Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/03/23 04:34:00 UTC

[GitHub] [airflow] jhtimmins opened a new pull request #14946: Standardize default fab perms

jhtimmins opened a new pull request #14946:
URL: https://github.com/apache/airflow/pull/14946


   This PR applies the Stable API permissions model to the existing FAB permission views. It also adds tests.
   
   In order to merge, the new /users endpoint was updated to use the FAB permissions model.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [airflow] github-actions[bot] commented on pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#issuecomment-805443259


   [The Workflow run](https://github.com/apache/airflow/actions/runs/681594826) is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*.





[GitHub] [airflow] kaxil commented on a change in pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
kaxil commented on a change in pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#discussion_r606511153



##########
File path: airflow/www/views.py
##########
@@ -3806,3 +3822,204 @@ def autocomplete(self, session=None):
         payload = [row[0] for row in dag_ids_query.union(owners_query).limit(10).all()]
 
         return wwwutils.json_response(payload)
+
+
+class CustomPermissionModelView(PermissionModelView):
+    """Customize permission names for FAB's builtin PermissionModelView."""
+
+    class_permission_name = permissions.RESOURCE_PERMISSION
+    method_permission_name = {
+        'list': 'read',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_READ,
+    ]
+
+
+class CustomPermissionViewModelView(PermissionViewModelView):
+    """Customize permission names for FAB's builtin PermissionViewModelView."""
+
+    class_permission_name = permissions.RESOURCE_PERMISSION_VIEW
+    method_permission_name = {
+        'list': 'read',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_READ,
+    ]
+
+
+class CustomResetMyPasswordView(ResetMyPasswordView):
+    """Customize permission names for FAB's builtin ResetMyPasswordView."""
+
+    class_permission_name = permissions.RESOURCE_MY_PASSWORD
+    method_permission_name = {
+        'this_form_get': 'read',
+        'this_form_post': 'edit',
+    }
+    base_permissions = [permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ]
+
+
+class CustomResetPasswordView(ResetPasswordView):
+    """Customize permission names for FAB's builtin ResetPasswordView."""
+
+    class_permission_name = permissions.RESOURCE_PASSWORD
+    method_permission_name = {
+        'this_form_get': 'read',
+        'this_form_post': 'edit',
+    }
+
+    base_permissions = [permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ]
+
+
+class CustomRoleModelView(RoleModelView):
+    """Customize permission names for FAB's builtin RoleModelView."""
+
+    class_permission_name = permissions.RESOURCE_ROLE
+    method_permission_name = {
+        'delete': 'delete',
+        'download': 'read',
+        'show': 'read',
+        'list': 'read',
+        'edit': 'edit',
+        'add': 'create',
+        'copy_role': 'create',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_CREATE,
+        permissions.ACTION_CAN_READ,
+        permissions.ACTION_CAN_EDIT,
+        permissions.ACTION_CAN_DELETE,
+    ]
+
+
+class CustomViewMenuModelView(ViewMenuModelView):
+    """Customize permission names for FAB's builtin ViewMenuModelView."""
+
+    class_permission_name = permissions.RESOURCE_VIEW_MENU
+    method_permission_name = {
+        'list': 'read',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_READ,
+    ]
+
+
+class CustomUserDBModelView(UserDBModelView):
+    """Customize permission names for FAB's builtin UserDBModelView."""
+
+    _class_permission_name = permissions.RESOURCE_USER
+
+    class_permission_name_mapping = {
+        'resetmypassword': permissions.RESOURCE_MY_PASSWORD,
+        'resetpasswords': permissions.RESOURCE_PASSWORD,
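
Review bot: In `class_permission_name_mapping`, the keys `'resetmypassword'` and `'resetpasswords'` differ by a few characters but map to different resources (`RESOURCE_MY_PASSWORD` and `RESOURCE_PASSWORD`), and nothing in the hunk says which one covers the logged-in user's own password and which covers other users' passwords. A one-line comment on each entry would make the intent reviewable, and a test asserting that a role holding only the `RESOURCE_MY_PASSWORD` permissions is denied on `resetpasswords` would keep the two from being swapped later.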

Review comment:
       What's the difference between these two? Just want to make sure we don't accidentally give permissions to a user to change password for other users :)







[GitHub] [airflow] kaxil commented on pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
kaxil commented on pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#issuecomment-806984533


   Rebased to latest master to fix the failing errors around providers





[GitHub] [airflow] jhtimmins merged pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
jhtimmins merged pull request #14946:
URL: https://github.com/apache/airflow/pull/14946


   





[GitHub] [airflow] jhtimmins commented on pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
jhtimmins commented on pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#issuecomment-811519584


   @ashb This updates the permission model, so #14840 will need to integrate these changes.
   Can you and @kaxil take a look?





[GitHub] [airflow] jhtimmins commented on a change in pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
jhtimmins commented on a change in pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#discussion_r611915519



##########
File path: airflow/migrations/versions/a13f7613ad25_resource_based_permissions_for_default_.py
##########
@@ -0,0 +1,172 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""Resource based permissions for default FAB views.
+
+Revision ID: a13f7613ad25
+Revises: 2e42bb497a22
+Create Date: 2021-03-20 21:23:05.793378
+
+"""
+import logging
+
+from airflow.security import permissions
+from airflow.www.app import create_app
+
+# revision identifiers, used by Alembic.
+revision = 'a13f7613ad25'
+down_revision = '2e42bb497a22'
+branch_labels = None
+depends_on = None
+
+
+mapping = {
+    ("PermissionModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PERMISSION),
+    ],
+    ("PermissionViewModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PERMISSION_VIEW),
+    ],
+    ("ResetMyPasswordView", "can_this_form_get"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PASSWORD),
+    ],
+    ("ResetMyPasswordView", "can_this_form_post"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_MY_PASSWORD),
+    ],
+    ("ResetPasswordView", "can_this_form_get"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PASSWORD),
+    ],
+    ("ResetPasswordView", "can_this_form_post"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_PASSWORD),
+    ],
+    ("RoleModelView", "can_delete"): [
+        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_download"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_show"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_edit"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_add"): [
+        (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_copyrole"): [
+        (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_ROLE),
+    ],
+    ("ViewMenuModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_add"): [
+        (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserDBModelView", "can_download"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_show"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_edit"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "resetmypassword"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PASSWORD),
+    ],
+    ("UserDBModelView", "resetpasswords"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PASSWORD),
+    ],
+    ("UserDBModelView", "userinfoedit"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserDBModelView", "can_delete"): [
+        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserInfoEditView", "can_this_form_get"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserInfoEditView", "can_this_form_post"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserStatsChartView", "can_chart"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_USER_STATS_CHART),
+    ],
+    ("UserLDAPModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserOAuthModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserOIDModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserRemoteUserModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("DagRunModelView", "can_clear"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
+        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_TASK_INSTANCE),
+    ],
+}
+
+
+def remap_permissions():
+    """Apply Map Airflow view permissions."""
+    appbuilder = create_app(config={'FAB_UPDATE_PERMS': False}).appbuilder
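
Review bot: In `mapping`, the `UserDBModelView` entries for `can_add`, `can_download`, `can_show`, `can_list`, `can_edit` and `can_delete` all target `permissions.RESOURCE_VIEW_MENU`, the same resource used for `("ViewMenuModelView", "can_list")`, so the migration would translate user-management permissions into permissions on the view-menu resource. `CustomUserDBModelView` in `airflow/www/views.py` sets `_class_permission_name = permissions.RESOURCE_USER`, so these six entries look like they should target `permissions.RESOURCE_USER`. Also worth confirming: the `resetmypassword`, `resetpasswords` and `userinfoedit` keys carry no `can_` prefix while `can_copyrole` does, and the view's method map spells it `copy_role`; each key should match the permission name as stored.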

Review comment:
       @ashb What would be the purpose of that?







[GitHub] [airflow] kaxil commented on a change in pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
kaxil commented on a change in pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#discussion_r606513352



##########
File path: airflow/www/views.py
##########
@@ -3806,3 +3822,204 @@ def autocomplete(self, session=None):
         payload = [row[0] for row in dag_ids_query.union(owners_query).limit(10).all()]
 
         return wwwutils.json_response(payload)
+
+
+class CustomPermissionModelView(PermissionModelView):
+    """Customize permission names for FAB's builtin PermissionModelView."""
+
+    class_permission_name = permissions.RESOURCE_PERMISSION
+    method_permission_name = {
+        'list': 'read',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_READ,
+    ]
+
+
+class CustomPermissionViewModelView(PermissionViewModelView):
+    """Customize permission names for FAB's builtin PermissionViewModelView."""
+
+    class_permission_name = permissions.RESOURCE_PERMISSION_VIEW
+    method_permission_name = {
+        'list': 'read',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_READ,
+    ]
+
+
+class CustomResetMyPasswordView(ResetMyPasswordView):
+    """Customize permission names for FAB's builtin ResetMyPasswordView."""
+
+    class_permission_name = permissions.RESOURCE_MY_PASSWORD
+    method_permission_name = {
+        'this_form_get': 'read',
+        'this_form_post': 'edit',
+    }
+    base_permissions = [permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ]
+
+
+class CustomResetPasswordView(ResetPasswordView):
+    """Customize permission names for FAB's builtin ResetPasswordView."""
+
+    class_permission_name = permissions.RESOURCE_PASSWORD
+    method_permission_name = {
+        'this_form_get': 'read',
+        'this_form_post': 'edit',
+    }
+
+    base_permissions = [permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ]
+
+
+class CustomRoleModelView(RoleModelView):
+    """Customize permission names for FAB's builtin RoleModelView."""
+
+    class_permission_name = permissions.RESOURCE_ROLE
+    method_permission_name = {
+        'delete': 'delete',
+        'download': 'read',
+        'show': 'read',
+        'list': 'read',
+        'edit': 'edit',
+        'add': 'create',
+        'copy_role': 'create',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_CREATE,
+        permissions.ACTION_CAN_READ,
+        permissions.ACTION_CAN_EDIT,
+        permissions.ACTION_CAN_DELETE,
+    ]
+
+
+class CustomViewMenuModelView(ViewMenuModelView):
+    """Customize permission names for FAB's builtin ViewMenuModelView."""
+
+    class_permission_name = permissions.RESOURCE_VIEW_MENU
+    method_permission_name = {
+        'list': 'read',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_READ,
+    ]
+
+
+class CustomUserDBModelView(UserDBModelView):
+    """Customize permission names for FAB's builtin UserDBModelView."""
+
+    _class_permission_name = permissions.RESOURCE_USER
+
+    class_permission_name_mapping = {
+        'resetmypassword': permissions.RESOURCE_MY_PASSWORD,
+        'resetpasswords': permissions.RESOURCE_PASSWORD,
+        'userinfoedit': permissions.RESOURCE_MY_PROFILE,
+        'userinfo': permissions.RESOURCE_MY_PROFILE,
+    }
+
+    method_permission_name = {
+        'add': 'create',
+        'userinfo': 'read',
+        'download': 'read',
+        'show': 'read',
+        'list': 'read',
+        'edit': 'edit',
+        'resetmypassword': 'read',
+        'resetpasswords': 'read',
+        'userinfoedit': 'edit',
+        'delete': 'delete',
+    }
+
+    base_permissions = [
+        permissions.ACTION_CAN_CREATE,
+        permissions.ACTION_CAN_READ,
+        permissions.ACTION_CAN_EDIT,
+        permissions.ACTION_CAN_DELETE,
+    ]
+
+    @property
+    def class_permission_name(self):
+        """Returns appropriate permission name depending on request method name."""
+        if request:
+            action_name = request.view_args.get("name")
+            _, method_name = request.url_rule.endpoint.split(".")
+            if method_name == 'action' and action_name:
+                return self.class_permission_name_mapping.get(action_name, self._class_permission_name)
+            if method_name:
+                return self.class_permission_name_mapping.get(method_name, self._class_permission_name)
+
+        return self._class_permission_name
+
+    @class_permission_name.setter
+    def class_permission_name(self, name):
+        self._class_permission_name = name
+
+
+class CustomUserInfoEditView(UserInfoEditView):
+    """Customize permission names for FAB's builtin UserInfoEditView."""
+
+    class_permission_name = permissions.RESOURCE_MY_PROFILE
+    route_base = "/userinfoeditview"
+    method_permission_name = {
+        'this_form_get': 'read',
+        'this_form_post': 'edit',
+    }
+    base_permissions = [permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ]
+
+
+class CustomUserStatsChartView(UserStatsChartView):
+    """Customize permission names for FAB's builtin UserStatsChartView."""
+
+    class_permission_name = permissions.RESOURCE_USER_STATS_CHART
+    route_base = "/userstatschartview"
+    method_permission_name = {
+        'chart': 'read',
+    }
+    base_permissions = [permissions.ACTION_CAN_READ]
+
+
+class CustomUserLDAPModelView(UserLDAPModelView):
+    """Customize permission names for FAB's builtin UserLDAPModelView."""
+
+    class_permission_name = permissions.RESOURCE_MY_PROFILE
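
Review bot: In the `class_permission_name` property, `_, method_name = request.url_rule.endpoint.split(".")` raises `ValueError` for any endpoint that does not contain exactly one dot, and `request.view_args` and `request.url_rule` are both `None` when URL matching failed, so the permission lookup can raise instead of falling back to `self._class_permission_name`. Since this property decides which resource an access check runs against, `rsplit(".", 1)[-1]` plus a guard for a missing `url_rule` or `view_args` that returns `self._class_permission_name` would be safer, with a test for the fallback path.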

Review comment:
       Is there a specific reason we call `"/userstatschartview"` as `RESOURCE_USER_STATS_CHART` but for the `userinfo` one we call it `RESOURCE_MY_PROFILE`?
   
   i.e. `RESOURCE_MY` vs `RESOURCE_USER`. Should we standardize it to say `RESOURCE_USER_STATS_CHART` and the other one as `RESOURCE_USER_PROFILE`?







[GitHub] [airflow] ashb commented on a change in pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
ashb commented on a change in pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#discussion_r611917712



##########
File path: airflow/migrations/versions/a13f7613ad25_resource_based_permissions_for_default_.py
##########
@@ -0,0 +1,172 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""Resource based permissions for default FAB views.
+
+Revision ID: a13f7613ad25
+Revises: 2e42bb497a22
+Create Date: 2021-03-20 21:23:05.793378
+
+"""
+import logging
+
+from airflow.security import permissions
+from airflow.www.app import create_app
+
+# revision identifiers, used by Alembic.
+revision = 'a13f7613ad25'
+down_revision = '2e42bb497a22'
+branch_labels = None
+depends_on = None
+
+
+mapping = {
+    ("PermissionModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PERMISSION),
+    ],
+    ("PermissionViewModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PERMISSION_VIEW),
+    ],
+    ("ResetMyPasswordView", "can_this_form_get"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PASSWORD),
+    ],
+    ("ResetMyPasswordView", "can_this_form_post"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_MY_PASSWORD),
+    ],
+    ("ResetPasswordView", "can_this_form_get"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PASSWORD),
+    ],
+    ("ResetPasswordView", "can_this_form_post"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_PASSWORD),
+    ],
+    ("RoleModelView", "can_delete"): [
+        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_download"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_show"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_edit"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_add"): [
+        (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_copyrole"): [
+        (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_ROLE),
+    ],
+    ("ViewMenuModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_add"): [
+        (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserDBModelView", "can_download"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_show"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_edit"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "resetmypassword"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PASSWORD),
+    ],
+    ("UserDBModelView", "resetpasswords"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PASSWORD),
+    ],
+    ("UserDBModelView", "userinfoedit"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserDBModelView", "can_delete"): [
+        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserInfoEditView", "can_this_form_get"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserInfoEditView", "can_this_form_post"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserStatsChartView", "can_chart"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_USER_STATS_CHART),
+    ],
+    ("UserLDAPModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserOAuthModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserOIDModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserRemoteUserModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("DagRunModelView", "can_clear"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
+        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_TASK_INSTANCE),
+    ],
+}
+
+
+def remap_permissions():
+    """Apply Map Airflow view permissions."""
+    appbuilder = create_app(config={'FAB_UPDATE_PERMS': False}).appbuilder
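
Review bot: `remap_permissions()` builds a full web app with `create_app(config={'FAB_UPDATE_PERMS': False})` and nothing explains why the flag is turned off; the docstring `"""Apply Map Airflow view permissions."""` does not read as a sentence either. A comment stating why `FAB_UPDATE_PERMS` has to be `False` while the migration runs, and a docstring that says which permission names are mapped to which, would let the next reader verify the migration without reconstructing the intent.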

Review comment:
       I honestly couldn't tell you anymore.







[GitHub] [airflow] jhtimmins commented on a change in pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
jhtimmins commented on a change in pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#discussion_r611729803



##########
File path: airflow/www/views.py
##########
@@ -3806,3 +3822,204 @@ def autocomplete(self, session=None):
         payload = [row[0] for row in dag_ids_query.union(owners_query).limit(10).all()]
 
         return wwwutils.json_response(payload)
+
+
+class CustomPermissionModelView(PermissionModelView):
+    """Customize permission names for FAB's builtin PermissionModelView."""
+
+    class_permission_name = permissions.RESOURCE_PERMISSION
+    method_permission_name = {
+        'list': 'read',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_READ,
+    ]
+
+
+class CustomPermissionViewModelView(PermissionViewModelView):
+    """Customize permission names for FAB's builtin PermissionViewModelView."""
+
+    class_permission_name = permissions.RESOURCE_PERMISSION_VIEW
+    method_permission_name = {
+        'list': 'read',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_READ,
+    ]
+
+
+class CustomResetMyPasswordView(ResetMyPasswordView):
+    """Customize permission names for FAB's builtin ResetMyPasswordView."""
+
+    class_permission_name = permissions.RESOURCE_MY_PASSWORD
+    method_permission_name = {
+        'this_form_get': 'read',
+        'this_form_post': 'edit',
+    }
+    base_permissions = [permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ]
+
+
+class CustomResetPasswordView(ResetPasswordView):
+    """Customize permission names for FAB's builtin ResetPasswordView."""
+
+    class_permission_name = permissions.RESOURCE_PASSWORD
+    method_permission_name = {
+        'this_form_get': 'read',
+        'this_form_post': 'edit',
+    }
+
+    base_permissions = [permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ]
+
+
+class CustomRoleModelView(RoleModelView):
+    """Customize permission names for FAB's builtin RoleModelView."""
+
+    class_permission_name = permissions.RESOURCE_ROLE
+    method_permission_name = {
+        'delete': 'delete',
+        'download': 'read',
+        'show': 'read',
+        'list': 'read',
+        'edit': 'edit',
+        'add': 'create',
+        'copy_role': 'create',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_CREATE,
+        permissions.ACTION_CAN_READ,
+        permissions.ACTION_CAN_EDIT,
+        permissions.ACTION_CAN_DELETE,
+    ]
+
+
+class CustomViewMenuModelView(ViewMenuModelView):
+    """Customize permission names for FAB's builtin ViewMenuModelView."""
+
+    class_permission_name = permissions.RESOURCE_VIEW_MENU
+    method_permission_name = {
+        'list': 'read',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_READ,
+    ]
+
+
+class CustomUserDBModelView(UserDBModelView):
+    """Customize permission names for FAB's builtin UserDBModelView."""
+
+    _class_permission_name = permissions.RESOURCE_USER
+
+    class_permission_name_mapping = {
+        'resetmypassword': permissions.RESOURCE_MY_PASSWORD,
+        'resetpasswords': permissions.RESOURCE_PASSWORD,
+        'userinfoedit': permissions.RESOURCE_MY_PROFILE,
+        'userinfo': permissions.RESOURCE_MY_PROFILE,
+    }
+
+    method_permission_name = {
+        'add': 'create',
+        'userinfo': 'read',
+        'download': 'read',
+        'show': 'read',
+        'list': 'read',
+        'edit': 'edit',
+        'resetmypassword': 'read',
+        'resetpasswords': 'read',
+        'userinfoedit': 'edit',
+        'delete': 'delete',
+    }
+
+    base_permissions = [
+        permissions.ACTION_CAN_CREATE,
+        permissions.ACTION_CAN_READ,
+        permissions.ACTION_CAN_EDIT,
+        permissions.ACTION_CAN_DELETE,
+    ]
+
+    @property
+    def class_permission_name(self):
+        """Returns appropriate permission name depending on request method name."""
+        if request:
+            action_name = request.view_args.get("name")
+            _, method_name = request.url_rule.endpoint.split(".")
+            if method_name == 'action' and action_name:
+                return self.class_permission_name_mapping.get(action_name, self._class_permission_name)
+            if method_name:
+                return self.class_permission_name_mapping.get(method_name, self._class_permission_name)
+
+        return self._class_permission_name
+
+    @class_permission_name.setter
+    def class_permission_name(self, name):
+        self._class_permission_name = name
+
+
+class CustomUserInfoEditView(UserInfoEditView):
+    """Customize permission names for FAB's builtin UserInfoEditView."""
+
+    class_permission_name = permissions.RESOURCE_MY_PROFILE
+    route_base = "/userinfoeditview"
+    method_permission_name = {
+        'this_form_get': 'read',
+        'this_form_post': 'edit',
+    }
+    base_permissions = [permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ]
+
+
+class CustomUserStatsChartView(UserStatsChartView):
+    """Customize permission names for FAB's builtin UserStatsChartView."""
+
+    class_permission_name = permissions.RESOURCE_USER_STATS_CHART
+    route_base = "/userstatschartview"
+    method_permission_name = {
+        'chart': 'read',
+    }
+    base_permissions = [permissions.ACTION_CAN_READ]
+
+
+class CustomUserLDAPModelView(UserLDAPModelView):
+    """Customize permission names for FAB's builtin UserLDAPModelView."""
+
+    class_permission_name = permissions.RESOURCE_MY_PROFILE
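
Review bot: In `CustomUserDBModelView.method_permission_name`, `'resetmypassword': 'read'` and `'resetpasswords': 'read'` gate password-reset entry points with the read action, while `CustomResetMyPasswordView` and `CustomResetPasswordView` above require `'edit'` for `this_form_post`. If these two methods only lead to those form views, a comment saying so would show that the actual change is still covered by `edit`; otherwise they should map to `'edit'` so that read-only access on the password resources cannot start a reset for another user.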

Review comment:
       `userstatschartview` applies to all users, whereas `RESOURCE_MY_PROFILE` only applies to the logged in user.







[GitHub] [airflow] github-actions[bot] commented on pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#issuecomment-818125285


   The PR most likely needs to run full matrix of tests because it modifies parts of the core of Airflow. However, committers might decide to merge it quickly and take the risk. If they don't merge it quickly - please rebase it to the latest master at your convenience, or amend the last commit of the PR, and push it with --force-with-lease.





[GitHub] [airflow] ephraimbuddy commented on a change in pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
ephraimbuddy commented on a change in pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#discussion_r600989702



##########
File path: airflow/migrations/versions/a13f7613ad25_resource_based_permissions_for_default_.py
##########
@@ -0,0 +1,172 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""Resource based permissions for default FAB views.
+
+Revision ID: a13f7613ad25
+Revises: 2e42bb497a22
+Create Date: 2021-03-20 21:23:05.793378
+
+"""
+import logging
+
+from airflow.security import permissions
+from airflow.www.app import create_app
+
+# revision identifiers, used by Alembic.
+revision = 'a13f7613ad25'
+down_revision = '2e42bb497a22'
+branch_labels = None
+depends_on = None
+
+
+mapping = {
+    ("PermissionModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PERMISSION),
+    ],
+    ("PermissionViewModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PERMISSION_VIEW),
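
Review bot: `from airflow.security import permissions` makes this migration depend on the current values of the `ACTION_*` and `RESOURCE_*` constants, so the contents of `mapping` change if a constant is later renamed, and a database migrated after that ends up with different permission names than one migrated today. Consider writing the action and resource names as string literals in `mapping` so the revision stays fixed.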

Review comment:
       Ah...Got







[GitHub] [airflow] ashb commented on pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
ashb commented on pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#issuecomment-811457323


   FYI: This PR and https://github.com/apache/airflow/pull/14840 "fight"





[GitHub] [airflow] ashb commented on a change in pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
ashb commented on a change in pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#discussion_r602457448



##########
File path: airflow/migrations/versions/a13f7613ad25_resource_based_permissions_for_default_.py
##########
@@ -0,0 +1,172 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""Resource based permissions for default FAB views.
+
+Revision ID: a13f7613ad25
+Revises: 2e42bb497a22
+Create Date: 2021-03-20 21:23:05.793378
+
+"""
+import logging
+
+from airflow.security import permissions
+from airflow.www.app import create_app
+
+# revision identifiers, used by Alembic.
+revision = 'a13f7613ad25'
+down_revision = '2e42bb497a22'
+branch_labels = None
+depends_on = None
+
+
+mapping = {
+    ("PermissionModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PERMISSION),
+    ],
+    ("PermissionViewModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PERMISSION_VIEW),
+    ],
+    ("ResetMyPasswordView", "can_this_form_get"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PASSWORD),
+    ],
+    ("ResetMyPasswordView", "can_this_form_post"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_MY_PASSWORD),
+    ],
+    ("ResetPasswordView", "can_this_form_get"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PASSWORD),
+    ],
+    ("ResetPasswordView", "can_this_form_post"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_PASSWORD),
+    ],
+    ("RoleModelView", "can_delete"): [
+        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_download"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_show"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_edit"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_add"): [
+        (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_ROLE),
+    ],
+    ("RoleModelView", "can_copyrole"): [
+        (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_ROLE),
+    ],
+    ("ViewMenuModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_add"): [
+        (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserDBModelView", "can_download"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_show"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "can_edit"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserDBModelView", "resetmypassword"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PASSWORD),
+    ],
+    ("UserDBModelView", "resetpasswords"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PASSWORD),
+    ],
+    ("UserDBModelView", "userinfoedit"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserDBModelView", "can_delete"): [
+        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_VIEW_MENU),
+    ],
+    ("UserInfoEditView", "can_this_form_get"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserInfoEditView", "can_this_form_post"): [
+        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserStatsChartView", "can_chart"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_USER_STATS_CHART),
+    ],
+    ("UserLDAPModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserOAuthModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserOIDModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("UserRemoteUserModelView", "can_userinfo"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
+    ],
+    ("DagRunModelView", "can_clear"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
+        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_TASK_INSTANCE),
+    ],
+}
+
+
+def remap_permissions():
+    """Apply Map Airflow view permissions."""
+    appbuilder = create_app(config={'FAB_UPDATE_PERMS': False}).appbuilder
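
Review bot: The `UserDBModelView` entries for `can_add`, `can_download`, `can_show`, `can_list`, `can_edit` and `can_delete` all map to `permissions.RESOURCE_VIEW_MENU`, the same resource used for `("ViewMenuModelView", "can_list")`, so after the migration user-management rights and view-menu read access land on one resource. The views.py change in this PR sets `_class_permission_name = permissions.RESOURCE_USER` on `CustomUserDBModelView`; these entries should probably target that resource too. Separately, the keys `"resetmypassword"`, `"resetpasswords"` and `"userinfoedit"` have no `can_` prefix while every other action key does; please confirm they match the permission names stored in the database, otherwise those rows are skipped silently.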

Review comment:
       Should we also set `conf.getboolean('webserver', 'UPDATE_FAB_PERMS'):` somehow?







[GitHub] [airflow] github-actions[bot] commented on pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#issuecomment-806229951


   [The Workflow run](https://github.com/apache/airflow/actions/runs/684652569) is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*.





[GitHub] [airflow] ephraimbuddy commented on a change in pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
ephraimbuddy commented on a change in pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#discussion_r600988349



##########
File path: airflow/migrations/versions/a13f7613ad25_resource_based_permissions_for_default_.py
##########
@@ -0,0 +1,172 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""Resource based permissions for default FAB views.
+
+Revision ID: a13f7613ad25
+Revises: 2e42bb497a22
+Create Date: 2021-03-20 21:23:05.793378
+
+"""
+import logging
+
+from airflow.security import permissions
+from airflow.www.app import create_app
+
+# revision identifiers, used by Alembic.
+revision = 'a13f7613ad25'
+down_revision = '2e42bb497a22'
+branch_labels = None
+depends_on = None
+
+
+mapping = {
+    ("PermissionModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PERMISSION),
+    ],
+    ("PermissionViewModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PERMISSION_VIEW),
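
Review bot: `from airflow.www.app import create_app` sits at module level, so the web application module is imported whenever Alembic loads this revision file, including runs that never execute this revision. Moving the import into the function that calls `create_app` keeps loading the revision cheap and confines any import-time failure to the upgrade path.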

Review comment:
       Wondering if there's a mistake here on using RESOURCE_PERMISSION_VIEW? 







[GitHub] [airflow] jhtimmins commented on a change in pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
jhtimmins commented on a change in pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#discussion_r611729062



##########
File path: airflow/www/views.py
##########
@@ -3806,3 +3822,204 @@ def autocomplete(self, session=None):
         payload = [row[0] for row in dag_ids_query.union(owners_query).limit(10).all()]
 
         return wwwutils.json_response(payload)
+
+
+class CustomPermissionModelView(PermissionModelView):
+    """Customize permission names for FAB's builtin PermissionModelView."""
+
+    class_permission_name = permissions.RESOURCE_PERMISSION
+    method_permission_name = {
+        'list': 'read',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_READ,
+    ]
+
+
+class CustomPermissionViewModelView(PermissionViewModelView):
+    """Customize permission names for FAB's builtin PermissionViewModelView."""
+
+    class_permission_name = permissions.RESOURCE_PERMISSION_VIEW
+    method_permission_name = {
+        'list': 'read',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_READ,
+    ]
+
+
+class CustomResetMyPasswordView(ResetMyPasswordView):
+    """Customize permission names for FAB's builtin ResetMyPasswordView."""
+
+    class_permission_name = permissions.RESOURCE_MY_PASSWORD
+    method_permission_name = {
+        'this_form_get': 'read',
+        'this_form_post': 'edit',
+    }
+    base_permissions = [permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ]
+
+
+class CustomResetPasswordView(ResetPasswordView):
+    """Customize permission names for FAB's builtin ResetPasswordView."""
+
+    class_permission_name = permissions.RESOURCE_PASSWORD
+    method_permission_name = {
+        'this_form_get': 'read',
+        'this_form_post': 'edit',
+    }
+
+    base_permissions = [permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ]
+
+
+class CustomRoleModelView(RoleModelView):
+    """Customize permission names for FAB's builtin RoleModelView."""
+
+    class_permission_name = permissions.RESOURCE_ROLE
+    method_permission_name = {
+        'delete': 'delete',
+        'download': 'read',
+        'show': 'read',
+        'list': 'read',
+        'edit': 'edit',
+        'add': 'create',
+        'copy_role': 'create',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_CREATE,
+        permissions.ACTION_CAN_READ,
+        permissions.ACTION_CAN_EDIT,
+        permissions.ACTION_CAN_DELETE,
+    ]
+
+
+class CustomViewMenuModelView(ViewMenuModelView):
+    """Customize permission names for FAB's builtin ViewMenuModelView."""
+
+    class_permission_name = permissions.RESOURCE_VIEW_MENU
+    method_permission_name = {
+        'list': 'read',
+    }
+    base_permissions = [
+        permissions.ACTION_CAN_READ,
+    ]
+
+
+class CustomUserDBModelView(UserDBModelView):
+    """Customize permission names for FAB's builtin UserDBModelView."""
+
+    _class_permission_name = permissions.RESOURCE_USER
+
+    class_permission_name_mapping = {
+        'resetmypassword': permissions.RESOURCE_MY_PASSWORD,
+        'resetpasswords': permissions.RESOURCE_PASSWORD,
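
Review bot: The docstrings of `CustomResetMyPasswordView` and `CustomResetPasswordView` differ only in the class name, and their resources (`RESOURCE_MY_PASSWORD`, `RESOURCE_PASSWORD`) differ only by `MY_`, so nothing in the code says which one covers the caller's own password and which covers other users' passwords. Please state the scope in each docstring and next to the `resetmypassword` / `resetpasswords` entries in `class_permission_name_mapping`, since granting the wrong one to a role is an easy mistake. A smaller point: the `method_permission_name` values are bare strings (`'read'`, `'edit'`, `'create'`, `'delete'`) while `base_permissions` uses the `permissions.ACTION_CAN_*` constants; a test asserting that every mapped action appears in `base_permissions` would keep the two in step.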

Review comment:
       `resetmypassword` just lets a user update their own password.
   
   `resetpasswords` lets them update any user's password, and should be limited to Admin-level users.







[GitHub] [airflow] github-actions[bot] commented on pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#issuecomment-818040805


   [The Workflow run](https://github.com/apache/airflow/actions/runs/742223803) is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*.





[GitHub] [airflow] jhtimmins edited a comment on pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
jhtimmins edited a comment on pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#issuecomment-811519584


   @ashb This updates the permission model, so #14840 will need to integrate these changes, which I'm happy to help with.
   Can you and @kaxil take a look?





[GitHub] [airflow] ephraimbuddy commented on a change in pull request #14946: Standardize default fab perms

Posted by GitBox <gi...@apache.org>.
ephraimbuddy commented on a change in pull request #14946:
URL: https://github.com/apache/airflow/pull/14946#discussion_r600989702



##########
File path: airflow/migrations/versions/a13f7613ad25_resource_based_permissions_for_default_.py
##########
@@ -0,0 +1,172 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""Resource based permissions for default FAB views.
+
+Revision ID: a13f7613ad25
+Revises: 2e42bb497a22
+Create Date: 2021-03-20 21:23:05.793378
+
+"""
+import logging
+
+from airflow.security import permissions
+from airflow.www.app import create_app
+
+# revision identifiers, used by Alembic.
+revision = 'a13f7613ad25'
+down_revision = '2e42bb497a22'
+branch_labels = None
+depends_on = None
+
+
+mapping = {
+    ("PermissionModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PERMISSION),
+    ],
+    ("PermissionViewModelView", "can_list"): [
+        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PERMISSION_VIEW),

Review comment:
       Ah...Got it



