or ‘DAG Runs’) and each value is a set() of action names (e.g., {‘DAG Runs’: {‘can_create’}, ‘DAGs’: {‘can_read’}})

Returns:

Return type:

None

add_permissions_view(base_action_names, resource_name)[source]¶

Add an action on a resource to the backend.

Parameters:

base_action_names –

list of permissions from view (all exposed methods):
’can_add’,’can_edit’ etc…
resource_name – name of the resource to add

add_permissions_menu(resource_name)[source]¶

Add menu_access to resource on permission_resource.

Parameters:: resource_name – The resource name

sync_roles()[source]¶

Initialize default and custom roles with related permissions.

Init the default role(Admin, Viewer, User, Op, public) with related permissions.
Init the custom role(dag-user) with related permissions.

create_perm_vm_for_all_dag()[source]¶

Create perm-vm if not exist and insert into FAB security model for all-dags.

add_homepage_access_to_custom_roles()[source]¶

Add Website.can_read access to all custom roles.

update_admin_permission()[source]¶

Add missing permissions to the table for admin.

Admin should get all the permissions, except the dag permissions because Admin already has Dags permission. Add the missing ones to the table for admin.

clean_perms()[source]¶

FAB leaves faulty permissions that need to be cleaned up.

perms_include_action(perms, action_name)[source]¶

bulk_sync_roles(roles)[source]¶

Sync the provided roles and permissions.

update_role(role_id, name)[source]¶

Update a role in the database.

add_role(name)[source]¶

Add a role in the database.

find_role(name)[source]¶

Find a role in the database.

Parameters:: name – the role name

get_all_roles()[source]¶

delete_role(role_name)[source]¶

Delete the given Role.

Parameters:: role_name (str) – the name of a role in the ab_role table

get_roles_from_keys(role_keys)[source]¶

Construct a list of FAB role objects, from a list of keys.

NOTE: - keys are things like: “LDAP group DNs” or “OAUTH group names” - we use AUTH_ROLES_MAPPING to map from keys, to FAB role names

Parameters:: role_keys (list[str]) – the list of FAB role keys

get_public_role()[source]¶

add_user(username, first_name, last_name, email, role, password='', hashed_password='')[source]¶: Create a user.

load_user(user_id)[source]¶

get_user_by_id(pk)[source]¶

count_users()[source]¶: Return the number of users in the database.

add_register_user(username, first_name, last_name, email, password='', hashed_password='')[source]¶

Add a registration request for the user.

:rtype : RegisterUser

find_user(username=None, email=None)[source]¶: Find user by username or email.

update_user(user)[source]¶

del_register_user(register_user)[source]¶

Delete registration object from database.

Parameters:: register_user – RegisterUser object to delete

get_all_users()[source]¶

update_user_auth_stat(user, success=True)[source]¶

Update user authentication stats.

This is done upon successful/unsuccessful authentication attempts.

Parameters:

user – The identified (but possibly not successfully authenticated) user model
success – Defaults to true, if true increments login_count, updates last_login, and resets fail_login_count to 0, if false increments fail_login_count on user model.

get_action(name)[source]¶

Get an existing action record.

Parameters:: name (str) – name

create_action(name)[source]¶

Add an action to the backend, model action.

Parameters:: name – name of the action: ‘can_add’,’can_edit’ etc…

delete_action(name)[source]¶

Delete a permission action.

Parameters:: name (str) – Name of action to delete (e.g. can_read).

get_resource(name)[source]¶

Return a resource record by name, if it exists.

Parameters:: name (str) – Name of resource

create_resource(name)[source]¶

Create a resource with the given name.

Parameters:: name – The name of the resource to create created.

get_permission(action_name, resource_name)[source]¶

Get a permission made with the given action->resource pair, if the permission already exists.

Parameters:

action_name (str) – Name of action
resource_name (str) – Name of resource

get_resource_permissions(resource)[source]¶

Retrieve permission pairs associated with a specific resource object.

Parameters:: resource (airflow.providers.fab.auth_manager.models.Resource) – Object representing a single resource.

create_permission(action_name, resource_name)[source]¶

Add a permission on a resource to the backend.

Parameters:

action_name – name of the action to add: ‘can_add’,’can_edit’ etc…
resource_name – name of the resource to add

delete_permission(action_name, resource_name)[source]¶

Delete the permission linking an action->resource pair.

Doesn’t delete the underlying action or resource.

Parameters:

action_name (str) – Name of existing action
resource_name (str) – Name of existing resource

add_permission_to_role(role, permission)[source]¶

Add an existing permission pair to a role.

Parameters:

role (airflow.providers.fab.auth_manager.models.Role) – The role about to get a new permission.
permission (airflow.providers.fab.auth_manager.models.Permission | None) – The permission pair to add to a role.

remove_permission_from_role(role, permission)[source]¶

Remove a permission pair from a role.

Parameters:

role (airflow.providers.fab.auth_manager.models.Role) – User role containing permissions.
permission (airflow.providers.fab.auth_manager.models.Permission) – Object representing resource-> action pair

static get_user_roles(user=None)[source]¶

Get all the roles associated with the user.

Parameters:: user – the ab_user in FAB model.
Returns:: a list of roles associated with the user.

auth_user_ldap(username, password)[source]¶

Authenticate user with LDAP.

NOTE: this depends on python-ldap module.

Parameters:

username – the username
password – the password

check_password(username, password)[source]¶

Check if the password is correct for the username.

Parameters:

username – the username
password – the password

auth_user_db(username, password)[source]¶

Authenticate user, auth db style.

Parameters:

username – The username or registered email address
password – The password, will be tested against hashed password on db

get_oauth_user_info(provider, resp)[source]¶

There are different OAuth APIs with different ways to retrieve user info.

All providers have different ways to retrieve user info.

static oauth_token_getter()[source]¶: Get authentication (OAuth) token.

static ldap_extract_list(ldap_dict, field_name)[source]¶

static ldap_extract(ldap_dict, field_name, fallback)[source]¶