• Home
• airflow.providers.fab
• airflow.providers.fab.auth_manager
• airflow.providers.fab.auth_manager.security_manager
• airflow.providers.fab.auth_manager.security_manager.override

airflow.providers.fab.auth_manager.security_manager.override

Module Contents

Classes

FabAirflowSecurityManagerOverride

This security manager overrides the default AirflowSecurityManager security manager.

Attributes

log
MAX_NUM_DATABASE_USER_SESSIONS

airflow.providers.fab.auth_manager.security_manager.override.log

airflow.providers.fab.auth_manager.security_manager.override.MAX_NUM_DATABASE_USER_SESSIONS = 50000

class airflow.providers.fab.auth_manager.security_manager.override.FabAirflowSecurityManagerOverride(appbuilder)

Bases: airflow.www.security_manager.AirflowSecurityManagerV2

This security manager overrides the default AirflowSecurityManager security manager.

This security manager is used only if the auth manager FabAuthManager is used. It defines everything in the security manager that is needed for the FabAuthManager to work. Any operation specific to the AirflowSecurityManager should be defined here instead of AirflowSecurityManager.

Parameters

appbuilder – The appbuilder.

property get_session

property auth_type

Get the auth type.

property is_auth_limited: bool

Is the auth rate limited.

property auth_rate_limit: str

Get the auth rate limit.

property auth_role_public

Get the public role.

property oauth_providers

Oauth providers.

property auth_ldap_tls_cacertdir

LDAP TLS CA certificate directory.

property auth_ldap_tls_cacertfile

LDAP TLS CA certificate file.

property auth_ldap_tls_certfile

LDAP TLS certificate file.

property auth_ldap_tls_keyfile

LDAP TLS key file.

property auth_ldap_allow_self_signed

LDAP allow self signed.

property auth_ldap_tls_demand

LDAP TLS demand.

property auth_ldap_server

Get the LDAP server object.

property auth_ldap_use_tls

Should LDAP use TLS.

property auth_ldap_bind_user

LDAP bind user.

property auth_ldap_bind_password

LDAP bind password.

property auth_ldap_search

LDAP search object.

property auth_ldap_search_filter

LDAP search filter.

property auth_ldap_uid_field

LDAP UID field.

property auth_ldap_firstname_field

LDAP first name field.

property auth_ldap_lastname_field

LDAP last name field.

property auth_ldap_email_field

LDAP email field.

property auth_ldap_append_domain

LDAP append domain.

property auth_ldap_username_format

LDAP username format.

property auth_ldap_group_field: str

LDAP group field.

property auth_roles_mapping: dict[str, list[str]]

The mapping of auth roles.

property auth_user_registration_role_jmespath: str

The JMESPATH role to use for user registration.

property auth_remote_user_env_var: str

property api_login_allow_multiple_providers

property auth_username_ci

Get the auth username for CI.

property auth_ldap_bind_first

LDAP bind first.

property openid_providers

Openid providers.

property auth_type_provider_name

property auth_user_registration

Will user self registration be allowed.

property auth_user_registration_role

The default user self registration role.

property auth_roles_sync_at_login: bool

Should roles be synced at login.

property auth_role_admin

Get the admin role.

property oauth_whitelists

property builtin_roles

Get the builtin roles.

auth_view

The obj instance for authentication view

registeruser_view

The obj instance for registering user view

user_view

The obj instance for user view

user_model

role_model

action_model

resource_model

permission_model

Views

authdbview

Override if you want your own Authentication DB view

authldapview

Override if you want your own Authentication LDAP view

authoidview

Override if you want your own Authentication OID view

authoauthview

Override if you want your own Authentication OAuth view

authremoteuserview

Override if you want your own Authentication REMOTE_USER view

registeruserdbview

Override if you want your own register user db view

registeruseroidview

Override if you want your own register user OpenID view

registeruseroauthview

Override if you want your own register user OAuth view

actionmodelview

permissionmodelview

rolemodelview

registeruser_model

registerusermodelview

resourcemodelview

userdbmodelview

resetmypasswordview

resetpasswordview

userinfoeditview

userldapmodelview

useroauthmodelview

userremoteusermodelview

useroidmodelview

userstatschartview

jwt_manager

Flask-JWT-Extended

oid

Flask-OpenID OpenID

oauth

oauth_remotes: dict[str, Any]

Initialized (remote_app) providers dict {‘provider_name’, OBJ }

oauth_user_info

oauth_allow_list: dict[str, list]

OAuth email allow list

DAG_RESOURCES

VIEWER_PERMISSIONS = [(), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (),...

USER_PERMISSIONS = [(), (), (), (), (), (), (), (), ()]

OP_PERMISSIONS = [(), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), ()]

ADMIN_PERMISSIONS = [(), (), (), (), (), (), (), (), (), ()]

ROLE_CONFIGS: list[dict[str, Any]]

RESOURCE_DETAILS_MAP

DAG_ACTIONS

register_views()

Register FAB auth manager related views.

create_login_manager()

Create the login manager.

create_jwt_manager()

Create the JWT manager.

reset_password(userid, password)

Change/Reset a user’s password for auth db.

Password will be hashed and saved.

Parameters

• userid (int) – the user id to reset the password

• password (str) – the clear text password to reset and save hashed on the db

reset_user_sessions(user)

load_user_jwt(_jwt_header, jwt_data)

create_builtin_roles()

Return FAB builtin roles.

create_admin_standalone()

Create an Admin user with a random password so that users can access airflow.

create_db()

Create the database.

Creates admin and public roles if they don’t exist.

get_readable_dags(user)

Get the DAGs readable by authenticated user.

get_editable_dags(user)

Get the DAGs editable by authenticated user.

get_accessible_dags(user_actions, user, session=NEW_SESSION)

get_accessible_dag_ids(user, user_actions=None, session=NEW_SESSION)

static get_readable_dag_ids(user=None)

Get the DAG IDs readable by authenticated user.

static get_editable_dag_ids(user=None)

Get the DAG IDs editable by authenticated user.

can_access_some_dags(action, dag_id=None)

Check if user has read or write access to some dags.

get_all_permissions()

Return all permissions as a set of tuples with the action and resource names.

create_dag_specific_permissions()

Add permissions to all DAGs.

Creates ‘can_read’, ‘can_edit’, and ‘can_delete’ permissions for all DAGs, along with any access_control permissions provided in them.

This does iterate through ALL the DAGs, which can be slow. See sync_perm_for_dag if you only need to sync a single DAG.

prefixed_dag_id(dag_id)

Return the permission name for a DAG id.

is_dag_resource(resource_name)

Determine if a resource belongs to a DAG or all DAGs.

sync_perm_for_dag(dag_id, access_control=None)

Sync permissions for given dag id.

The dag id surely exists in our dag bag as only / refresh button or DagBag will call this function.

Parameters

• dag_id (str) – the ID of the DAG whose permissions should be updated

• access_control (Mapping[str, Mapping[str, Collection[str]] | Collection[str]] | None) – a dict where each key is a role name and each value can be: - a set() of DAGs resource action names (e.g. {‘can_read’}) - or a dict where each key is a resource name (‘DAGs’ or ‘DAG Runs’) and each value is a set() of action names (e.g., {‘DAG Runs’: {‘can_create’}, ‘DAGs’: {‘can_read’}})

Returns

Return type

None

add_permissions_view(base_action_names, resource_name)

Add an action on a resource to the backend.

Parameters

• base_action_names –

  list of permissions from view (all exposed methods):

  ’can_add’,’can_edit’ etc…

• resource_name – name of the resource to add

add_permissions_menu(resource_name)

Add menu_access to resource on permission_resource.

Parameters

resource_name – The resource name

security_cleanup(baseviews, menus)

Cleanup all unused permissions from the database.

Parameters

• baseviews – A list of BaseViews class

• menus – Menu class

sync_roles()

Initialize default and custom roles with related permissions.

1. Init the default role(Admin, Viewer, User, Op, public) with related permissions.

2. Init the custom role(dag-user) with related permissions.

create_perm_vm_for_all_dag()

Create perm-vm if not exist and insert into FAB security model for all-dags.

add_homepage_access_to_custom_roles()

Add Website.can_read access to all custom roles.

update_admin_permission()

Add missing permissions to the table for admin.

Admin should get all the permissions, except the dag permissions because Admin already has Dags permission. Add the missing ones to the table for admin.

clean_perms()

FAB leaves faulty permissions that need to be cleaned up.

permission_exists_in_one_or_more_roles(resource_name, action_name, role_ids)

Efficiently check if a certain permission exists on a list of role ids; used by has_access.

Parameters

• resource_name (str) – The view’s name to check if exists on one of the roles

• action_name (str) – The permission name to check if exists

• role_ids (list[int]) – a list of Role ids

Returns

Boolean

Return type

bool

perms_include_action(perms, action_name)

init_role(role_name, perms)

Initialize the role with actions and related resources.

Parameters

• role_name –

• perms –

bulk_sync_roles(roles)

Sync the provided roles and permissions.

sync_resource_permissions(perms=None)

Populate resource-based permissions.

update_role(role_id, name)

Update a role in the database.

add_role(name)

Add a role in the database.

find_role(name)

Find a role in the database.

Parameters

name – the role name

get_all_roles()

delete_role(role_name)

Delete the given Role.

Parameters

role_name (str) – the name of a role in the ab_role table

get_roles_from_keys(role_keys)

Construct a list of FAB role objects, from a list of keys.

NOTE: - keys are things like: “LDAP group DNs” or “OAUTH group names” - we use AUTH_ROLES_MAPPING to map from keys, to FAB role names

Parameters

role_keys (list[str]) – the list of FAB role keys

get_public_role()

add_user(username, first_name, last_name, email, role, password='', hashed_password='')

Create a user.

load_user(user_id)

get_user_by_id(pk)

count_users()

Return the number of users in the database.

add_register_user(username, first_name, last_name, email, password='', hashed_password='')

Add a registration request for the user.

:rtype : RegisterUser

find_user(username=None, email=None)

Find user by username or email.

find_register_user(registration_hash)

update_user(user)

del_register_user(register_user)

Delete registration object from database.

Parameters

register_user – RegisterUser object to delete

get_all_users()

update_user_auth_stat(user, success=True)

Update user authentication stats.

This is done upon successful/unsuccessful authentication attempts.

Parameters

• user – The identified (but possibly not successfully authenticated) user model

• success – Defaults to true, if true increments login_count, updates last_login, and resets fail_login_count to 0, if false increments fail_login_count on user model.

get_action(name)

Get an existing action record.

Parameters

name (str) – name

create_action(name)

Add an action to the backend, model action.

Parameters

name – name of the action: ‘can_add’,’can_edit’ etc…

delete_action(name)

Delete a permission action.

Parameters

name (str) – Name of action to delete (e.g. can_read).

get_resource(name)

Return a resource record by name, if it exists.

Parameters

name (str) – Name of resource

create_resource(name)

Create a resource with the given name.

Parameters

name – The name of the resource to create created.

get_all_resources()

Get all existing resource records.

delete_resource(name)

Delete a Resource from the backend.

Parameters

name (str) – name of the resource

get_permission(action_name, resource_name)

Get a permission made with the given action->resource pair, if the permission already exists.

Parameters

• action_name (str) – Name of action

• resource_name (str) – Name of resource

get_resource_permissions(resource)

Retrieve permission pairs associated with a specific resource object.

Parameters

resource (airflow.providers.fab.auth_manager.models.Resource) – Object representing a single resource.

create_permission(action_name, resource_name)

Add a permission on a resource to the backend.

Parameters

• action_name – name of the action to add: ‘can_add’,’can_edit’ etc…

• resource_name – name of the resource to add

delete_permission(action_name, resource_name)

Delete the permission linking an action->resource pair.

Doesn’t delete the underlying action or resource.

Parameters

• action_name (str) – Name of existing action

• resource_name (str) – Name of existing resource

add_permission_to_role(role, permission)

Add an existing permission pair to a role.

Parameters

• role (airflow.providers.fab.auth_manager.models.Role) – The role about to get a new permission.

• permission (airflow.providers.fab.auth_manager.models.Permission | None) – The permission pair to add to a role.

remove_permission_from_role(role, permission)

Remove a permission pair from a role.

Parameters

• role (airflow.providers.fab.auth_manager.models.Role) – User role containing permissions.

• permission (airflow.providers.fab.auth_manager.models.Permission) – Object representing resource-> action pair

get_oid_identity_url(provider_name)

Return the OIDC identity provider URL.

static get_user_roles(user=None)

Get all the roles associated with the user.

Parameters

user – the ab_user in FAB model.

Returns

a list of roles associated with the user.

auth_user_ldap(username, password)

Authenticate user with LDAP.

NOTE: this depends on python-ldap module.

Parameters

• username – the username

• password – the password

auth_user_db(username, password)

Authenticate user, auth db style.

Parameters

• username – The username or registered email address

• password – The password, will be tested against hashed password on db

oauth_user_info_getter(func)

Get OAuth user info for all the providers.

Receives provider and response return a dict with the information returned from the provider. The returned user info dict should have its keys with the same name as the User Model.

Use it like this an example for GitHub

@appbuilder.sm.oauth_user_info_getter
def my_oauth_user_info(sm, provider, response=None):
    if provider == "github":
        me = sm.oauth_remotes[provider].get("user")
        return {"username": me.data.get("login")}
    return {}

get_oauth_user_info(provider, resp)

There are different OAuth APIs with different ways to retrieve user info.

All providers have different ways to retrieve user info.

static oauth_token_getter()

Get authentication (OAuth) token.

check_authorization(perms=None, dag_id=None)

Check the logged-in user has the specified permissions.

set_oauth_session(provider, oauth_response)

Set the current session with OAuth user secrets.

get_oauth_token_key_name(provider)

Return the token_key name for the oauth provider.

If none is configured defaults to oauth_token this is configured using OAUTH_PROVIDERS and token_key key.

get_oauth_token_secret_name(provider)

Get the token_secret name for the oauth provider.

If none is configured, defaults to oauth_secret. This is configured using OAUTH_PROVIDERS and token_secret.

auth_user_oauth(userinfo)

Authenticate user with OAuth.

Userinfo

dict with user information (keys are the same as User model columns)

auth_user_oid(email)

Openid user Authentication.

Parameters

email – user’s email to authenticate

auth_user_remote_user(username)

REMOTE_USER user Authentication.

Parameters

username – user’s username for remote auth

get_user_menu_access(menu_names=None)

static ldap_extract_list(ldap_dict, field_name)

static ldap_extract(ldap_dict, field_name, fallback)

filter_roles_by_perm_with_action(action_name, role_ids)

Find roles with permission.

Previous Next

Was this entry helpful?