feat(AIP-84): Add Auth for ui assets (#47485)

* feat(AIP-84): Add Auth for ui assets

* build: rebuild airflow/api_fastapi/core_api/openapi/v1-generated.yaml

* feat(api_fastapi): remove dag_id param from request_dag_access

* test: fix require_access_dag tests

Author: Lee-W

airflow/api_fastapi/core_api/openapi/v1-generated.yaml

@@ -13,6 +13,8 @@ paths:
       - Asset
       summary: Next Run Assets
       operationId: next_run_assets
+      security:
+      - OAuth2PasswordBearer: []
       parameters:
       - name: dag_id
         in: path
@@ -1025,14 +1027,6 @@ paths:
           - type: string
           - type: 'null'
           title: Before
-      - name: dag_id
-        in: query
-        required: false
-        schema:
-          anyOf:
-          - type: string
-          - type: 'null'
-          title: Dag Id
       responses:
         '204':
           description: Successful Response
@@ -1121,9 +1115,7 @@ paths:
         in: path
         required: true
         schema:
-          anyOf:
-          - type: string
-          - type: 'null'
+          type: string
           title: Dag Id
       - name: before
         in: query
@@ -1176,9 +1168,7 @@ paths:
         in: path
         required: true
         schema:
-          anyOf:
-          - type: string
-          - type: 'null'
+          type: string
           title: Dag Id
       - name: before
         in: query
@@ -1235,9 +1225,7 @@ paths:
         in: path
         required: true
         schema:
-          anyOf:
-          - type: string
-          - type: 'null'
+          type: string
           title: Dag Id
       - name: asset_id
         in: path
@@ -1297,9 +1285,7 @@ paths:
         in: path
         required: true
         schema:
-          anyOf:
-          - type: string
-          - type: 'null'
+          type: string
           title: Dag Id
       - name: asset_id
         in: path
@@ -3595,14 +3581,6 @@ paths:
         schema:
           type: integer
           title: Event Log Id
-      - name: dag_id
-        in: query
-        required: false
-        schema:
-          anyOf:
-          - type: string
-          - type: 'null'
-          title: Dag Id
       responses:
         '200':
           description: Successful Response
@@ -3644,14 +3622,6 @@ paths:
       security:
       - OAuth2PasswordBearer: []
       parameters:
-      - name: dag_id
-        in: query
-        required: false
-        schema:
-          anyOf:
-          - type: string
-          - type: 'null'
-          title: Dag Id
       - name: limit
         in: query
         required: false
@@ -3675,6 +3645,14 @@ paths:
           type: string
           default: id
           title: Order By
+      - name: dag_id
+        in: query
+        required: false
+        schema:
+          anyOf:
+          - type: string
+          - type: 'null'
+          title: Dag Id
       - name: task_id
         in: query
         required: false
@@ -3801,9 +3779,7 @@ paths:
         in: path
         required: true
         schema:
-          anyOf:
-          - type: string
-          - type: 'null'
+          type: string
           title: Dag Id
       - name: dag_run_id
         in: path

airflow/api_fastapi/core_api/routes/ui/assets.py

@@ -17,18 +17,22 @@
 
 from __future__ import annotations
 
-from fastapi import HTTPException, Request, status
+from fastapi import Depends, HTTPException, Request, status
 from sqlalchemy import and_, func, select
 
 from airflow.api_fastapi.common.db.common import SessionDep
 from airflow.api_fastapi.common.router import AirflowRouter
+from airflow.api_fastapi.core_api.security import requires_access_asset, requires_access_dag
 from airflow.models import DagModel
 from airflow.models.asset import AssetDagRunQueue, AssetEvent, AssetModel, DagScheduleAssetReference
 
 assets_router = AirflowRouter(tags=["Asset"])
 
 
-@assets_router.get("/next_run_assets/{dag_id}")
+@assets_router.get(
+    "/next_run_assets/{dag_id}",
+    dependencies=[Depends(requires_access_asset(method="GET")), Depends(requires_access_dag(method="GET"))],
+)
 def next_run_assets(
     dag_id: str,
     request: Request,
@@ -40,7 +44,6 @@ def next_run_assets(
         raise HTTPException(status.HTTP_404_NOT_FOUND, f"can't find dag {dag_id}")
 
     dag_model = DagModel.get_dagmodel(dag_id, session=session)
-
     if dag_model is None:
         raise HTTPException(status.HTTP_404_NOT_FOUND, f"can't find associated dag_model {dag_id}")
 

airflow/api_fastapi/core_api/security.py

@@ -81,9 +81,11 @@ async def get_user_with_exception_handling(request: Request) -> BaseUser | None:
 
 def requires_access_dag(method: ResourceMethod, access_entity: DagAccessEntity | None = None) -> Callable:
     def inner(
+        request: Request,
         user: Annotated[BaseUser, Depends(get_user)],
-        dag_id: str | None = None,
     ) -> None:
+        dag_id = request.path_params.get("dag_id") or request.query_params.get("dag_id")
+
         _requires_access(
             is_authorized_callback=lambda: get_auth_manager().is_authorized_dag(
                 method=method, access_entity=access_entity, details=DagDetails(id=dag_id), user=user

airflow/ui/openapi-gen/queries/common.ts

@@ -856,14 +856,12 @@ export type EventLogServiceGetEventLogQueryResult<
 export const useEventLogServiceGetEventLogKey = "EventLogServiceGetEventLog";
 export const UseEventLogServiceGetEventLogKeyFn = (
   {
-    dagId,
     eventLogId,
   }: {
-    dagId?: string;
     eventLogId: number;
   },
   queryKey?: Array<unknown>,
-) => [useEventLogServiceGetEventLogKey, ...(queryKey ?? [{ dagId, eventLogId }])];
+) => [useEventLogServiceGetEventLogKey, ...(queryKey ?? [{ eventLogId }])];
 export type EventLogServiceGetEventLogsDefaultResponse = Awaited<
   ReturnType<typeof EventLogService.getEventLogs>
 >;

airflow/ui/openapi-gen/queries/prefetch.ts

@@ -1164,32 +1164,29 @@ export const prefetchUseDagServiceGetDagTags = (
  * Get Event Log
  * @param data The data for the request.
  * @param data.eventLogId
- * @param data.dagId
  * @returns EventLogResponse Successful Response
  * @throws ApiError
  */
 export const prefetchUseEventLogServiceGetEventLog = (
   queryClient: QueryClient,
   {
-    dagId,
     eventLogId,
   }: {
-    dagId?: string;
     eventLogId: number;
   },
 ) =>
   queryClient.prefetchQuery({
-    queryKey: Common.UseEventLogServiceGetEventLogKeyFn({ dagId, eventLogId }),
-    queryFn: () => EventLogService.getEventLog({ dagId, eventLogId }),
+    queryKey: Common.UseEventLogServiceGetEventLogKeyFn({ eventLogId }),
+    queryFn: () => EventLogService.getEventLog({ eventLogId }),
   });
 /**
  * Get Event Logs
  * Get all Event Logs.
  * @param data The data for the request.
- * @param data.dagId
  * @param data.limit
  * @param data.offset
  * @param data.orderBy
+ * @param data.dagId
  * @param data.taskId
  * @param data.runId
  * @param data.mapIndex

airflow/ui/openapi-gen/queries/queries.ts

@@ -1404,7 +1404,6 @@ export const useDagServiceGetDagTags = <
  * Get Event Log
  * @param data The data for the request.
  * @param data.eventLogId
- * @param data.dagId
  * @returns EventLogResponse Successful Response
  * @throws ApiError
  */
@@ -1414,28 +1413,26 @@ export const useEventLogServiceGetEventLog = <
   TQueryKey extends Array<unknown> = unknown[],
 >(
   {
-    dagId,
     eventLogId,
   }: {
-    dagId?: string;
     eventLogId: number;
   },
   queryKey?: TQueryKey,
   options?: Omit<UseQueryOptions<TData, TError>, "queryKey" | "queryFn">,
 ) =>
   useQuery<TData, TError>({
-    queryKey: Common.UseEventLogServiceGetEventLogKeyFn({ dagId, eventLogId }, queryKey),
-    queryFn: () => EventLogService.getEventLog({ dagId, eventLogId }) as TData,
+    queryKey: Common.UseEventLogServiceGetEventLogKeyFn({ eventLogId }, queryKey),
+    queryFn: () => EventLogService.getEventLog({ eventLogId }) as TData,
     ...options,
   });
 /**
  * Get Event Logs
  * Get all Event Logs.
  * @param data The data for the request.
- * @param data.dagId
  * @param data.limit
  * @param data.offset
  * @param data.orderBy
+ * @param data.dagId
  * @param data.taskId
  * @param data.runId
  * @param data.mapIndex
@@ -4351,7 +4348,6 @@ export const useVariableServiceBulkVariables = <
  * @param data The data for the request.
  * @param data.assetId
  * @param data.before
- * @param data.dagId
  * @returns void Successful Response
  * @throws ApiError
  */
@@ -4367,7 +4363,6 @@ export const useAssetServiceDeleteAssetQueuedEvents = <
       {
         assetId: number;
         before?: string;
-        dagId?: string;
       },
       TContext
     >,
@@ -4380,12 +4375,11 @@ export const useAssetServiceDeleteAssetQueuedEvents = <
     {
       assetId: number;
       before?: string;
-      dagId?: string;
     },
     TContext
   >({
-    mutationFn: ({ assetId, before, dagId }) =>
-      AssetService.deleteAssetQueuedEvents({ assetId, before, dagId }) as unknown as Promise<TData>,
+    mutationFn: ({ assetId, before }) =>
+      AssetService.deleteAssetQueuedEvents({ assetId, before }) as unknown as Promise<TData>,
     ...options,
   });
 /**

airflow/ui/openapi-gen/queries/suspense.ts

@@ -1381,7 +1381,6 @@ export const useDagServiceGetDagTagsSuspense = <
  * Get Event Log
  * @param data The data for the request.
  * @param data.eventLogId
- * @param data.dagId
  * @returns EventLogResponse Successful Response
  * @throws ApiError
  */
@@ -1391,28 +1390,26 @@ export const useEventLogServiceGetEventLogSuspense = <
   TQueryKey extends Array<unknown> = unknown[],
 >(
   {
-    dagId,
     eventLogId,
   }: {
-    dagId?: string;
     eventLogId: number;
   },
   queryKey?: TQueryKey,
   options?: Omit<UseQueryOptions<TData, TError>, "queryKey" | "queryFn">,
 ) =>
   useSuspenseQuery<TData, TError>({
-    queryKey: Common.UseEventLogServiceGetEventLogKeyFn({ dagId, eventLogId }, queryKey),
-    queryFn: () => EventLogService.getEventLog({ dagId, eventLogId }) as TData,
+    queryKey: Common.UseEventLogServiceGetEventLogKeyFn({ eventLogId }, queryKey),
+    queryFn: () => EventLogService.getEventLog({ eventLogId }) as TData,
     ...options,
   });
 /**
  * Get Event Logs
  * Get all Event Logs.
  * @param data The data for the request.
- * @param data.dagId
  * @param data.limit
  * @param data.offset
  * @param data.orderBy
+ * @param data.dagId
  * @param data.taskId
  * @param data.runId
  * @param data.mapIndex

airflow/ui/openapi-gen/requests/services.gen.ts

@@ -448,7 +448,6 @@ export class AssetService {
    * @param data The data for the request.
    * @param data.assetId
    * @param data.before
-   * @param data.dagId
    * @returns void Successful Response
    * @throws ApiError
    */
@@ -463,7 +462,6 @@ export class AssetService {
       },
       query: {
         before: data.before,
-        dag_id: data.dagId,
       },
       errors: {
         401: "Unauthorized",
@@ -1904,7 +1902,6 @@ export class EventLogService {
    * Get Event Log
    * @param data The data for the request.
    * @param data.eventLogId
-   * @param data.dagId
    * @returns EventLogResponse Successful Response
    * @throws ApiError
    */
@@ -1915,9 +1912,6 @@ export class EventLogService {
       path: {
         event_log_id: data.eventLogId,
       },
-      query: {
-        dag_id: data.dagId,
-      },
       errors: {
         401: "Unauthorized",
         403: "Forbidden",
@@ -1931,10 +1925,10 @@ export class EventLogService {
    * Get Event Logs
    * Get all Event Logs.
    * @param data The data for the request.
-   * @param data.dagId
    * @param data.limit
    * @param data.offset
    * @param data.orderBy
+   * @param data.dagId
    * @param data.taskId
    * @param data.runId
    * @param data.mapIndex
@@ -1953,10 +1947,10 @@ export class EventLogService {
       method: "GET",
       url: "/public/eventLogs",
       query: {
-        dag_id: data.dagId,
         limit: data.limit,
         offset: data.offset,
         order_by: data.orderBy,
+        dag_id: data.dagId,
         task_id: data.taskId,
         run_id: data.runId,
         map_index: data.mapIndex,