From 8d5daa0dd7ddd7c470474c820a94acd39bb08595 Mon Sep 17 00:00:00 2001 From: vincbeck Date: Fri, 20 Sep 2024 17:15:52 -0400 Subject: [PATCH 1/8] Simple auth manager documentation --- .../auth-manager/index.rst | 5 +- .../auth-manager/index.rst | 4 + .../core-concepts/auth-manager.rst | 179 ------------------ .../core-concepts/auth-manager/index.rst | 6 +- .../core-concepts/auth-manager/simple.rst | 4 + 5 files changed, 16 insertions(+), 182 deletions(-) delete mode 100644 docs/apache-airflow/core-concepts/auth-manager.rst diff --git a/docs/apache-airflow-providers-amazon/auth-manager/index.rst b/docs/apache-airflow-providers-amazon/auth-manager/index.rst index 7d9b226037cf..d83c69ba09e9 100644 --- a/docs/apache-airflow-providers-amazon/auth-manager/index.rst +++ b/docs/apache-airflow-providers-amazon/auth-manager/index.rst @@ -22,8 +22,9 @@ AWS auth manager .. warning:: The AWS auth manager is alpha/experimental at the moment and may be subject to change without warning. -Before reading this, you should be familiar with the concept of auth manager. -See :doc:`apache-airflow:core-concepts/auth-manager`. +.. note:: + Before reading this, you should be familiar with the concept of auth manager. + See :doc:`apache-airflow:core-concepts/auth-manager/index`. The AWS auth manager is an auth manager powered by AWS. It uses two services: diff --git a/docs/apache-airflow-providers-fab/auth-manager/index.rst b/docs/apache-airflow-providers-fab/auth-manager/index.rst index 8d19ff56498d..d8d1a06adae5 100644 --- a/docs/apache-airflow-providers-fab/auth-manager/index.rst +++ b/docs/apache-airflow-providers-fab/auth-manager/index.rst @@ -18,6 +18,10 @@ Flask AppBuilder (FAB) auth manager =================================== +.. note:: + Before reading this, you should be familiar with the concept of auth manager. + See :doc:`apache-airflow:core-concepts/auth-manager/index`. + FAB auth (for authentication/authorization) manager is the auth manager that comes by default with Airflow. This auth manager defines the user authentication and user authorization by default in Airflow. The backend used to store all entities used by the FAB auth manager is the Airflow database: :doc:`apache-airflow:database-erd-ref`. diff --git a/docs/apache-airflow/core-concepts/auth-manager.rst b/docs/apache-airflow/core-concepts/auth-manager.rst deleted file mode 100644 index 521264fd78ba..000000000000 --- a/docs/apache-airflow/core-concepts/auth-manager.rst +++ /dev/null @@ -1,179 +0,0 @@ - .. Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - .. http://www.apache.org/licenses/LICENSE-2.0 - - .. Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. - -Auth manager -============ - -Auth (for authentication/authorization) manager is the component in Airflow to handle user authentication and user authorization. They have a common -API and are "pluggable", meaning you can swap auth managers based on your installation needs. - -.. image:: ../img/diagram_auth_manager_airflow_architecture.png - -Airflow can only have one auth manager configured at a time; this is set by the ``auth_manager`` option in the -``[core]`` section of :doc:`the configuration file `. - -.. note:: - For more information on Airflow's configuration, see :doc:`/howto/set-config`. - -If you want to check which auth manager is currently set, you can use the -``airflow config get-value core auth_manager`` command: - -.. code-block:: bash - - $ airflow config get-value core auth_manager - airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager - - -Why pluggable auth managers? ----------------------------- - -Airflow is used by a lot of different users with a lot of different configurations. Some Airflow environment might be -used by only one user and some might be used by thousand of users. An Airflow environment with only one (or very few) -users does not need the same user management as an environment used by thousand of them. - -This is why the whole user management (user authentication and user authorization) is packaged in one component -called auth manager. So that it is easy to plug-and-play an auth manager that suits your specific needs. - -By default, Airflow comes with the :doc:`apache-airflow-providers-fab:auth-manager/index`. - -.. note:: - Switching to a different auth manager is a heavy operation and should be considered as such. It will - impact users of the environment. The sign-in and sign-off experience will very likely change and disturb them if - they are not advised. Plus, all current users and permissions will have to be copied over from the previous auth - manager to the next. - -Writing your own auth manager ------------------------------ - -All Airflow auth managers implement a common interface so that they are pluggable and any auth manager has access -to all abilities and integrations within Airflow. This interface is used across Airflow to perform all user -authentication and user authorization related operation. - -The public interface is :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager`. -You can look through the code for the most detailed and up to date interface, but some important highlights are -outlined below. - -.. note:: - For more information about Airflow's public interface see :doc:`/public-airflow-interface`. - -Some reasons you may want to write a custom auth manager include: - -* An auth manager does not exist which fits your specific use case, such as a specific tool or service for user management. -* You'd like to use an auth manager that leverages an identity provider from your preferred cloud provider. -* You have a private user management tool that is only available to you or your organization. - - -Authentication related BaseAuthManager methods -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* ``is_logged_in``: Return whether the user is signed-in. -* ``get_user``: Return the signed-in user. -* ``get_url_login``: Return the URL the user is redirected to for signing in. -* ``get_url_logout``: Return the URL the user is redirected to for signing out. - -Authorization related BaseAuthManager methods -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Most of authorization methods in :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager` look the same. -Let's go over the different parameters used by most of these methods. - -* ``method``: Use HTTP method naming to determine the type of action being done on a specific resource. - - * ``GET``: Can the user read the resource? - * ``POST``: Can the user create a resource? - * ``PUT``: Can the user modify the resource? - * ``DELETE``: Can the user delete the resource? - * ``MENU``: Can the user see the resource in the menu? - -* ``details``: Optional details about the resource being accessed. -* ``user``: The user trying to access the resource. - -These authorization methods are: - -* ``is_authorized_configuration``: Return whether the user is authorized to access Airflow configuration. Some details about the configuration can be provided (e.g. the config section). -* ``is_authorized_connection``: Return whether the user is authorized to access Airflow connections. Some details about the connection can be provided (e.g. the connection ID). -* ``is_authorized_dag``: Return whether the user is authorized to access a DAG. Some details about the DAG can be provided (e.g. the DAG ID). - Also, ``is_authorized_dag`` is called for any entity related to DAGs (e.g. task instances, dag runs, ...). This information is passed in ``access_entity``. - Example: ``auth_manager.is_authorized_dag(method="GET", access_entity=DagAccessEntity.Run, details=DagDetails(id="dag-1"))`` asks - whether the user has permission to read the Dag runs of the dag "dag-1". -* ``is_authorized_dataset``: Return whether the user is authorized to access Airflow datasets. Some details about the dataset can be provided (e.g. the dataset uri). -* ``is_authorized_pool``: Return whether the user is authorized to access Airflow pools. Some details about the pool can be provided (e.g. the pool name). -* ``is_authorized_variable``: Return whether the user is authorized to access Airflow variables. Some details about the variable can be provided (e.g. the variable key). -* ``is_authorized_view``: Return whether the user is authorized to access a specific view in Airflow. The view is specified through ``access_view`` (e.g. ``AccessView.CLUSTER_ACTIVITY``). -* ``is_authorized_custom_view``: Return whether the user is authorized to access a specific view not defined in Airflow. This view can be provided by the auth manager itself or a plugin defined by the user. - -Optional methods recommended to override for optimization -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The following methods aren't required to override to have a functional Airflow auth manager. However, it is recommended to override these to make your auth manager faster (and potentially less costly): - -* ``batch_is_authorized_dag``: Batch version of ``is_authorized_dag``. If not overridden, it will call ``is_authorized_dag`` for every single item. -* ``batch_is_authorized_connection``: Batch version of ``is_authorized_connection``. If not overridden, it will call ``is_authorized_connection`` for every single item. -* ``batch_is_authorized_pool``: Batch version of ``is_authorized_pool``. If not overridden, it will call ``is_authorized_pool`` for every single item. -* ``batch_is_authorized_variable``: Batch version of ``is_authorized_variable``. If not overridden, it will call ``is_authorized_variable`` for every single item. -* ``get_permitted_dag_ids``: Return the list of DAG IDs the user has access to. If not overridden, it will call ``is_authorized_dag`` for every single DAG available in the environment. -* ``filter_permitted_menu_items``: Return the menu items the user has access to. If not overridden, it will call ``has_access`` in :class:`~airflow.www.security_manager.AirflowSecurityManagerV2` for every single menu item. - -CLI -^^^ - -Auth managers may vend CLI commands which will be included in the ``airflow`` command line tool by implementing the ``get_cli_commands`` method. The commands can be used to setup required resources. Commands are only vended for the currently configured auth manager. A pseudo-code example of implementing CLI command vending from an auth manager can be seen below: - -.. code-block:: python - - @staticmethod - def get_cli_commands() -> list[CLICommand]: - sub_commands = [ - ActionCommand( - name="command_name", - help="Description of what this specific command does", - func=lazy_load_command("path.to.python.function.for.command"), - args=(), - ), - ] - - return [ - GroupCommand( - name="my_cool_auth_manager", - help="Description of what this group of commands do", - subcommands=sub_commands, - ), - ] - -.. note:: - Currently there are no strict rules in place for the Airflow command namespace. It is up to developers to use names for their CLI commands that are sufficiently unique so as to not cause conflicts with other Airflow components. - -.. note:: - When creating a new auth manager, or updating any existing auth manager, be sure to not import or execute any expensive operations/code at the module level. Auth manager classes are imported in several places and if they are slow to import this will negatively impact the performance of your Airflow environment, especially for CLI commands. - -Rest API -^^^^^^^^ - -Auth managers may vend Rest API endpoints which will be included in the :doc:`/stable-rest-api-ref` by implementing the ``get_api_endpoints`` method. The endpoints can be used to manage resources such as users, groups, roles (if any) handled by your auth manager. Endpoints are only vended for the currently configured auth manager. - -Next Steps -^^^^^^^^^^ - -Once you have created a new auth manager class implementing the :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager` interface, you can configure Airflow to use it by setting the ``core.auth_manager`` configuration value to the module path of your auth manager: - -.. code-block:: ini - - [core] - auth_manager = my_company.auth_managers.MyCustomAuthManager - -.. note:: - For more information on Airflow's configuration, see :doc:`/howto/set-config` and for more information on managing Python modules in Airflow see :doc:`/administration-and-deployment/modules_management`. diff --git a/docs/apache-airflow/core-concepts/auth-manager/index.rst b/docs/apache-airflow/core-concepts/auth-manager/index.rst index cf64a8e96000..c802b3f7d14d 100644 --- a/docs/apache-airflow/core-concepts/auth-manager/index.rst +++ b/docs/apache-airflow/core-concepts/auth-manager/index.rst @@ -21,7 +21,11 @@ Auth manager Auth (for authentication/authorization) manager is the component in Airflow to handle user authentication and user authorization. They have a common API and are "pluggable", meaning you can swap auth managers based on your installation needs. +<<<<<<< HEAD .. image:: ../../img/diagram_auth_manager_airflow_architecture.png +======= +.. image:: ../img/diagram_auth_manager_airflow_architecture.png +>>>>>>> 7a07034b61 (Simple auth manager documentation) Airflow can only have one auth manager configured at a time; this is set by the ``auth_manager`` option in the ``[core]`` section of :doc:`the configuration file `. @@ -49,7 +53,7 @@ Provided by Airflow: simple -Provided by providers +Provided by providers: * :doc:`apache-airflow-providers-fab:auth-manager/index` * :doc:`apache-airflow-providers-amazon:auth-manager/index` diff --git a/docs/apache-airflow/core-concepts/auth-manager/simple.rst b/docs/apache-airflow/core-concepts/auth-manager/simple.rst index bef2e5032f0d..3c4c1a314164 100644 --- a/docs/apache-airflow/core-concepts/auth-manager/simple.rst +++ b/docs/apache-airflow/core-concepts/auth-manager/simple.rst @@ -48,7 +48,11 @@ Each user needs two pieces of information: * **username**. The user's username * **role**. The role associated to the user. For more information about these roles, :ref:`see next section `. +<<<<<<< HEAD The password is auto-generated for each user and printed out in the webserver logs. +======= +The password is auto-generated for each users and printed out in the webserver logs. +>>>>>>> 7a07034b61 (Simple auth manager documentation) When generated, these passwords are also saved in your environment, therefore they will not change if you stop or restart your environment. .. _roles-permissions: From 4fb52df705ddf0cd69c07654953d8db9acf14957 Mon Sep 17 00:00:00 2001 From: Vincent <97131062+vincbeck@users.noreply.github.com> Date: Mon, 23 Sep 2024 11:01:18 -0400 Subject: [PATCH 2/8] Update docs/apache-airflow/core-concepts/auth-manager/simple.rst Co-authored-by: Niko Oliveira --- docs/apache-airflow/core-concepts/auth-manager/simple.rst | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/apache-airflow/core-concepts/auth-manager/simple.rst b/docs/apache-airflow/core-concepts/auth-manager/simple.rst index 3c4c1a314164..bef2e5032f0d 100644 --- a/docs/apache-airflow/core-concepts/auth-manager/simple.rst +++ b/docs/apache-airflow/core-concepts/auth-manager/simple.rst @@ -48,11 +48,7 @@ Each user needs two pieces of information: * **username**. The user's username * **role**. The role associated to the user. For more information about these roles, :ref:`see next section `. -<<<<<<< HEAD The password is auto-generated for each user and printed out in the webserver logs. -======= -The password is auto-generated for each users and printed out in the webserver logs. ->>>>>>> 7a07034b61 (Simple auth manager documentation) When generated, these passwords are also saved in your environment, therefore they will not change if you stop or restart your environment. .. _roles-permissions: From 9d39d34fcf9566aef5d7a0b87a544a221fee26ef Mon Sep 17 00:00:00 2001 From: vincbeck Date: Mon, 23 Sep 2024 11:25:49 -0400 Subject: [PATCH 3/8] Fix docs --- docs/apache-airflow/core-concepts/auth-manager/index.rst | 4 ++++ docs/apache-airflow/core-concepts/index.rst | 1 - 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/apache-airflow/core-concepts/auth-manager/index.rst b/docs/apache-airflow/core-concepts/auth-manager/index.rst index c802b3f7d14d..e7b7fa764fea 100644 --- a/docs/apache-airflow/core-concepts/auth-manager/index.rst +++ b/docs/apache-airflow/core-concepts/auth-manager/index.rst @@ -21,11 +21,15 @@ Auth manager Auth (for authentication/authorization) manager is the component in Airflow to handle user authentication and user authorization. They have a common API and are "pluggable", meaning you can swap auth managers based on your installation needs. +<<<<<<< HEAD <<<<<<< HEAD .. image:: ../../img/diagram_auth_manager_airflow_architecture.png ======= .. image:: ../img/diagram_auth_manager_airflow_architecture.png >>>>>>> 7a07034b61 (Simple auth manager documentation) +======= +.. image:: ../../img/diagram_auth_manager_airflow_architecture.png +>>>>>>> b741090a8f (Fix docs) Airflow can only have one auth manager configured at a time; this is set by the ``auth_manager`` option in the ``[core]`` section of :doc:`the configuration file `. diff --git a/docs/apache-airflow/core-concepts/index.rst b/docs/apache-airflow/core-concepts/index.rst index 739111d4be09..0fded6ba495f 100644 --- a/docs/apache-airflow/core-concepts/index.rst +++ b/docs/apache-airflow/core-concepts/index.rst @@ -40,7 +40,6 @@ Here you can find detailed documentation about each one of the core concepts of sensors taskflow executor/index - auth-manager auth-manager/index objectstorage From b61c07ee2a7a82c7f8936efa6718634dea294e20 Mon Sep 17 00:00:00 2001 From: vincbeck Date: Mon, 23 Sep 2024 13:17:44 -0400 Subject: [PATCH 4/8] Undo changes in providers --- .../auth-manager/index.rst | 5 +- .../auth-manager/index.rst | 4 - .../core-concepts/auth-manager.rst | 179 ++++++++++++++++++ 3 files changed, 181 insertions(+), 7 deletions(-) create mode 100644 docs/apache-airflow/core-concepts/auth-manager.rst diff --git a/docs/apache-airflow-providers-amazon/auth-manager/index.rst b/docs/apache-airflow-providers-amazon/auth-manager/index.rst index d83c69ba09e9..7d9b226037cf 100644 --- a/docs/apache-airflow-providers-amazon/auth-manager/index.rst +++ b/docs/apache-airflow-providers-amazon/auth-manager/index.rst @@ -22,9 +22,8 @@ AWS auth manager .. warning:: The AWS auth manager is alpha/experimental at the moment and may be subject to change without warning. -.. note:: - Before reading this, you should be familiar with the concept of auth manager. - See :doc:`apache-airflow:core-concepts/auth-manager/index`. +Before reading this, you should be familiar with the concept of auth manager. +See :doc:`apache-airflow:core-concepts/auth-manager`. The AWS auth manager is an auth manager powered by AWS. It uses two services: diff --git a/docs/apache-airflow-providers-fab/auth-manager/index.rst b/docs/apache-airflow-providers-fab/auth-manager/index.rst index d8d1a06adae5..8d19ff56498d 100644 --- a/docs/apache-airflow-providers-fab/auth-manager/index.rst +++ b/docs/apache-airflow-providers-fab/auth-manager/index.rst @@ -18,10 +18,6 @@ Flask AppBuilder (FAB) auth manager =================================== -.. note:: - Before reading this, you should be familiar with the concept of auth manager. - See :doc:`apache-airflow:core-concepts/auth-manager/index`. - FAB auth (for authentication/authorization) manager is the auth manager that comes by default with Airflow. This auth manager defines the user authentication and user authorization by default in Airflow. The backend used to store all entities used by the FAB auth manager is the Airflow database: :doc:`apache-airflow:database-erd-ref`. diff --git a/docs/apache-airflow/core-concepts/auth-manager.rst b/docs/apache-airflow/core-concepts/auth-manager.rst new file mode 100644 index 000000000000..521264fd78ba --- /dev/null +++ b/docs/apache-airflow/core-concepts/auth-manager.rst @@ -0,0 +1,179 @@ + .. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + .. http://www.apache.org/licenses/LICENSE-2.0 + + .. Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + +Auth manager +============ + +Auth (for authentication/authorization) manager is the component in Airflow to handle user authentication and user authorization. They have a common +API and are "pluggable", meaning you can swap auth managers based on your installation needs. + +.. image:: ../img/diagram_auth_manager_airflow_architecture.png + +Airflow can only have one auth manager configured at a time; this is set by the ``auth_manager`` option in the +``[core]`` section of :doc:`the configuration file `. + +.. note:: + For more information on Airflow's configuration, see :doc:`/howto/set-config`. + +If you want to check which auth manager is currently set, you can use the +``airflow config get-value core auth_manager`` command: + +.. code-block:: bash + + $ airflow config get-value core auth_manager + airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager + + +Why pluggable auth managers? +---------------------------- + +Airflow is used by a lot of different users with a lot of different configurations. Some Airflow environment might be +used by only one user and some might be used by thousand of users. An Airflow environment with only one (or very few) +users does not need the same user management as an environment used by thousand of them. + +This is why the whole user management (user authentication and user authorization) is packaged in one component +called auth manager. So that it is easy to plug-and-play an auth manager that suits your specific needs. + +By default, Airflow comes with the :doc:`apache-airflow-providers-fab:auth-manager/index`. + +.. note:: + Switching to a different auth manager is a heavy operation and should be considered as such. It will + impact users of the environment. The sign-in and sign-off experience will very likely change and disturb them if + they are not advised. Plus, all current users and permissions will have to be copied over from the previous auth + manager to the next. + +Writing your own auth manager +----------------------------- + +All Airflow auth managers implement a common interface so that they are pluggable and any auth manager has access +to all abilities and integrations within Airflow. This interface is used across Airflow to perform all user +authentication and user authorization related operation. + +The public interface is :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager`. +You can look through the code for the most detailed and up to date interface, but some important highlights are +outlined below. + +.. note:: + For more information about Airflow's public interface see :doc:`/public-airflow-interface`. + +Some reasons you may want to write a custom auth manager include: + +* An auth manager does not exist which fits your specific use case, such as a specific tool or service for user management. +* You'd like to use an auth manager that leverages an identity provider from your preferred cloud provider. +* You have a private user management tool that is only available to you or your organization. + + +Authentication related BaseAuthManager methods +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* ``is_logged_in``: Return whether the user is signed-in. +* ``get_user``: Return the signed-in user. +* ``get_url_login``: Return the URL the user is redirected to for signing in. +* ``get_url_logout``: Return the URL the user is redirected to for signing out. + +Authorization related BaseAuthManager methods +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Most of authorization methods in :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager` look the same. +Let's go over the different parameters used by most of these methods. + +* ``method``: Use HTTP method naming to determine the type of action being done on a specific resource. + + * ``GET``: Can the user read the resource? + * ``POST``: Can the user create a resource? + * ``PUT``: Can the user modify the resource? + * ``DELETE``: Can the user delete the resource? + * ``MENU``: Can the user see the resource in the menu? + +* ``details``: Optional details about the resource being accessed. +* ``user``: The user trying to access the resource. + +These authorization methods are: + +* ``is_authorized_configuration``: Return whether the user is authorized to access Airflow configuration. Some details about the configuration can be provided (e.g. the config section). +* ``is_authorized_connection``: Return whether the user is authorized to access Airflow connections. Some details about the connection can be provided (e.g. the connection ID). +* ``is_authorized_dag``: Return whether the user is authorized to access a DAG. Some details about the DAG can be provided (e.g. the DAG ID). + Also, ``is_authorized_dag`` is called for any entity related to DAGs (e.g. task instances, dag runs, ...). This information is passed in ``access_entity``. + Example: ``auth_manager.is_authorized_dag(method="GET", access_entity=DagAccessEntity.Run, details=DagDetails(id="dag-1"))`` asks + whether the user has permission to read the Dag runs of the dag "dag-1". +* ``is_authorized_dataset``: Return whether the user is authorized to access Airflow datasets. Some details about the dataset can be provided (e.g. the dataset uri). +* ``is_authorized_pool``: Return whether the user is authorized to access Airflow pools. Some details about the pool can be provided (e.g. the pool name). +* ``is_authorized_variable``: Return whether the user is authorized to access Airflow variables. Some details about the variable can be provided (e.g. the variable key). +* ``is_authorized_view``: Return whether the user is authorized to access a specific view in Airflow. The view is specified through ``access_view`` (e.g. ``AccessView.CLUSTER_ACTIVITY``). +* ``is_authorized_custom_view``: Return whether the user is authorized to access a specific view not defined in Airflow. This view can be provided by the auth manager itself or a plugin defined by the user. + +Optional methods recommended to override for optimization +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The following methods aren't required to override to have a functional Airflow auth manager. However, it is recommended to override these to make your auth manager faster (and potentially less costly): + +* ``batch_is_authorized_dag``: Batch version of ``is_authorized_dag``. If not overridden, it will call ``is_authorized_dag`` for every single item. +* ``batch_is_authorized_connection``: Batch version of ``is_authorized_connection``. If not overridden, it will call ``is_authorized_connection`` for every single item. +* ``batch_is_authorized_pool``: Batch version of ``is_authorized_pool``. If not overridden, it will call ``is_authorized_pool`` for every single item. +* ``batch_is_authorized_variable``: Batch version of ``is_authorized_variable``. If not overridden, it will call ``is_authorized_variable`` for every single item. +* ``get_permitted_dag_ids``: Return the list of DAG IDs the user has access to. If not overridden, it will call ``is_authorized_dag`` for every single DAG available in the environment. +* ``filter_permitted_menu_items``: Return the menu items the user has access to. If not overridden, it will call ``has_access`` in :class:`~airflow.www.security_manager.AirflowSecurityManagerV2` for every single menu item. + +CLI +^^^ + +Auth managers may vend CLI commands which will be included in the ``airflow`` command line tool by implementing the ``get_cli_commands`` method. The commands can be used to setup required resources. Commands are only vended for the currently configured auth manager. A pseudo-code example of implementing CLI command vending from an auth manager can be seen below: + +.. code-block:: python + + @staticmethod + def get_cli_commands() -> list[CLICommand]: + sub_commands = [ + ActionCommand( + name="command_name", + help="Description of what this specific command does", + func=lazy_load_command("path.to.python.function.for.command"), + args=(), + ), + ] + + return [ + GroupCommand( + name="my_cool_auth_manager", + help="Description of what this group of commands do", + subcommands=sub_commands, + ), + ] + +.. note:: + Currently there are no strict rules in place for the Airflow command namespace. It is up to developers to use names for their CLI commands that are sufficiently unique so as to not cause conflicts with other Airflow components. + +.. note:: + When creating a new auth manager, or updating any existing auth manager, be sure to not import or execute any expensive operations/code at the module level. Auth manager classes are imported in several places and if they are slow to import this will negatively impact the performance of your Airflow environment, especially for CLI commands. + +Rest API +^^^^^^^^ + +Auth managers may vend Rest API endpoints which will be included in the :doc:`/stable-rest-api-ref` by implementing the ``get_api_endpoints`` method. The endpoints can be used to manage resources such as users, groups, roles (if any) handled by your auth manager. Endpoints are only vended for the currently configured auth manager. + +Next Steps +^^^^^^^^^^ + +Once you have created a new auth manager class implementing the :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager` interface, you can configure Airflow to use it by setting the ``core.auth_manager`` configuration value to the module path of your auth manager: + +.. code-block:: ini + + [core] + auth_manager = my_company.auth_managers.MyCustomAuthManager + +.. note:: + For more information on Airflow's configuration, see :doc:`/howto/set-config` and for more information on managing Python modules in Airflow see :doc:`/administration-and-deployment/modules_management`. From 2bfcd4f6ab095217df88fad6500ce68aa4bb5dc1 Mon Sep 17 00:00:00 2001 From: vincbeck Date: Mon, 23 Sep 2024 13:30:49 -0400 Subject: [PATCH 5/8] Add deprecated page to toctree --- docs/apache-airflow-providers-amazon/index.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/apache-airflow-providers-amazon/index.rst b/docs/apache-airflow-providers-amazon/index.rst index c58847dcd887..4ffbfb005e45 100644 --- a/docs/apache-airflow-providers-amazon/index.rst +++ b/docs/apache-airflow-providers-amazon/index.rst @@ -42,6 +42,7 @@ Logging for Tasks Configuration Executors + Auth manager Auth manager CLI From e5acc252eba50afa90d23e22092a50688d23edcd Mon Sep 17 00:00:00 2001 From: vincbeck Date: Mon, 23 Sep 2024 13:50:49 -0400 Subject: [PATCH 6/8] Fix --- docs/apache-airflow-providers-amazon/index.rst | 1 - docs/apache-airflow/core-concepts/index.rst | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/apache-airflow-providers-amazon/index.rst b/docs/apache-airflow-providers-amazon/index.rst index 4ffbfb005e45..c58847dcd887 100644 --- a/docs/apache-airflow-providers-amazon/index.rst +++ b/docs/apache-airflow-providers-amazon/index.rst @@ -42,7 +42,6 @@ Logging for Tasks Configuration Executors - Auth manager Auth manager CLI diff --git a/docs/apache-airflow/core-concepts/index.rst b/docs/apache-airflow/core-concepts/index.rst index 0fded6ba495f..739111d4be09 100644 --- a/docs/apache-airflow/core-concepts/index.rst +++ b/docs/apache-airflow/core-concepts/index.rst @@ -40,6 +40,7 @@ Here you can find detailed documentation about each one of the core concepts of sensors taskflow executor/index + auth-manager auth-manager/index objectstorage From abd2481ddcc5822e0e6bf1eeb636ce302bb7b242 Mon Sep 17 00:00:00 2001 From: vincbeck Date: Mon, 23 Sep 2024 15:45:53 -0400 Subject: [PATCH 7/8] Simple auth manager documentation - Providers --- .../auth-manager/index.rst | 5 +- .../auth-manager/index.rst | 4 + .../core-concepts/auth-manager.rst | 179 ------------------ .../core-concepts/auth-manager/index.rst | 8 - docs/apache-airflow/core-concepts/index.rst | 1 - 5 files changed, 7 insertions(+), 190 deletions(-) delete mode 100644 docs/apache-airflow/core-concepts/auth-manager.rst diff --git a/docs/apache-airflow-providers-amazon/auth-manager/index.rst b/docs/apache-airflow-providers-amazon/auth-manager/index.rst index 7d9b226037cf..d83c69ba09e9 100644 --- a/docs/apache-airflow-providers-amazon/auth-manager/index.rst +++ b/docs/apache-airflow-providers-amazon/auth-manager/index.rst @@ -22,8 +22,9 @@ AWS auth manager .. warning:: The AWS auth manager is alpha/experimental at the moment and may be subject to change without warning. -Before reading this, you should be familiar with the concept of auth manager. -See :doc:`apache-airflow:core-concepts/auth-manager`. +.. note:: + Before reading this, you should be familiar with the concept of auth manager. + See :doc:`apache-airflow:core-concepts/auth-manager/index`. The AWS auth manager is an auth manager powered by AWS. It uses two services: diff --git a/docs/apache-airflow-providers-fab/auth-manager/index.rst b/docs/apache-airflow-providers-fab/auth-manager/index.rst index 8d19ff56498d..d8d1a06adae5 100644 --- a/docs/apache-airflow-providers-fab/auth-manager/index.rst +++ b/docs/apache-airflow-providers-fab/auth-manager/index.rst @@ -18,6 +18,10 @@ Flask AppBuilder (FAB) auth manager =================================== +.. note:: + Before reading this, you should be familiar with the concept of auth manager. + See :doc:`apache-airflow:core-concepts/auth-manager/index`. + FAB auth (for authentication/authorization) manager is the auth manager that comes by default with Airflow. This auth manager defines the user authentication and user authorization by default in Airflow. The backend used to store all entities used by the FAB auth manager is the Airflow database: :doc:`apache-airflow:database-erd-ref`. diff --git a/docs/apache-airflow/core-concepts/auth-manager.rst b/docs/apache-airflow/core-concepts/auth-manager.rst deleted file mode 100644 index 521264fd78ba..000000000000 --- a/docs/apache-airflow/core-concepts/auth-manager.rst +++ /dev/null @@ -1,179 +0,0 @@ - .. Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - .. http://www.apache.org/licenses/LICENSE-2.0 - - .. Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. - -Auth manager -============ - -Auth (for authentication/authorization) manager is the component in Airflow to handle user authentication and user authorization. They have a common -API and are "pluggable", meaning you can swap auth managers based on your installation needs. - -.. image:: ../img/diagram_auth_manager_airflow_architecture.png - -Airflow can only have one auth manager configured at a time; this is set by the ``auth_manager`` option in the -``[core]`` section of :doc:`the configuration file `. - -.. note:: - For more information on Airflow's configuration, see :doc:`/howto/set-config`. - -If you want to check which auth manager is currently set, you can use the -``airflow config get-value core auth_manager`` command: - -.. code-block:: bash - - $ airflow config get-value core auth_manager - airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager - - -Why pluggable auth managers? ----------------------------- - -Airflow is used by a lot of different users with a lot of different configurations. Some Airflow environment might be -used by only one user and some might be used by thousand of users. An Airflow environment with only one (or very few) -users does not need the same user management as an environment used by thousand of them. - -This is why the whole user management (user authentication and user authorization) is packaged in one component -called auth manager. So that it is easy to plug-and-play an auth manager that suits your specific needs. - -By default, Airflow comes with the :doc:`apache-airflow-providers-fab:auth-manager/index`. - -.. note:: - Switching to a different auth manager is a heavy operation and should be considered as such. It will - impact users of the environment. The sign-in and sign-off experience will very likely change and disturb them if - they are not advised. Plus, all current users and permissions will have to be copied over from the previous auth - manager to the next. - -Writing your own auth manager ------------------------------ - -All Airflow auth managers implement a common interface so that they are pluggable and any auth manager has access -to all abilities and integrations within Airflow. This interface is used across Airflow to perform all user -authentication and user authorization related operation. - -The public interface is :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager`. -You can look through the code for the most detailed and up to date interface, but some important highlights are -outlined below. - -.. note:: - For more information about Airflow's public interface see :doc:`/public-airflow-interface`. - -Some reasons you may want to write a custom auth manager include: - -* An auth manager does not exist which fits your specific use case, such as a specific tool or service for user management. -* You'd like to use an auth manager that leverages an identity provider from your preferred cloud provider. -* You have a private user management tool that is only available to you or your organization. - - -Authentication related BaseAuthManager methods -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* ``is_logged_in``: Return whether the user is signed-in. -* ``get_user``: Return the signed-in user. -* ``get_url_login``: Return the URL the user is redirected to for signing in. -* ``get_url_logout``: Return the URL the user is redirected to for signing out. - -Authorization related BaseAuthManager methods -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Most of authorization methods in :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager` look the same. -Let's go over the different parameters used by most of these methods. - -* ``method``: Use HTTP method naming to determine the type of action being done on a specific resource. - - * ``GET``: Can the user read the resource? - * ``POST``: Can the user create a resource? - * ``PUT``: Can the user modify the resource? - * ``DELETE``: Can the user delete the resource? - * ``MENU``: Can the user see the resource in the menu? - -* ``details``: Optional details about the resource being accessed. -* ``user``: The user trying to access the resource. - -These authorization methods are: - -* ``is_authorized_configuration``: Return whether the user is authorized to access Airflow configuration. Some details about the configuration can be provided (e.g. the config section). -* ``is_authorized_connection``: Return whether the user is authorized to access Airflow connections. Some details about the connection can be provided (e.g. the connection ID). -* ``is_authorized_dag``: Return whether the user is authorized to access a DAG. Some details about the DAG can be provided (e.g. the DAG ID). - Also, ``is_authorized_dag`` is called for any entity related to DAGs (e.g. task instances, dag runs, ...). This information is passed in ``access_entity``. - Example: ``auth_manager.is_authorized_dag(method="GET", access_entity=DagAccessEntity.Run, details=DagDetails(id="dag-1"))`` asks - whether the user has permission to read the Dag runs of the dag "dag-1". -* ``is_authorized_dataset``: Return whether the user is authorized to access Airflow datasets. Some details about the dataset can be provided (e.g. the dataset uri). -* ``is_authorized_pool``: Return whether the user is authorized to access Airflow pools. Some details about the pool can be provided (e.g. the pool name). -* ``is_authorized_variable``: Return whether the user is authorized to access Airflow variables. Some details about the variable can be provided (e.g. the variable key). -* ``is_authorized_view``: Return whether the user is authorized to access a specific view in Airflow. The view is specified through ``access_view`` (e.g. ``AccessView.CLUSTER_ACTIVITY``). -* ``is_authorized_custom_view``: Return whether the user is authorized to access a specific view not defined in Airflow. This view can be provided by the auth manager itself or a plugin defined by the user. - -Optional methods recommended to override for optimization -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The following methods aren't required to override to have a functional Airflow auth manager. However, it is recommended to override these to make your auth manager faster (and potentially less costly): - -* ``batch_is_authorized_dag``: Batch version of ``is_authorized_dag``. If not overridden, it will call ``is_authorized_dag`` for every single item. -* ``batch_is_authorized_connection``: Batch version of ``is_authorized_connection``. If not overridden, it will call ``is_authorized_connection`` for every single item. -* ``batch_is_authorized_pool``: Batch version of ``is_authorized_pool``. If not overridden, it will call ``is_authorized_pool`` for every single item. -* ``batch_is_authorized_variable``: Batch version of ``is_authorized_variable``. If not overridden, it will call ``is_authorized_variable`` for every single item. -* ``get_permitted_dag_ids``: Return the list of DAG IDs the user has access to. If not overridden, it will call ``is_authorized_dag`` for every single DAG available in the environment. -* ``filter_permitted_menu_items``: Return the menu items the user has access to. If not overridden, it will call ``has_access`` in :class:`~airflow.www.security_manager.AirflowSecurityManagerV2` for every single menu item. - -CLI -^^^ - -Auth managers may vend CLI commands which will be included in the ``airflow`` command line tool by implementing the ``get_cli_commands`` method. The commands can be used to setup required resources. Commands are only vended for the currently configured auth manager. A pseudo-code example of implementing CLI command vending from an auth manager can be seen below: - -.. code-block:: python - - @staticmethod - def get_cli_commands() -> list[CLICommand]: - sub_commands = [ - ActionCommand( - name="command_name", - help="Description of what this specific command does", - func=lazy_load_command("path.to.python.function.for.command"), - args=(), - ), - ] - - return [ - GroupCommand( - name="my_cool_auth_manager", - help="Description of what this group of commands do", - subcommands=sub_commands, - ), - ] - -.. note:: - Currently there are no strict rules in place for the Airflow command namespace. It is up to developers to use names for their CLI commands that are sufficiently unique so as to not cause conflicts with other Airflow components. - -.. note:: - When creating a new auth manager, or updating any existing auth manager, be sure to not import or execute any expensive operations/code at the module level. Auth manager classes are imported in several places and if they are slow to import this will negatively impact the performance of your Airflow environment, especially for CLI commands. - -Rest API -^^^^^^^^ - -Auth managers may vend Rest API endpoints which will be included in the :doc:`/stable-rest-api-ref` by implementing the ``get_api_endpoints`` method. The endpoints can be used to manage resources such as users, groups, roles (if any) handled by your auth manager. Endpoints are only vended for the currently configured auth manager. - -Next Steps -^^^^^^^^^^ - -Once you have created a new auth manager class implementing the :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager` interface, you can configure Airflow to use it by setting the ``core.auth_manager`` configuration value to the module path of your auth manager: - -.. code-block:: ini - - [core] - auth_manager = my_company.auth_managers.MyCustomAuthManager - -.. note:: - For more information on Airflow's configuration, see :doc:`/howto/set-config` and for more information on managing Python modules in Airflow see :doc:`/administration-and-deployment/modules_management`. diff --git a/docs/apache-airflow/core-concepts/auth-manager/index.rst b/docs/apache-airflow/core-concepts/auth-manager/index.rst index e7b7fa764fea..b61b44ae39ec 100644 --- a/docs/apache-airflow/core-concepts/auth-manager/index.rst +++ b/docs/apache-airflow/core-concepts/auth-manager/index.rst @@ -21,15 +21,7 @@ Auth manager Auth (for authentication/authorization) manager is the component in Airflow to handle user authentication and user authorization. They have a common API and are "pluggable", meaning you can swap auth managers based on your installation needs. -<<<<<<< HEAD -<<<<<<< HEAD .. image:: ../../img/diagram_auth_manager_airflow_architecture.png -======= -.. image:: ../img/diagram_auth_manager_airflow_architecture.png ->>>>>>> 7a07034b61 (Simple auth manager documentation) -======= -.. image:: ../../img/diagram_auth_manager_airflow_architecture.png ->>>>>>> b741090a8f (Fix docs) Airflow can only have one auth manager configured at a time; this is set by the ``auth_manager`` option in the ``[core]`` section of :doc:`the configuration file `. diff --git a/docs/apache-airflow/core-concepts/index.rst b/docs/apache-airflow/core-concepts/index.rst index 739111d4be09..0fded6ba495f 100644 --- a/docs/apache-airflow/core-concepts/index.rst +++ b/docs/apache-airflow/core-concepts/index.rst @@ -40,7 +40,6 @@ Here you can find detailed documentation about each one of the core concepts of sensors taskflow executor/index - auth-manager auth-manager/index objectstorage From 3df6f4c5ea5f26ca38cfc1a7ab41f8a211609746 Mon Sep 17 00:00:00 2001 From: vincbeck Date: Mon, 23 Sep 2024 16:46:47 -0400 Subject: [PATCH 8/8] Remove reference to auth manager doc --- docs/apache-airflow-providers-amazon/auth-manager/index.rst | 4 ---- docs/apache-airflow-providers-fab/auth-manager/index.rst | 4 ---- 2 files changed, 8 deletions(-) diff --git a/docs/apache-airflow-providers-amazon/auth-manager/index.rst b/docs/apache-airflow-providers-amazon/auth-manager/index.rst index d83c69ba09e9..c01fc5403e28 100644 --- a/docs/apache-airflow-providers-amazon/auth-manager/index.rst +++ b/docs/apache-airflow-providers-amazon/auth-manager/index.rst @@ -22,10 +22,6 @@ AWS auth manager .. warning:: The AWS auth manager is alpha/experimental at the moment and may be subject to change without warning. -.. note:: - Before reading this, you should be familiar with the concept of auth manager. - See :doc:`apache-airflow:core-concepts/auth-manager/index`. - The AWS auth manager is an auth manager powered by AWS. It uses two services: * `AWS IAM Identity Center `_ for authentication purposes diff --git a/docs/apache-airflow-providers-fab/auth-manager/index.rst b/docs/apache-airflow-providers-fab/auth-manager/index.rst index d8d1a06adae5..8d19ff56498d 100644 --- a/docs/apache-airflow-providers-fab/auth-manager/index.rst +++ b/docs/apache-airflow-providers-fab/auth-manager/index.rst @@ -18,10 +18,6 @@ Flask AppBuilder (FAB) auth manager =================================== -.. note:: - Before reading this, you should be familiar with the concept of auth manager. - See :doc:`apache-airflow:core-concepts/auth-manager/index`. - FAB auth (for authentication/authorization) manager is the auth manager that comes by default with Airflow. This auth manager defines the user authentication and user authorization by default in Airflow. The backend used to store all entities used by the FAB auth manager is the Airflow database: :doc:`apache-airflow:database-erd-ref`.