Replace "Role" by "Group" in AWS auth manager (#38078)
vincbeck authored Mar 12, 2024
1 parent 0a985f7 commit 68282c1
Showing 5 changed files with 24 additions and 24 deletions.
4 changes: 2 additions & 2 deletions airflow/providers/amazon/aws/auth_manager/avp/entities.py
Expand Up @@ -29,7 +29,7 @@ class AvpEntities(Enum):
"""Enum of Amazon Verified Permissions entities."""

ACTION = "Action"
ROLE = "Role"
GROUP = "Group"
USER = "User"

# Resource types
Expand All @@ -48,7 +48,7 @@ def get_entity_type(resource_type: AvpEntities) -> str:
:param resource_type: Resource type.
Example: Airflow::Action, Airflow::Role, Airflow::Variable, Airflow::User.
Example: Airflow::Action, Airflow::Group, Airflow::Variable, Airflow::User.
"""
return AVP_PREFIX_ENTITIES + resource_type.value

14 changes: 7 additions & 7 deletions airflow/providers/amazon/aws/auth_manager/avp/facade.py
Expand Up @@ -94,7 +94,7 @@ def is_authorized(
if user is None:
return False

entity_list = self._get_user_role_entities(user)
entity_list = self._get_user_group_entities(user)

self.log.debug(
"Making authorization request for user=%s, method=%s, entity_type=%s, entity_id=%s",
Expand Down Expand Up @@ -144,7 +144,7 @@ def get_batch_is_authorized_results(
:param requests: the list of requests containing the method, the entity_type and the entity ID
:param user: the user
"""
entity_list = self._get_user_role_entities(user)
entity_list = self._get_user_group_entities(user)

self.log.debug("Making batch authorization request for user=%s, requests=%s", user.get_id(), requests)

Expand Down Expand Up @@ -223,19 +223,19 @@ def get_batch_is_authorized_single_result(
raise AirflowException("Could not find the authorization result.")

@staticmethod
def _get_user_role_entities(user: AwsAuthManagerUser) -> list[dict]:
def _get_user_group_entities(user: AwsAuthManagerUser) -> list[dict]:
user_entity = {
"identifier": {"entityType": get_entity_type(AvpEntities.USER), "entityId": user.get_id()},
"parents": [
{"entityType": get_entity_type(AvpEntities.ROLE), "entityId": group}
{"entityType": get_entity_type(AvpEntities.GROUP), "entityId": group}
for group in user.get_groups()
],
}
role_entities = [
{"identifier": {"entityType": get_entity_type(AvpEntities.ROLE), "entityId": group}}
group_entities = [
{"identifier": {"entityType": get_entity_type(AvpEntities.GROUP), "entityId": group}}
for group in user.get_groups()
]
return [user_entity, *role_entities]
return [user_entity, *group_entities]

@staticmethod
def _build_context(context: dict | None) -> dict | None:
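Review bot: `_get_user_group_entities` has no docstring, although the shape it returns is exactly what lets a policy such as `principal in Airflow::Group::"Admin"` match — the `Airflow::User` entity lists every value of `user.get_groups()` as an `Airflow::Group` parent, and each group is then emitted again as an identifier-only entity. A short docstring stating that (first element is the user entity with its group parents, followed by one bare entity per group, and that the two callers above hand this list to the authorization request — the request call itself sits outside the hunk) would spare the next reader a trip to the Cedar docs. Worth saying there, or in the changelog, that a policy still written against `Airflow::Role` will no longer match these entities; as I understand Cedar's default-deny semantics that fails closed rather than open, but it means existing grants silently stop working after this rename.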
4 changes: 2 additions & 2 deletions airflow/providers/amazon/aws/auth_manager/cli/schema.json
Expand Up @@ -158,10 +158,10 @@
"Dag": {},
"Dataset": {},
"Pool": {},
"Role": {},
"Group": {},
"User": {
"memberOfTypes": [
"Role"
"Group"
]
},
"Variable": {},
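Review bot: Renaming the entity type from `Role` to `Group` in schema.json is a breaking change for any policy store already created from the previous schema: the schema has to be re-applied, and every stored policy that names `Airflow::Role::"…"` (the pattern the test policy in this same commit used before) must be rewritten, otherwise it no longer matches the `Airflow::Group` parents the facade now sends. As far as I can tell that fails closed — a stale policy grants nothing — but it locks out every previously authorised admin on upgrade, and a policy store whose stored schema does not declare `Airflow::Group` may also reject the new entity lists outright; I cannot confirm the latter from this diff. Since JSON has no comment syntax, this caveat belongs in the provider changelog/upgrade notes and, if the CLI under `cli/` is what pushes this schema (not visible here), in its output or docs.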
24 changes: 12 additions & 12 deletions tests/providers/amazon/aws/auth_manager/avp/test_facade.py
Expand Up @@ -89,15 +89,15 @@ def test_is_authorized_no_user(self, facade):
{
"identifier": {"entityType": "Airflow::User", "entityId": "test_user"},
"parents": [
{"entityType": "Airflow::Role", "entityId": "group1"},
{"entityType": "Airflow::Role", "entityId": "group2"},
{"entityType": "Airflow::Group", "entityId": "group1"},
{"entityType": "Airflow::Group", "entityId": "group2"},
],
},
{
"identifier": {"entityType": "Airflow::Role", "entityId": "group1"},
"identifier": {"entityType": "Airflow::Group", "entityId": "group1"},
},
{
"identifier": {"entityType": "Airflow::Role", "entityId": "group2"},
"identifier": {"entityType": "Airflow::Group", "entityId": "group2"},
},
],
None,
Expand All @@ -113,15 +113,15 @@ def test_is_authorized_no_user(self, facade):
{
"identifier": {"entityType": "Airflow::User", "entityId": "test_user"},
"parents": [
{"entityType": "Airflow::Role", "entityId": "group1"},
{"entityType": "Airflow::Role", "entityId": "group2"},
{"entityType": "Airflow::Group", "entityId": "group1"},
{"entityType": "Airflow::Group", "entityId": "group2"},
],
},
{
"identifier": {"entityType": "Airflow::Role", "entityId": "group1"},
"identifier": {"entityType": "Airflow::Group", "entityId": "group1"},
},
{
"identifier": {"entityType": "Airflow::Role", "entityId": "group2"},
"identifier": {"entityType": "Airflow::Group", "entityId": "group2"},
},
],
None,
Expand Down Expand Up @@ -152,15 +152,15 @@ def test_is_authorized_no_user(self, facade):
{
"identifier": {"entityType": "Airflow::User", "entityId": "test_user"},
"parents": [
{"entityType": "Airflow::Role", "entityId": "group1"},
{"entityType": "Airflow::Role", "entityId": "group2"},
{"entityType": "Airflow::Group", "entityId": "group1"},
{"entityType": "Airflow::Group", "entityId": "group2"},
],
},
{
"identifier": {"entityType": "Airflow::Role", "entityId": "group1"},
"identifier": {"entityType": "Airflow::Group", "entityId": "group1"},
},
{
"identifier": {"entityType": "Airflow::Role", "entityId": "group2"},
"identifier": {"entityType": "Airflow::Group", "entityId": "group2"},
},
],
{"contextMap": {"context_param": {"string": "value"}}},
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@

AVP_POLICY_ADMIN = """
permit (
principal in Airflow::Role::"Admin",
principal in Airflow::Group::"Admin",
action,
resource
);
