airflow.providers.fab.auth_manager.security_manager.override
¶
Module Contents¶
Classes¶
This security manager overrides the default AirflowSecurityManager security manager. |
Attributes¶
- airflow.providers.fab.auth_manager.security_manager.override.MAX_NUM_DATABASE_USER_SESSIONS = 50000[source]¶
- class airflow.providers.fab.auth_manager.security_manager.override.FabAirflowSecurityManagerOverride(appbuilder)[source]¶
Bases:
airflow.www.security_manager.AirflowSecurityManagerV2
This security manager overrides the default AirflowSecurityManager security manager.
This security manager is used only if the auth manager FabAuthManager is used. It defines everything in the security manager that is needed for the FabAuthManager to work. Any operation specific to the AirflowSecurityManager should be defined here instead of AirflowSecurityManager.
- Parameters
appbuilder – The appbuilder.
- property auth_user_registration_role_jmespath: str[source]¶
The JMESPATH role to use for user registration.
- oauth_remotes: dict[str, Any][source]¶
Initialized (remote_app) providers dict {‘provider_name’, OBJ }
- VIEWER_PERMISSIONS = [(), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (),...[source]¶
- OP_PERMISSIONS = [(), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), ()][source]¶
- reset_password(userid, password)[source]¶
Change/Reset a user’s password for auth db.
Password will be hashed and saved.
- create_admin_standalone()[source]¶
Create an Admin user with a random password so that users can access airflow.
- can_access_some_dags(action, dag_id=None)[source]¶
Check if user has read or write access to some dags.
- get_all_permissions()[source]¶
Return all permissions as a set of tuples with the action and resource names.
- create_dag_specific_permissions()[source]¶
Add permissions to all DAGs.
Creates ‘can_read’, ‘can_edit’, and ‘can_delete’ permissions for all DAGs, along with any access_control permissions provided in them.
This does iterate through ALL the DAGs, which can be slow. See sync_perm_for_dag if you only need to sync a single DAG.
- sync_perm_for_dag(dag_id, access_control=None)[source]¶
Sync permissions for given dag id.
The dag id surely exists in our dag bag as only / refresh button or DagBag will call this function.
- Parameters
dag_id (str) – the ID of the DAG whose permissions should be updated
access_control (collections.abc.Mapping[str, collections.abc.Mapping[str, collections.abc.Collection[str]] | collections.abc.Collection[str]] | None) – a dict where each key is a role name and each value can be: - a set() of DAGs resource action names (e.g. {‘can_read’}) - or a dict where each key is a resource name (‘DAGs’ or ‘DAG Runs’) and each value is a set() of action names (e.g., {‘DAG Runs’: {‘can_create’}, ‘DAGs’: {‘can_read’}})
- Returns
- Return type
None
- add_permissions_view(base_action_names, resource_name)[source]¶
Add an action on a resource to the backend.
- Parameters
base_action_names –
- list of permissions from view (all exposed methods):
’can_add’,’can_edit’ etc…
resource_name – name of the resource to add
Add menu_access to resource on permission_resource.
- Parameters
resource_name – The resource name
- security_cleanup(baseviews, menus)[source]¶
Cleanup all unused permissions from the database.
- Parameters
baseviews – A list of BaseViews class
menus – Menu class
- sync_roles()[source]¶
Initialize default and custom roles with related permissions.
Init the default role(Admin, Viewer, User, Op, public) with related permissions.
Init the custom role(dag-user) with related permissions.
- create_perm_vm_for_all_dag()[source]¶
Create perm-vm if not exist and insert into FAB security model for all-dags.
- update_admin_permission()[source]¶
Add missing permissions to the table for admin.
Admin should get all the permissions, except the dag permissions because Admin already has Dags permission. Add the missing ones to the table for admin.
- permission_exists_in_one_or_more_roles(resource_name, action_name, role_ids)[source]¶
Efficiently check if a certain permission exists on a list of role ids; used by has_access.
- delete_role(role_name)[source]¶
Delete the given Role.
- Parameters
role_name (str) – the name of a role in the ab_role table
- get_roles_from_keys(role_keys)[source]¶
Construct a list of FAB role objects, from a list of keys.
NOTE: - keys are things like: “LDAP group DNs” or “OAUTH group names” - we use AUTH_ROLES_MAPPING to map from keys, to FAB role names
- add_user(username, first_name, last_name, email, role, password='', hashed_password='')[source]¶
Create a user.
- add_register_user(username, first_name, last_name, email, password='', hashed_password='')[source]¶
Add a registration request for the user.
:rtype : RegisterUser
- del_register_user(register_user)[source]¶
Delete registration object from database.
- Parameters
register_user – RegisterUser object to delete
- update_user_auth_stat(user, success=True)[source]¶
Update user authentication stats.
This is done upon successful/unsuccessful authentication attempts.
- Parameters
user – The identified (but possibly not successfully authenticated) user model
success – Defaults to true, if true increments login_count, updates last_login, and resets fail_login_count to 0, if false increments fail_login_count on user model.
- create_action(name)[source]¶
Add an action to the backend, model action.
- Parameters
name – name of the action: ‘can_add’,’can_edit’ etc…
- delete_action(name)[source]¶
Delete a permission action.
- Parameters
name (str) – Name of action to delete (e.g. can_read).
- get_resource(name)[source]¶
Return a resource record by name, if it exists.
- Parameters
name (str) – Name of resource
- create_resource(name)[source]¶
Create a resource with the given name.
- Parameters
name – The name of the resource to create created.
- delete_resource(name)[source]¶
Delete a Resource from the backend.
- Parameters
name (str) – name of the resource
- get_permission(action_name, resource_name)[source]¶
Get a permission made with the given action->resource pair, if the permission already exists.
- get_resource_permissions(resource)[source]¶
Retrieve permission pairs associated with a specific resource object.
- Parameters
resource (airflow.providers.fab.auth_manager.models.Resource) – Object representing a single resource.
- create_permission(action_name, resource_name)[source]¶
Add a permission on a resource to the backend.
- Parameters
action_name – name of the action to add: ‘can_add’,’can_edit’ etc…
resource_name – name of the resource to add
- delete_permission(action_name, resource_name)[source]¶
Delete the permission linking an action->resource pair.
Doesn’t delete the underlying action or resource.
- add_permission_to_role(role, permission)[source]¶
Add an existing permission pair to a role.
- Parameters
role (airflow.providers.fab.auth_manager.models.Role) – The role about to get a new permission.
permission (airflow.providers.fab.auth_manager.models.Permission | None) – The permission pair to add to a role.
- remove_permission_from_role(role, permission)[source]¶
Remove a permission pair from a role.
- Parameters
role (airflow.providers.fab.auth_manager.models.Role) – User role containing permissions.
permission (airflow.providers.fab.auth_manager.models.Permission) – Object representing resource-> action pair
- static get_user_roles(user=None)[source]¶
Get all the roles associated with the user.
- Parameters
user – the ab_user in FAB model.
- Returns
a list of roles associated with the user.
- auth_user_ldap(username, password)[source]¶
Authenticate user with LDAP.
NOTE: this depends on python-ldap module.
- Parameters
username – the username
password – the password
- auth_user_db(username, password)[source]¶
Authenticate user, auth db style.
- Parameters
username – The username or registered email address
password – The password, will be tested against hashed password on db
- oauth_user_info_getter(func)[source]¶
Get OAuth user info for all the providers.
Receives provider and response return a dict with the information returned from the provider. The returned user info dict should have its keys with the same name as the User Model.
Use it like this an example for GitHub
@appbuilder.sm.oauth_user_info_getter def my_oauth_user_info(sm, provider, response=None): if provider == "github": me = sm.oauth_remotes[provider].get("user") return {"username": me.data.get("login")} return {}
- get_oauth_user_info(provider, resp)[source]¶
There are different OAuth APIs with different ways to retrieve user info.
All providers have different ways to retrieve user info.
- check_authorization(perms=None, dag_id=None)[source]¶
Check the logged-in user has the specified permissions.
- set_oauth_session(provider, oauth_response)[source]¶
Set the current session with OAuth user secrets.
- get_oauth_token_key_name(provider)[source]¶
Return the token_key name for the oauth provider.
If none is configured defaults to oauth_token this is configured using OAUTH_PROVIDERS and token_key key.
- get_oauth_token_secret_name(provider)[source]¶
Get the
token_secret
name for the oauth provider.If none is configured, defaults to
oauth_secret
. This is configured usingOAUTH_PROVIDERS
andtoken_secret
.
- auth_user_oauth(userinfo)[source]¶
Authenticate user with OAuth.
- Userinfo
dict with user information (keys are the same as User model columns)
- auth_user_oid(email)[source]¶
Openid user Authentication.
- Parameters
email – user’s email to authenticate
- auth_user_remote_user(username)[source]¶
REMOTE_USER user Authentication.
- Parameters
username – user’s username for remote auth