Add ClusterPolicyViolation support to airflow local settings #10282

jaketf · 2020-08-10T19:47:05Z

This change will allow users to throw other exceptions (namely AirflowClusterPolicyViolation) than DagCycleException as part of Cluster Policies.

This can be helpful for running checks on tasks / DAGs (e.g. asserting task has a non-airflow owner) and failing to run tasks aren't compliant with these checks.

This is meant as a tool for airflow admins to prevent user mistakes (especially in shared airlfow infrastructure with newbies) than as a strong technical control for security / compliance posture.

CC: @potiuk @mik-laj who are familiar with this change.

…airflow-aas into develop

mik-laj · 2020-08-10T19:49:24Z

@jaketf Can you add some docs?

tests/test_local_settings.py

airflow/models/dagbag.py

mik-laj · 2020-08-10T20:07:34Z

I don't think we need a separate option in airflow_local_settings. I think we can use the cluster policy. The example configuration file, you can find in example_config/airflow_local_settings.py in our project.

docs/concepts.rst

tests/test_local_settings.py

mik-laj · 2020-08-11T23:13:09Z

@kaxil Thanks for the review. I was just about to ask you for this as I am the author of some of the code for this change and an independent review would be helpful.

docs/concepts.rst

tests/cluster_policies/__init__.py

tests/models/test_dagbag.py

tests/test_local_settings.py

Co-authored-by: Kaxil Naik <[email protected]>

jaketf · 2020-08-12T21:11:11Z

@kaxil @mik-laj (please ignore my rage committing to get CI checks to pass) This is ready for review again.

kaxil · 2020-08-12T22:06:42Z

👏 Nice work @jaketf

potiuk · 2020-08-13T15:24:07Z

Indeed :).

This change will allow users to throw other exceptions (namely `AirflowClusterPolicyViolation`) than `DagCycleException` as part of Cluster Policies. This can be helpful for running checks on tasks / DAGs (e.g. asserting task has a non-airflow owner) and failing to run tasks aren't compliant with these checks. This is meant as a tool for airflow admins to prevent user mistakes (especially in shared Airflow infrastructure with newbies) than as a strong technical control for security/compliance posture. (cherry picked from commit 7f76b8b)

The custom ClusterPolicyViolation has been added in apache#10282 This one adds more comprehensive test to it.

The custom ClusterPolicyViolation has been added in #10282 This one adds more comprehensive test to it. Co-authored-by: Jacob Ferriero <[email protected]>

…10282) This change will allow users to throw other exceptions (namely `AirflowClusterPolicyViolation`) than `DagCycleException` as part of Cluster Policies. This can be helpful for running checks on tasks / DAGs (e.g. asserting task has a non-airflow owner) and failing to run tasks aren't compliant with these checks. This is meant as a tool for airflow admins to prevent user mistakes (especially in shared Airflow infrastructure with newbies) than as a strong technical control for security/compliance posture. (cherry picked from commit 7f76b8b)

Merge branch 'develop' of github.com:PolideaInternal/pso-google-sfdc-…

fd484dd

…airflow-aas into develop

mik-laj reviewed Aug 10, 2020

View reviewed changes

tests/test_local_settings.py Outdated Show resolved Hide resolved

mik-laj reviewed Aug 10, 2020

View reviewed changes

tests/test_local_settings.py Outdated Show resolved Hide resolved

mik-laj reviewed Aug 10, 2020

View reviewed changes

tests/test_local_settings.py Outdated Show resolved Hide resolved

mik-laj reviewed Aug 10, 2020

View reviewed changes

airflow/models/dagbag.py Show resolved Hide resolved

fixup! add docs

1f70c8d

mik-laj reviewed Aug 10, 2020

View reviewed changes