airflow.providers.fab.auth_manager.security_manager.override

Module Contents

Classes

FabAirflowSecurityManagerOverride

This security manager overrides the default AirflowSecurityManager security manager.

Attributes

log

MAX_NUM_DATABASE_USER_SESSIONS

airflow.providers.fab.auth_manager.security_manager.override.log[source]
airflow.providers.fab.auth_manager.security_manager.override.MAX_NUM_DATABASE_USER_SESSIONS = 50000[source]
class airflow.providers.fab.auth_manager.security_manager.override.FabAirflowSecurityManagerOverride(appbuilder)[source]

Bases: airflow.www.security_manager.AirflowSecurityManagerV2

This security manager overrides the default AirflowSecurityManager security manager.

This security manager is used only if the auth manager FabAuthManager is used. It defines everything in the security manager that is needed for the FabAuthManager to work. Any operation specific to the AirflowSecurityManager should be defined here instead of AirflowSecurityManager.

Parameters

appbuilder – The appbuilder.

property get_session[source]
property auth_type[source]

Get the auth type.

property is_auth_limited: bool[source]

Is the auth rate limited.

property auth_rate_limit: str[source]

Get the auth rate limit.

property auth_role_public[source]

Get the public role.

property oauth_providers[source]

Oauth providers.

property auth_ldap_tls_cacertdir[source]

LDAP TLS CA certificate directory.

property auth_ldap_tls_cacertfile[source]

LDAP TLS CA certificate file.

property auth_ldap_tls_certfile[source]

LDAP TLS certificate file.

property auth_ldap_tls_keyfile[source]

LDAP TLS key file.

property auth_ldap_allow_self_signed[source]

LDAP allow self signed.

property auth_ldap_tls_demand[source]

LDAP TLS demand.

property auth_ldap_server[source]

Get the LDAP server object.

property auth_ldap_use_tls[source]

Should LDAP use TLS.

property auth_ldap_bind_user[source]

LDAP bind user.

property auth_ldap_bind_password[source]

LDAP bind password.

LDAP search object.

property auth_ldap_search_filter[source]

LDAP search filter.

property auth_ldap_uid_field[source]

LDAP UID field.

property auth_ldap_firstname_field[source]

LDAP first name field.

property auth_ldap_lastname_field[source]

LDAP last name field.

property auth_ldap_email_field[source]

LDAP email field.

property auth_ldap_append_domain[source]

LDAP append domain.

property auth_ldap_username_format[source]

LDAP username format.

property auth_ldap_group_field: str[source]

LDAP group field.

property auth_roles_mapping: dict[str, list[str]][source]

The mapping of auth roles.

property auth_user_registration_role_jmespath: str[source]

The JMESPATH role to use for user registration.

property auth_remote_user_env_var: str[source]
property api_login_allow_multiple_providers[source]
property auth_username_ci[source]

Get the auth username for CI.

property auth_ldap_bind_first[source]

LDAP bind first.

property openid_providers[source]

Openid providers.

property auth_type_provider_name[source]
property auth_user_registration[source]

Will user self registration be allowed.

property auth_user_registration_role[source]

The default user self registration role.

property auth_roles_sync_at_login: bool[source]

Should roles be synced at login.

property auth_role_admin[source]

Get the admin role.

property oauth_whitelists[source]
property builtin_roles[source]

Get the builtin roles.

auth_view[source]

The obj instance for authentication view

registeruser_view[source]

The obj instance for registering user view

user_view[source]

The obj instance for user view

user_model[source]
role_model[source]
action_model[source]
resource_model[source]
permission_model[source]

Views

authdbview[source]

Override if you want your own Authentication DB view

authldapview[source]

Override if you want your own Authentication LDAP view

authoidview[source]

Override if you want your own Authentication OID view

authoauthview[source]

Override if you want your own Authentication OAuth view

authremoteuserview[source]

Override if you want your own Authentication REMOTE_USER view

registeruserdbview[source]

Override if you want your own register user db view

registeruseroidview[source]

Override if you want your own register user OpenID view

registeruseroauthview[source]

Override if you want your own register user OAuth view

actionmodelview[source]
permissionmodelview[source]
rolemodelview[source]
registeruser_model[source]
registerusermodelview[source]
resourcemodelview[source]
userdbmodelview[source]
resetmypasswordview[source]
resetpasswordview[source]
userinfoeditview[source]
userldapmodelview[source]
useroauthmodelview[source]
userremoteusermodelview[source]
useroidmodelview[source]
userstatschartview[source]
jwt_manager[source]

Flask-JWT-Extended

oid[source]

Flask-OpenID OpenID

oauth[source]
oauth_remotes: dict[str, Any][source]

Initialized (remote_app) providers dict {‘provider_name’, OBJ }

oauth_user_info[source]
oauth_allow_list: dict[str, list][source]

OAuth email allow list

DAG_RESOURCES[source]
VIEWER_PERMISSIONS = [(), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (),...[source]
USER_PERMISSIONS = [(), (), (), (), (), (), (), (), ()][source]
OP_PERMISSIONS = [(), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), ()][source]
ADMIN_PERMISSIONS = [(), (), (), (), (), (), (), (), (), ()][source]
ROLE_CONFIGS: list[dict[str, Any]][source]
DAG_ACTIONS[source]
register_views()[source]

Register FAB auth manager related views.

create_login_manager()[source]

Create the login manager.

create_jwt_manager()[source]

Create the JWT manager.

reset_password(userid, password)[source]

Change/Reset a user’s password for auth db.

Password will be hashed and saved.

Parameters
  • userid (int) – the user id to reset the password

  • password (str) – the clear text password to reset and save hashed on the db

reset_user_sessions(user)[source]
load_user_jwt(_jwt_header, jwt_data)[source]
create_builtin_roles()[source]

Return FAB builtin roles.

create_admin_standalone()[source]

Create an Admin user with a random password so that users can access airflow.

create_db()[source]

Create the database.

Creates admin and public roles if they don’t exist.

get_readable_dags(user)[source]

Get the DAGs readable by authenticated user.

get_editable_dags(user)[source]

Get the DAGs editable by authenticated user.

get_accessible_dags(user_actions, user, session=NEW_SESSION)[source]
get_accessible_dag_ids(user, user_actions=None, session=NEW_SESSION)[source]
static get_readable_dag_ids(user=None)[source]

Get the DAG IDs readable by authenticated user.

static get_editable_dag_ids(user=None)[source]

Get the DAG IDs editable by authenticated user.

can_access_some_dags(action, dag_id=None)[source]

Check if user has read or write access to some dags.

get_all_permissions()[source]

Return all permissions as a set of tuples with the action and resource names.

create_dag_specific_permissions()[source]

Add permissions to all DAGs.

Creates ‘can_read’, ‘can_edit’, and ‘can_delete’ permissions for all DAGs, along with any access_control permissions provided in them.

This does iterate through ALL the DAGs, which can be slow. See sync_perm_for_dag if you only need to sync a single DAG.

prefixed_dag_id(dag_id)[source]

Return the permission name for a DAG id.

is_dag_resource(resource_name)[source]

Determine if a resource belongs to a DAG or all DAGs.

sync_perm_for_dag(dag_id, access_control=None)[source]

Sync permissions for given dag id.

The dag id surely exists in our dag bag as only / refresh button or DagBag will call this function.

Parameters
  • dag_id (str) – the ID of the DAG whose permissions should be updated

  • access_control (dict[str, Collection[str]] | None) – a dict where each key is a role name and each value is a set() of action names (e.g., {‘can_read’}

Returns

Return type

None

add_permissions_view(base_action_names, resource_name)[source]

Add an action on a resource to the backend.

Parameters
  • base_action_names

    list of permissions from view (all exposed methods):

    ’can_add’,’can_edit’ etc…

  • resource_name – name of the resource to add

add_permissions_menu(resource_name)[source]

Add menu_access to resource on permission_resource.

Parameters

resource_name – The resource name

security_cleanup(baseviews, menus)[source]

Cleanup all unused permissions from the database.

Parameters
  • baseviews – A list of BaseViews class

  • menus – Menu class

sync_roles()[source]

Initialize default and custom roles with related permissions.

  1. Init the default role(Admin, Viewer, User, Op, public) with related permissions.

  2. Init the custom role(dag-user) with related permissions.

create_perm_vm_for_all_dag()[source]

Create perm-vm if not exist and insert into FAB security model for all-dags.

add_homepage_access_to_custom_roles()[source]

Add Website.can_read access to all custom roles.

update_admin_permission()[source]

Add missing permissions to the table for admin.

Admin should get all the permissions, except the dag permissions because Admin already has Dags permission. Add the missing ones to the table for admin.

clean_perms()[source]

FAB leaves faulty permissions that need to be cleaned up.

permission_exists_in_one_or_more_roles(resource_name, action_name, role_ids)[source]

Efficiently check if a certain permission exists on a list of role ids; used by has_access.

Parameters
  • resource_name (str) – The view’s name to check if exists on one of the roles

  • action_name (str) – The permission name to check if exists

  • role_ids (list[int]) – a list of Role ids

Returns

Boolean

Return type

bool

perms_include_action(perms, action_name)[source]
init_role(role_name, perms)[source]

Initialize the role with actions and related resources.

Parameters
  • role_name

  • perms

bulk_sync_roles(roles)[source]

Sync the provided roles and permissions.

sync_resource_permissions(perms=None)[source]

Populate resource-based permissions.

update_role(role_id, name)[source]

Update a role in the database.

add_role(name)[source]

Add a role in the database.

find_role(name)[source]

Find a role in the database.

Parameters

name – the role name

get_all_roles()[source]
delete_role(role_name)[source]

Delete the given Role.

Parameters

role_name (str) – the name of a role in the ab_role table

get_roles_from_keys(role_keys)[source]

Construct a list of FAB role objects, from a list of keys.

NOTE: - keys are things like: “LDAP group DNs” or “OAUTH group names” - we use AUTH_ROLES_MAPPING to map from keys, to FAB role names

Parameters

role_keys (list[str]) – the list of FAB role keys

get_public_role()[source]
add_user(username, first_name, last_name, email, role, password='', hashed_password='')[source]

Create a user.

load_user(user_id)[source]
get_user_by_id(pk)[source]
count_users()[source]

Return the number of users in the database.

add_register_user(username, first_name, last_name, email, password='', hashed_password='')[source]

Add a registration request for the user.

:rtype : RegisterUser

find_user(username=None, email=None)[source]

Find user by username or email.

find_register_user(registration_hash)[source]
update_user(user)[source]
del_register_user(register_user)[source]

Delete registration object from database.

Parameters

register_user – RegisterUser object to delete

get_all_users()[source]
update_user_auth_stat(user, success=True)[source]

Update user authentication stats.

This is done upon successful/unsuccessful authentication attempts.

Parameters
  • user – The identified (but possibly not successfully authenticated) user model

  • success – Defaults to true, if true increments login_count, updates last_login, and resets fail_login_count to 0, if false increments fail_login_count on user model.

get_action(name)[source]

Get an existing action record.

Parameters

name (str) – name

create_action(name)[source]

Add an action to the backend, model action.

Parameters

name – name of the action: ‘can_add’,’can_edit’ etc…

delete_action(name)[source]

Delete a permission action.

Parameters

name (str) – Name of action to delete (e.g. can_read).

get_resource(name)[source]

Return a resource record by name, if it exists.

Parameters

name (str) – Name of resource

create_resource(name)[source]

Create a resource with the given name.

Parameters

name – The name of the resource to create created.

get_all_resources()[source]

Get all existing resource records.

delete_resource(name)[source]

Delete a Resource from the backend.

Parameters

name (str) – name of the resource

get_permission(action_name, resource_name)[source]

Get a permission made with the given action->resource pair, if the permission already exists.

Parameters
  • action_name (str) – Name of action

  • resource_name (str) – Name of resource

get_resource_permissions(resource)[source]

Retrieve permission pairs associated with a specific resource object.

Parameters

resource (airflow.providers.fab.auth_manager.models.Resource) – Object representing a single resource.

create_permission(action_name, resource_name)[source]

Add a permission on a resource to the backend.

Parameters
  • action_name – name of the action to add: ‘can_add’,’can_edit’ etc…

  • resource_name – name of the resource to add

delete_permission(action_name, resource_name)[source]

Delete the permission linking an action->resource pair.

Doesn’t delete the underlying action or resource.

Parameters
  • action_name (str) – Name of existing action

  • resource_name (str) – Name of existing resource

add_permission_to_role(role, permission)[source]

Add an existing permission pair to a role.

Parameters
remove_permission_from_role(role, permission)[source]

Remove a permission pair from a role.

Parameters
get_oid_identity_url(provider_name)[source]

Return the OIDC identity provider URL.

static get_user_roles(user=None)[source]

Get all the roles associated with the user.

Parameters

user – the ab_user in FAB model.

Returns

a list of roles associated with the user.

auth_user_ldap(username, password)[source]

Authenticate user with LDAP.

NOTE: this depends on python-ldap module.

Parameters
  • username – the username

  • password – the password

auth_user_db(username, password)[source]

Authenticate user, auth db style.

Parameters
  • username – The username or registered email address

  • password – The password, will be tested against hashed password on db

oauth_user_info_getter(func)[source]

Get OAuth user info for all the providers.

Receives provider and response return a dict with the information returned from the provider. The returned user info dict should have its keys with the same name as the User Model.

Use it like this an example for GitHub

@appbuilder.sm.oauth_user_info_getter
def my_oauth_user_info(sm, provider, response=None):
    if provider == "github":
        me = sm.oauth_remotes[provider].get("user")
        return {"username": me.data.get("login")}
    return {}
get_oauth_user_info(provider, resp)[source]

There are different OAuth APIs with different ways to retrieve user info.

All providers have different ways to retrieve user info.

static oauth_token_getter()[source]

Get authentication (OAuth) token.

check_authorization(perms=None, dag_id=None)[source]

Check the logged-in user has the specified permissions.

set_oauth_session(provider, oauth_response)[source]

Set the current session with OAuth user secrets.

get_oauth_token_key_name(provider)[source]

Return the token_key name for the oauth provider.

If none is configured defaults to oauth_token this is configured using OAUTH_PROVIDERS and token_key key.

get_oauth_token_secret_name(provider)[source]

Get the token_secret name for the oauth provider.

If none is configured, defaults to oauth_secret. This is configured using OAUTH_PROVIDERS and token_secret.

auth_user_oauth(userinfo)[source]

Authenticate user with OAuth.

Userinfo

dict with user information (keys are the same as User model columns)

auth_user_oid(email)[source]

Openid user Authentication.

Parameters

email – user’s email to authenticate

auth_user_remote_user(username)[source]

REMOTE_USER user Authentication.

Parameters

username – user’s username for remote auth

get_user_menu_access(menu_names=None)[source]
static ldap_extract_list(ldap_dict, field_name)[source]
static ldap_extract(ldap_dict, field_name, fallback)[source]
filter_roles_by_perm_with_action(action_name, role_ids)[source]

Find roles with permission.

Was this entry helpful?