Merge branch 'main' into aip-84-providers-permissions

apache · Mar 11, 2025 · 3e3681c · 3e3681c
2 parents bfbd79b + 637525c
commit 3e3681c
Show file tree

Hide file tree

Showing 989 changed files with 21,712 additions and 27,417 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -122,6 +122,10 @@ docs/**/_api/**
 **/.installed.cfg
 **/*.egg
 
+# But ensure UI dist files are included
+!airflow/ui/dist
+!providers/fab/src/airflow/providers/fab/www/dist
+
 # Exclude temporary vi files
 **/*~
 

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -29,9 +29,7 @@
 /airflow/ui/ @bbovenzi @pierrejeambrun @ryanahamilton @jscheffl
 
 # Security/Permissions
-/airflow/api_connexion/security.py @vincbeck
 /airflow/security/permissions.py @vincbeck
-/airflow/www/security.py @vincbeck
 
 # Calendar/Timetables
 /airflow/timetables/ @uranusjr

diff --git a/.github/workflows/basic-tests.yml b/.github/workflows/basic-tests.yml
@@ -131,22 +131,22 @@ jobs:
       - name: "Restore eslint cache (simple auth manager UI)"
         uses: apache/infrastructure-actions/stash/restore@1c35b5ccf8fba5d4c3fdf25a045ca91aa0cbc468
         with:
-          path: airflow/auth/managers/simple/ui/node_modules/
+          path: airflow/api_fastapi/auth/managers/simple/ui/node_modules/
           key: >
             cache-simple-am-ui-node-modules-v1-
-            ${{ runner.os }}-${{ hashFiles('airflow/auth/managers/simple/ui/**/pnpm-lock.yaml') }}
+            ${{ runner.os }}-${{ hashFiles('airflow/api_fastapi/auth/managers/simple/ui/**/pnpm-lock.yaml') }}
         id: restore-eslint-cache-simple-am-ui
-      - run: cd airflow/auth/managers/simple/ui && pnpm install --frozen-lockfile
-      - run: cd airflow/auth/managers/simple/ui && pnpm test
+      - run: cd airflow/api_fastapi/auth/managers/simple/ui && pnpm install --frozen-lockfile
+      - run: cd airflow/api_fastapi/auth/managers/simple/ui && pnpm test
         env:
           FORCE_COLOR: 2
       - name: "Save eslint cache (ui)"
         uses: apache/infrastructure-actions/stash/save@1c35b5ccf8fba5d4c3fdf25a045ca91aa0cbc468
         with:
-          path: airflow/auth/managers/simple/ui/node_modules/
+          path: airflow/api_fastapi/auth/managers/simple/ui/node_modules/
           key: >
             cache-simple-am-ui-node-modules-v1-
-            ${{ runner.os }}-${{ hashFiles('airflow/auth/managers/simple/ui/**/pnpm-lock.yaml') }}
+            ${{ runner.os }}-${{ hashFiles('airflow/api_fastapi/auth/managers/simple/ui/**/pnpm-lock.yaml') }}
           if-no-files-found: 'error'
           retention-days: '2'
         if: steps.restore-eslint-cache-simple-am-ui.outputs.stash-hit != 'true'

diff --git a/.gitignore b/.gitignore
@@ -170,6 +170,7 @@ pnpm-debug.log*
 .vscode/*
 !.vscode/extensions.json
 /.vite/
+airflow/ui/.vite/
 .pnpm-store
 *.tsbuildinfo
 

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -125,7 +125,7 @@ repos:
           - --fuzzy-match-generates-todo
       - id: insert-license
         name: Add license for all YAML files except Helm templates
-        exclude: ^\.github/.*$|^chart/templates/.*|.*/reproducible_build.yaml$|^airflow/api_fastapi/core_api/openapi/v1-generated.yaml$|^airflow/auth/managers/simple/openapi/v1-generated.yaml$|^providers/fab/src/airflow/providers/fab/auth_manager/api_fastapi/openapi/v1-generated.yaml$|^.*/pnpm-lock.yaml$
+        exclude: ^\.github/.*$|^chart/templates/.*|.*/reproducible_build.yaml$|^.*/v1-generated.yaml$|^.*/pnpm-lock.yaml$
         types: [yaml]
         files: \.ya?ml$
         args:
@@ -281,9 +281,8 @@ repos:
           ^.*airflow\.template\.yaml$|
           ^.*init_git_sync\.template\.yaml$|
           ^chart/(?:templates|files)/.*\.yaml$|
-          ^airflow/api_fastapi/core_api/openapi/v1-generated\.yaml$|
+          .*/v1-generated\.yaml$|
           ^.*openapi.*\.yaml$|
-          ^airflow/api_fastapi/core_api/openapi/v1-generated\.yaml$|
           ^\.pre-commit-config\.yaml$|
           ^.*/reproducible_build.yaml$|
           ^.*pnpm-lock\.yaml$
@@ -689,7 +688,6 @@ repos:
         entry: "^\\s*from airflow\\.models\\.baseoperatorlink import BaseOperatorLink\\b"
         files: \.py$
         pass_filenames: true
-        echo: True
         exclude: >
           (?x)
           ^airflow/decorators/.*$|
@@ -825,7 +823,7 @@ repos:
         language: node
         stages: ['manual']
         types_or: [javascript, ts, tsx]
-        files: ^airflow/ui/|^airflow/auth/managers/simple/ui/
+        files: ^airflow/ui/|^airflow/api_fastapi/auth/managers/simple/ui/
         entry: ./scripts/ci/pre_commit/compile_ui_assets.py
         pass_filenames: false
         additional_dependencies: ['[email protected]']
@@ -842,7 +840,7 @@ repos:
         language: node
         stages: ['manual']
         types_or: [javascript, ts, tsx]
-        files: ^airflow/ui/|^airflow/auth/managers/simple/ui/
+        files: ^airflow/ui/|^airflow/api_fastapi/auth/managers/simple/ui/
         entry: ./scripts/ci/pre_commit/compile_ui_assets_dev.py
         pass_filenames: false
         additional_dependencies: ['[email protected]']
@@ -1131,15 +1129,6 @@ repos:
         additional_dependencies: ['rich>=12.4.4']
         pass_filenames: false
         files: ^tests/.*\.py$
-      - id: ts-compile-format-lint-ui
-        name: Compile / format / lint UI
-        description: TS types generation / ESLint / Prettier new UI files
-        language: node
-        types_or: [javascript, ts, tsx, yaml, css, json]
-        files: ^airflow/ui/|^airflow/api_fastapi/core_api/openapi/v1-generated\.yaml$|^airflow/auth/managers/simple/ui/|^airflow/auth/managers/simple/openapi/v1-generated\.yaml$
-        entry: ./scripts/ci/pre_commit/lint_ui.py
-        additional_dependencies: ['[email protected]']
-        pass_filenames: false
       - id: check-tests-unittest-testcase
         name: Unit tests do not inherit from unittest.TestCase
         description: Check that unit tests do not inherit from unittest.TestCase
@@ -1324,15 +1313,19 @@ repos:
         language: python
         entry: ./scripts/ci/pre_commit/update_fastapi_api_spec.py
         pass_filenames: false
-        files: ^airflow/api_fastapi/.*\.py$|^airflow/auth/managers/simple/.*\.py$|^providers/fab/src/airflow/providers/fab/auth_manager/api_fastapi/.*\.py$
+        files: ^airflow/api_fastapi/.*\.py$|^airflow/api_fastapi/auth/managers/simple/.*\.py$|^providers/fab/src/airflow/providers/fab/auth_manager/api_fastapi/.*\.py$
         exclude: ^airflow/api_fastapi/execution_api/.*
         additional_dependencies: ['rich>=12.4.4']
       - id: ts-compile-format-lint-ui
         name: Compile / format / lint UI
         description: TS types generation / ESLint / Prettier new UI files
         language: node
         types_or: [javascript, ts, tsx, yaml, css, json]
-        files: ^airflow/ui/|^airflow/api_fastapi/core_api/openapi/v1-generated\.yaml$|^airflow/auth/managers/simple/ui/|^airflow/auth/managers/simple/openapi/v1-generated\.yaml$
+        files: |
+          (?x)
+          ^airflow/ui/|^airflow/api_fastapi/core_api/openapi/v1-generated\.yaml$ |
+          ^airflow/api_fastapi/auth/managers/simple/ui/ |
+          ^airflow/api_fastapi/auth/managers/simple/openapi/v1-generated\.yaml$
         entry: ./scripts/ci/pre_commit/lint_ui.py
         additional_dependencies: ['[email protected]']
         pass_filenames: false

diff --git a/INTHEWILD.md b/INTHEWILD.md
@@ -274,6 +274,7 @@ Currently, **officially** using Airflow:
 1. [HP Inc](https://www.hp.com/) [[@hpinc](https://github.com/HPInc)]
 1. [Huq Industries](https://huq.io) [[@huqindustries](https://github.com/huq-industries), [@alepuccetti](https://github.com/alepuccetti), [@turbomerl](https://github.com/turbomerl)]
 1. [Hurb](https://hurb.com/) [[@hurbcom](https://github.com/hurbcom)]
+1. [Idrica](https://www.idrica.com/) [[@xavipuerto](https://github.com/xavipuerto)]
 1. [Iflix](https://piay.iflix.com) [[@ChaturvediSulabh](https://github.com/ChaturvediSulabh)]
 1. [IFTTT](https://www.ifttt.com/) [[@apurvajoshi](https://github.com/apurvajoshi)]
 1. [iHeartRadio](http://www.iheart.com/) [[@yiwang](https://github.com/yiwang)]

diff --git a/LICENSE b/LICENSE
@@ -220,7 +220,6 @@ at 3rd-party-licenses/LICENSE-[project].txt.
     (ALv2 License) hue v4.3.0 (https://github.com/cloudera/hue/)
     (ALv2 License) jqclock v2.3.0 (https://github.com/JohnRDOrazio/jQuery-Clock-Plugin)
     (ALv2 License) bootstrap3-typeahead v4.0.2 (https://github.com/bassjobsen/Bootstrap-3-Typeahead)
-    (ALv2 License) connexion v2.7.0 (https://github.com/zalando/connexion)
 
 ========================================================================
 MIT licenses

diff --git a/airflow/api_connexion/schemas/dag_schema.py b/airflow/api_connexion/schemas/dag_schema.py
diff --git a/airflow/api_fastapi/app.py b/airflow/api_fastapi/app.py
@@ -38,7 +38,7 @@
 from airflow.exceptions import AirflowConfigException
 
 if TYPE_CHECKING:
-    from airflow.auth.managers.base_auth_manager import BaseAuthManager
+    from airflow.api_fastapi.auth.managers.base_auth_manager import BaseAuthManager
 
 log = logging.getLogger(__name__)
 

diff --git a/airflow/auth/__init__.py → airflow/api_fastapi/auth/__init__.py b/airflow/auth/__init__.py → airflow/api_fastapi/auth/__init__.py
diff --git a/airflow/auth/managers/__init__.py → ...low/api_fastapi/auth/managers/__init__.py b/airflow/auth/managers/__init__.py → ...low/api_fastapi/auth/managers/__init__.py
diff --git a/airflow/auth/managers/base_auth_manager.py → ...astapi/auth/managers/base_auth_manager.py b/airflow/auth/managers/base_auth_manager.py → ...astapi/auth/managers/base_auth_manager.py
@@ -24,8 +24,8 @@
 from jwt import InvalidTokenError
 from sqlalchemy import select
 
-from airflow.auth.managers.models.base_user import BaseUser
-from airflow.auth.managers.models.resource_details import DagDetails
+from airflow.api_fastapi.auth.managers.models.base_user import BaseUser
+from airflow.api_fastapi.auth.managers.models.resource_details import DagDetails
 from airflow.configuration import conf
 from airflow.models import DagModel
 from airflow.typing_compat import Literal
@@ -39,14 +39,15 @@
     from fastapi import FastAPI
     from sqlalchemy.orm import Session
 
-    from airflow.auth.managers.models.batch_apis import (
+    from airflow.api_fastapi.auth.managers.models.batch_apis import (
         IsAuthorizedConnectionRequest,
         IsAuthorizedDagRequest,
         IsAuthorizedPoolRequest,
         IsAuthorizedVariableRequest,
     )
-    from airflow.auth.managers.models.resource_details import (
+    from airflow.api_fastapi.auth.managers.models.resource_details import (
         AccessView,
+        AssetAliasDetails,
         AssetDetails,
         ConfigurationDetails,
         ConnectionDetails,
@@ -107,6 +108,15 @@ def get_jwt_token(
     def get_url_login(self, **kwargs) -> str:
         """Return the login page url."""
 
+    def logout(self) -> None:
+        """
+        Logout the user.
+
+        This method is called when the user is logging out. By default, it does nothing. Override it to
+        invalidate resources when logging out, such as a session.
+        """
+        return None
+
     @abstractmethod
     def is_authorized_configuration(
         self,
@@ -174,6 +184,22 @@ def is_authorized_asset(
         :param details: optional details about the asset
         """
 
+    @abstractmethod
+    def is_authorized_asset_alias(
+        self,
+        *,
+        method: ResourceMethod,
+        user: T,
+        details: AssetAliasDetails | None = None,
+    ) -> bool:
+        """
+        Return whether the user is authorized to perform a given action on an asset alias.
+
+        :param method: the method to perform
+        :param user: the user to perform the action on
+        :param details: optional details about the asset alias
+        """
+
     @abstractmethod
     def is_authorized_pool(
         self,

diff --git a/airflow/auth/managers/models/__init__.py → ..._fastapi/auth/managers/models/__init__.py b/airflow/auth/managers/models/__init__.py → ..._fastapi/auth/managers/models/__init__.py
diff --git a/airflow/auth/managers/models/base_user.py → ...fastapi/auth/managers/models/base_user.py b/airflow/auth/managers/models/base_user.py → ...fastapi/auth/managers/models/base_user.py
diff --git a/airflow/auth/managers/models/batch_apis.py → ...astapi/auth/managers/models/batch_apis.py b/airflow/auth/managers/models/batch_apis.py → ...astapi/auth/managers/models/batch_apis.py
@@ -20,8 +20,8 @@
 from typing import TYPE_CHECKING, TypedDict
 
 if TYPE_CHECKING:
-    from airflow.auth.managers.base_auth_manager import ResourceMethod
-    from airflow.auth.managers.models.resource_details import (
+    from airflow.api_fastapi.auth.managers.base_auth_manager import ResourceMethod
+    from airflow.api_fastapi.auth.managers.models.resource_details import (
         ConnectionDetails,
         DagAccessEntity,
         DagDetails,

diff --git a/.../auth/managers/models/resource_details.py → .../auth/managers/models/resource_details.py b/.../auth/managers/models/resource_details.py → .../auth/managers/models/resource_details.py
@@ -49,6 +49,13 @@ class AssetDetails:
     id: str | None = None
 
 
+@dataclass
+class AssetAliasDetails:
+    """Represents the details of an asset alias."""
+
+    id: str | None = None
+
+
 @dataclass
 class PoolDetails:
     """Represents the details of a pool."""

diff --git a/airflow/auth/managers/simple/__init__.py → ..._fastapi/auth/managers/simple/__init__.py b/airflow/auth/managers/simple/__init__.py → ..._fastapi/auth/managers/simple/__init__.py
diff --git a/...th/managers/simple/datamodels/__init__.py → ...th/managers/simple/datamodels/__init__.py b/...th/managers/simple/datamodels/__init__.py → ...th/managers/simple/datamodels/__init__.py
diff --git a/.../auth/managers/simple/datamodels/login.py → .../auth/managers/simple/datamodels/login.py b/.../auth/managers/simple/datamodels/login.py → .../auth/managers/simple/datamodels/login.py
diff --git a/.../auth/managers/simple/openapi/__init__.py → .../auth/managers/simple/openapi/__init__.py b/.../auth/managers/simple/openapi/__init__.py → .../auth/managers/simple/openapi/__init__.py
diff --git a/...managers/simple/openapi/v1-generated.yaml → ...managers/simple/openapi/v1-generated.yaml b/...managers/simple/openapi/v1-generated.yaml → ...managers/simple/openapi/v1-generated.yaml
@@ -7,6 +7,25 @@ info:
   version: 0.1.0
 paths:
   /auth/token:
+    get:
+      tags:
+      - SimpleAuthManagerLogin
+      summary: Create Token All Admins
+      description: Create a token with no credentials only if ``simple_auth_manager_all_admins``
+        is True.
+      operationId: create_token_all_admins
+      responses:
+        '307':
+          description: Successful Response
+          content:
+            application/json:
+              schema: {}
+        '403':
+          description: Forbidden
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/HTTPExceptionResponse'
     post:
       tags:
       - SimpleAuthManagerLogin

diff --git a/...w/auth/managers/simple/routes/__init__.py → ...i/auth/managers/simple/routes/__init__.py b/...w/auth/managers/simple/routes/__init__.py → ...i/auth/managers/simple/routes/__init__.py