You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/03/16 03:40:41 UTC
[GitHub] [airflow] suiting-young opened a new pull request #14820: `sync_resource_permissions` should be called during initialization.
suiting-young opened a new pull request #14820:
URL: https://github.com/apache/airflow/pull/14820
- Call it in decorator declaration wastes performance,
and will raise error when not in an `app_context`.
- It needs `perms` (otherwise it's a no-op).
- 'Admin' should have all predefined (*known*) perms,
apply them is good enough (I guess).
@jhtimmins please have a review. Thanks!
---
### My Use Case
I made a plugin (_in `$AIRFLOW_HOME/plugins/`_), which mixed with web entry and RESTful API.
```py
from airflow.api_connexion import security
from airflow.www import auth
from airflow.www.app import csrf
from airflow.www.views import AirflowModelView
class MyModalView(AirflowModelView):
@auth.has_access([...])
@expose('/my/modal')
def some_web_entry(self): ...
@csrf.exempt
@security.requires_access([...])
@expose('/my/modal/rest-api-for-robot/')
def some_bot_api(self): ...
```
Then I found airflow **worker** cannot start when it load the plugin,
the `security.requires_access` failed because not in an app context.
I'd prefer `@security.requires_access` can be safely used like `@auth.has_access`.
<!--
Thank you for contributing! Please make sure that your code changes
are covered with tests. And in case of new features or big changes
remember to adjust the documentation.
Feel free to ping committers for the review!
In case of existing issue, reference it using one of the following:
closes: #ISSUE
related: #ISSUE
How to write a good git commit message:
http://chris.beams.io/posts/git-commit/
-->
---
**^ Add meaningful description above**
Read the **[Pull Request Guidelines](https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst#pull-request-guidelines)** for more information.
In case of fundamental code change, Airflow Improvement Proposal ([AIP](https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+Improvements+Proposals)) is needed.
In case of a new dependency, check compliance with the [ASF 3rd Party License Policy](https://www.apache.org/legal/resolved.html#category-x).
In case of backwards incompatible changes please leave a note in [UPDATING.md](https://github.com/apache/airflow/blob/master/UPDATING.md).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] github-actions[bot] commented on pull request #14820: `sync_resource_permissions` should be called during initialization.
Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #14820:
URL: https://github.com/apache/airflow/pull/14820#issuecomment-841563746
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] suiting-young edited a comment on pull request #14820: `sync_resource_permissions` should be called during initialization.
Posted by GitBox <gi...@apache.org>.
suiting-young edited a comment on pull request #14820:
URL: https://github.com/apache/airflow/pull/14820#issuecomment-800780702
> it means that **plugins** that add custom permission (added view UI) won't ever get synced to the DB.
Yes, and No.
- A) If someone customized their installation with an extra set of API endpoints
(*similar to `airflow/api_connexion/endpoints` but outside of airflow code tree*),
then **YES**, custom permission won't work.
- B) If someone forked airflow and added their APIs directly,
then **NO**, they could add their permissions to `AirflowSecurityManager`
directly (*as they already made some changes*).
- C) If someone using the official **plugin** mechanism to add API endpoints,
then _kind of_ **NO**, as I mentioned above, the issue is blocking them to do so.
After all, I'd prefer a formal way/place to **register** permissions,
instead of current solution, which looks like a bit of hack.
So the possible solution may be let user call `security_manager.sync_resource_permissions(custom_perms)` explicitly
like we already have in `sync_appbuilder_roles`.
- For case A) allow user to register a function in `airflow.cfg` or `webserver_config.py`,
which to be called during `create_app()` or some `init_???()` function inside it.
(*may not necessary?*)
- For case C) user could do it in their overridden `AirflowPlugin.on_load()` **if the `security_manager` passed in**.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] suiting-young commented on pull request #14820: `sync_resource_permissions` should be called during initialization.
Posted by GitBox <gi...@apache.org>.
suiting-young commented on pull request #14820:
URL: https://github.com/apache/airflow/pull/14820#issuecomment-800780702
> it means that **plugins** that add custom permission (added view UI) won't ever get synced to the DB.
Yes, and No.
- A) If someone customized their installation with an extra set of API endpoints
(*similar to `airflow/api_connexion/endpoints` but outside of airflow code tree*),
then **YES**, custom permission won't work.
- B) If someone forked airflow and added their APIs directly,
then **NO**, they could add their permissions to `AirflowSecurityManager`
directly (*as they already made some changes*).
- C) If someone using the official **plugin** mechanism to add API endpoints,
then _kind of_ **NO**, as I mentioned above, the issue is blocking them to do so.
After all, I'd prefer a formal way/place to **register** permissions,
instead of current solution, which looks like a bit of hack.
So the possible solution may be let user call `security_manager.sync_resource_permissions(custom_perms)` explicitly
like we already have in `sync_appbuilder_roles`.
- For case A) allow user to register a function in `airflow.cfg`,
which to be called during `create_app()` or some `init_???()` function inside it.
(*may not necessary?*)
- For case C) user could do it in their overridden `AirflowPlugin.on_load()` **if the `security_manager` passed in**.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] ashb commented on pull request #14820: `sync_resource_permissions` should be called during initialization.
Posted by GitBox <gi...@apache.org>.
ashb commented on pull request #14820:
URL: https://github.com/apache/airflow/pull/14820#issuecomment-800234143
> I'd prefer @security.requires_access can be safely used like @auth.has_access.
Yes, but I'm not sure about this fix -- it means that plugins that add custom permission (added view UI) won't ever get synced to the DB.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] boring-cyborg[bot] commented on pull request #14820: `sync_resource_permissions` should be called during initialization.
Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on pull request #14820:
URL: https://github.com/apache/airflow/pull/14820#issuecomment-799920486
Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst)
Here are some useful points:
- Pay attention to the quality of your code (flake8, pylint and type annotations). Our [pre-commits]( https://github.com/apache/airflow/blob/master/STATIC_CODE_CHECKS.rst#prerequisites-for-pre-commit-hooks) will help you with that.
- In case of a new feature add useful documentation (in docstrings or in `docs/` directory). Adding a new operator? Check this short [guide](https://github.com/apache/airflow/blob/master/docs/apache-airflow/howto/custom-operator.rst) Consider adding an example DAG that shows how users should use it.
- Consider using [Breeze environment](https://github.com/apache/airflow/blob/master/BREEZE.rst) for testing locally, itโs a heavy docker but it ships with a working Airflow and a lot of integrations.
- Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
- Please follow [ASF Code of Conduct](https://www.apache.org/foundation/policies/conduct) for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
- Be sure to read the [Airflow Coding style]( https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst#coding-style-and-best-practices).
Apache Airflow is a community-driven project and together we are making it better ๐.
In case of doubts contact the developers at:
Mailing List: dev@airflow.apache.org
Slack: https://s.apache.org/airflow-slack
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] github-actions[bot] commented on pull request #14820: `sync_resource_permissions` should be called during initialization.
Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #14820:
URL: https://github.com/apache/airflow/pull/14820#issuecomment-894878206
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] github-actions[bot] closed pull request #14820: `sync_resource_permissions` should be called during initialization.
Posted by GitBox <gi...@apache.org>.
github-actions[bot] closed pull request #14820:
URL: https://github.com/apache/airflow/pull/14820
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org