From 1c961a0e273619b4efee326b8ca0e53888c32e93 Mon Sep 17 00:00:00 2001
From: Vincent <97131062+vincbeck@users.noreply.github.com>
Date: Thu, 14 Dec 2023 13:49:40 -0500
Subject: [PATCH] Move config related to FAB auth manager to FAB provider
---
 airflow/config_templates/config.yml | 4 +++
 .../fab/auth_manager/fab_auth_manager.py | 4 ++-
 airflow/providers/fab/provider.yaml | 27 +++++++++++++++++++
 airflow/www/extensions/init_appbuilder.py | 19 ++++++++-----
 .../configurations-ref.rst | 18 +++++++++++++
 docs/apache-airflow-providers-fab/index.rst | 1 +
 tests/conftest.py | 2 +-
 tests/www/views/conftest.py | 2 +-
 tests/www/views/test_views_log.py | 2 +-
 tests/www/views/test_views_rate_limit.py | 4 +--
 10 files changed, 70 insertions(+), 13 deletions(-)
 create mode 100644 docs/apache-airflow-providers-fab/configurations-ref.rst
diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml
index 0930fada767141..8bc1659b3be6aa 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -1817,6 +1817,8 @@ webserver:
 type: boolean
 example: ~
 default: "True"
+ version_deprecated: 2.9.0
+ deprecation_reason: This config has been moved to fab provider. Please use the config from fab provider.
 auth_rate_limit:
 description: |
 Rate limit for authentication endpoints.
@@ -1824,6 +1826,8 @@ webserver:
 type: string
 example: ~
 default: "5 per 40 second"
+ version_deprecated: 2.9.0
+ deprecation_reason: This config has been moved to fab provider. Please use the config from fab provider.
 caching_hash_method:
 description: |
 The caching algorithm used by the webserver. Must be a valid hashlib function name.
diff --git a/airflow/providers/fab/auth_manager/fab_auth_manager.py b/airflow/providers/fab/auth_manager/fab_auth_manager.py
index 201dc050f9ad4f..599d58b325985e 100644
--- a/airflow/providers/fab/auth_manager/fab_auth_manager.py
+++ b/airflow/providers/fab/auth_manager/fab_auth_manager.py
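Review bot: The `deprecation_reason` added under `auth_rate_limited` and `auth_rate_limit` does not name the replacement option, and the third moved option gets no deprecation marker in this patch. The diffstat shows only four added lines in config.yml, so `[webserver] update_fab_perms` appears to stay undeprecated even though the Python changes now read it only as a fallback. Operators who tuned login rate limiting need to see exactly where the setting now lives; a reason such as `deprecation_reason: Moved to the fab provider; use [fab] auth_rate_limit instead.` would say so, and the same two keys should be added to the `update_fab_perms` entry, whose definition is outside these hunks.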
@@ -508,5 +508,7 @@ def _sync_appbuilder_roles(self):
 # Otherwise, when the name of a view or menu is changed, the framework
 # will add the new Views and Menus names to the backend, but will not
 # delete the old ones.
- if conf.getboolean("webserver", "UPDATE_FAB_PERMS"):
+ if conf.getboolean(
+ "fab", "UPDATE_FAB_PERMS", fallback=conf.getboolean("webserver", "UPDATE_FAB_PERMS")
+ ):
 self.security_manager.sync_roles()
diff --git a/airflow/providers/fab/provider.yaml b/airflow/providers/fab/provider.yaml
index 6687110e6a27a9..8b4046cc65c6b1 100644
--- a/airflow/providers/fab/provider.yaml
+++ b/airflow/providers/fab/provider.yaml
@@ -36,3 +36,30 @@ dependencies:
 - flask-appbuilder==4.3.10
 - flask-login>=0.6.2
 - google-re2>=1.0
+
+config:
+ fab:
+ description: This section contains configs specific to FAB provider.
+ options:
+ auth_rate_limited:
+ description: |
+ Boolean for enabling rate limiting on authentication endpoints.
+ version_added: 1.0.0
+ type: boolean
+ example: ~
+ default: "True"
+ auth_rate_limit:
+ description: |
+ Rate limit for authentication endpoints.
+ version_added: 2.6.0
+ type: string
+ example: ~
+ default: "5 per 40 second"
+ update_fab_perms:
+ description: |
+ Update FAB permissions and sync security manager roles
+ on webserver startup
+ version_added: 1.10.7
+ type: string
+ example: ~
+ default: "True"
diff --git a/airflow/www/extensions/init_appbuilder.py b/airflow/www/extensions/init_appbuilder.py
index ddb44200f93b29..4514f8afa88516 100644
--- a/airflow/www/extensions/init_appbuilder.py
+++ b/airflow/www/extensions/init_appbuilder.py
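Review bot: The `fallback=` in the new `conf.getboolean("fab", "UPDATE_FAB_PERMS", fallback=...)` call is used only when `[fab]` resolves to no value at all, yet provider.yaml in this same patch declares a default of `"True"` for that option. If the config parser applies declared provider defaults before `fallback` (likely, but not visible here), an existing `[webserver]` setting is silently ignored; the same pattern in the init_appbuilder.py hunk would reset a stricter `auth_rate_limit` to `5 per 40 second`. The inner lookup is also evaluated eagerly, so the legacy section is read even when `[fab]` is set. Registering the old location as a deprecated alias in the parser's `deprecated_options` table, e.g. `("fab", "update_fab_perms"): ("webserver", "update_fab_perms", "2.9.0"),`, would let the call stay `conf.getboolean("fab", "UPDATE_FAB_PERMS")` with explicit precedence. The body of `_sync_appbuilder_roles` begins outside the hunk.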
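Review bot: `update_fab_perms` is declared with `type: string` in the provider.yaml hunk although both readers in this patch call `conf.getboolean` on it and its default is `"True"`; it should read `type: boolean`, matching `auth_rate_limited` above it. The `version_added` values (`1.0.0`, `2.6.0`, `1.10.7`) look carried over from the core `[webserver]` entries rather than being provider release numbers, which would make the generated configuration reference misleading; worth confirming which version scheme this field expects in a provider file.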
@@ -131,9 +131,19 @@ def __init__(
 base_template="airflow/main.html",
 static_folder="static/appbuilder",
 static_url_path="/appbuilder",
- update_perms=conf.getboolean("webserver", "UPDATE_FAB_PERMS"),
- auth_rate_limited=conf.getboolean("webserver", "AUTH_RATE_LIMITED", fallback=True),
- auth_rate_limit=conf.get("webserver", "AUTH_RATE_LIMIT", fallback="5 per 40 second"),
+ update_perms=conf.getboolean(
+ "fab", "UPDATE_FAB_PERMS", fallback=conf.getboolean("webserver", "UPDATE_FAB_PERMS")
+ ),
+ auth_rate_limited=conf.getboolean(
+ "fab",
+ "AUTH_RATE_LIMITED",
+ fallback=conf.getboolean("webserver", "AUTH_RATE_LIMITED", fallback=True),
+ ),
+ auth_rate_limit=conf.get(
+ "fab",
+ "AUTH_RATE_LIMIT",
+ fallback=conf.get("webserver", "AUTH_RATE_LIMIT", fallback="5 per 40 second"),
+ ),
 ):
 """
 App-builder constructor.
@@ -659,7 +669,4 @@ def init_appbuilder(app: Flask) -> AirflowAppBuilder:
 app=app,
 session=settings.Session,
 base_template="airflow/main.html",
- update_perms=conf.getboolean("webserver", "UPDATE_FAB_PERMS"),
- auth_rate_limited=conf.getboolean("webserver", "AUTH_RATE_LIMITED", fallback=True),
- auth_rate_limit=conf.get("webserver", "AUTH_RATE_LIMIT", fallback="5 per 40 second"),
 )
diff --git a/docs/apache-airflow-providers-fab/configurations-ref.rst b/docs/apache-airflow-providers-fab/configurations-ref.rst
new file mode 100644
index 00000000000000..5885c9d91b6e8d
--- /dev/null
+++ b/docs/apache-airflow-providers-fab/configurations-ref.rst
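Review bot: The configuration lookups for `update_perms`, `auth_rate_limited` and `auth_rate_limit` are parameter defaults of `__init__`, which Python evaluates once when the function is defined, and the second hunk removes the call-site arguments in `init_appbuilder` that used to read them on every call. After this change the authentication rate-limit settings are fixed at import time, so an override applied later (such as the `conf_vars` blocks in this patch's tests) takes effect only if the module is first imported inside it. Keeping the explicit arguments at the call site avoids that, or the defaults could become `None` and be resolved in the body, e.g. `if auth_rate_limit is None: auth_rate_limit = conf.get("fab", "AUTH_RATE_LIMIT")`. The body of `__init__` lies outside the hunk, so where that resolution would go is not visible here.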
@@ -0,0 +1,18 @@ + .. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + .. http://www.apache.org/licenses/LICENSE-2.0 + + .. Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + +.. include:: ../exts/includes/providers-configurations-ref.rst diff --git a/docs/apache-airflow-providers-fab/index.rst b/docs/apache-airflow-providers-fab/index.rst index 348a65a97abbbd..df1eb33453c2cd 100644 --- a/docs/apache-airflow-providers-fab/index.rst +++ b/docs/apache-airflow-providers-fab/index.rst @@ -34,6 +34,7 @@ :maxdepth: 1 :caption: Guides + Configuration Auth manager .. toctree:: diff --git a/tests/conftest.py b/tests/conftest.py index b48c51a0cbb8fa..780f0c471c91c9 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -602,7 +602,7 @@ def fake_sleep(seconds): def app(): from tests.test_utils.config import conf_vars - with conf_vars({("webserver", "auth_rate_limited"): "False"}): + with conf_vars({("fab", "auth_rate_limited"): "False"}): from airflow.www import app yield app.create_app(testing=True) diff --git a/tests/www/views/conftest.py b/tests/www/views/conftest.py index aa531a8267a51a..14822b5eaf5eb4 100644 --- a/tests/www/views/conftest.py +++ b/tests/www/views/conftest.py 
@@ -63,7 +63,7 @@ def app(examples_dag_bag): ] ) def factory(): - with conf_vars({("webserver", "auth_rate_limited"): "False"}): + with conf_vars({("fab", "auth_rate_limited"): "False"}): return create_app(testing=True) app = factory() diff --git a/tests/www/views/test_views_log.py b/tests/www/views/test_views_log.py index 16cfa2b99756c7..8d816d76956053 100644 --- a/tests/www/views/test_views_log.py +++ b/tests/www/views/test_views_log.py @@ -79,7 +79,7 @@ def log_app(backup_modules, log_path): @conf_vars( { ("logging", "logging_config_class"): "airflow_local_settings.LOGGING_CONFIG", - ("webserver", "auth_rate_limited"): "False", + ("fab", "auth_rate_limited"): "False", } ) def factory(): diff --git a/tests/www/views/test_views_rate_limit.py b/tests/www/views/test_views_rate_limit.py index ddd28259d7c4c2..540a0c9f9a1898 100644 --- a/tests/www/views/test_views_rate_limit.py +++ b/tests/www/views/test_views_rate_limit.py @@ -43,9 +43,7 @@ def app_with_rate_limit_one(examples_dag_bag): ] ) def factory(): - with conf_vars( - {("webserver", "auth_rate_limited"): "True", ("webserver", "auth_rate_limit"): "1 per 20 second"} - ): + with conf_vars({("fab", "auth_rate_limited"): "True", ("fab", "auth_rate_limit"): "1 per 20 second"}): return create_app(testing=True) app = factory()
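Review bot: Every fixture touched in the test hunks (tests/conftest.py, tests/www/views/conftest.py, test_views_log.py, test_views_rate_limit.py) now sets only `("fab", ...)` keys, so nothing exercises the `[webserver]` fallback that init_appbuilder.py keeps for existing deployments. A second fixture in test_views_rate_limit.py using `conf_vars({("webserver", "auth_rate_limited"): "True", ("webserver", "auth_rate_limit"): "1 per 20 second"})` with `[fab]` left unset, asserting the same throttling result, would show whether a legacy rate-limit setting is still honoured after the move. The fixture bodies continue outside the hunks.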