refactor: cleanups

sweb · sweb · commit cd5d7d5ba46b · 2026-05-28T12:54:10.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,7 +24,7 @@ All notable changes to this project will be documented in this file.
 - vector: Look for SBOM in correct location ([#1471]).
 - vector: Use correct license ([#1476]).
 - trino: Build a patched Airlift from source and depend on it to backport [airlift/airlift#1943](https://github.com/airlift/airlift/pull/1943), applying the configured max response header size to Jetty's `maxResponseHeaderSize` ([#1510]).
-- airflow: Route DAG listings and menu items through OPA in the Airflow 3 OPA auth manager, and wire the OPA cache on the FastAPI api-server init path ([#XXXX]).
+- airflow: Route DAG listings and menu items through OPA in the Airflow 3 OPA auth manager, and wire the OPA cache on the FastAPI api-server init path ([#1512]).
 
 ### Removed
 
@@ -43,6 +43,7 @@ All notable changes to this project will be documented in this file.
 [#1493]: https://github.com/stackabletech/docker-images/pull/1493
 [#1509]: https://github.com/stackabletech/docker-images/pull/1509
 [#1510]: https://github.com/stackabletech/docker-images/pull/1510
+[#1512]: https://github.com/stackabletech/docker-images/pull/1512
 
 ## [26.3.0] - 2026-03-16
 
diff --git a/airflow/opa-auth-manager/airflow-3/opa_auth_manager/opa_fab_auth_manager.py b/airflow/opa-auth-manager/airflow-3/opa_auth_manager/opa_fab_auth_manager.py
@@ -103,14 +103,16 @@ def _init_opa_resources(self) -> None:
         """
         Set up the OPA cache and HTTP session.
 
-        Idempotent so it can be called from both ``init`` (FastAPI api-server)
-        and ``init_flask_resources`` (Flask AppBuilder) — only one of the two
-        runs depending on the Airflow component.
+        Called from both ``init`` (FastAPI api-server) and
+        ``init_flask_resources`` (Flask AppBuilder). In Airflow 3 both run
+        during a single api-server startup but on *different*
+        OpaFabAuthManager instances — ``init_appbuilder`` calls
+        ``create_auth_manager()`` again, which constructs a fresh instance.
+        The api-server instance is reachable via
+        ``request.app.state.auth_manager``; the FAB instance is returned by
+        ``get_auth_manager()``. Both need their own cache and session.
         """
 
-        if getattr(self, "opa_cache", None) is not None:
-            return
-
         Stats.incr(METRIC_NAME_OPA_CACHE_LIMIT_REACHED, count=0)
 
         self.opa_cache = Cache(
@@ -590,11 +592,18 @@ def get_authorized_dag_ids(
         # FabAuthManager's implementation consults the user's FAB DB role
         # permissions and bypasses is_authorized_dag entirely, which makes any
         # user without a FAB role (e.g. the default Public role) see an empty
-        # DAG list even when OPA would allow them. Re-implement the
-        # BaseAuthManager default: list all DAG ids and filter them via
-        # is_authorized_dag → OPA.
+        # DAG list even when OPA would allow them. List all DAG ids and filter
+        # them via is_authorized_dag → OPA directly, without going through
+        # filter_authorized_dag_ids — the Fab base class may add a DB-backed
+        # override of that method in the future.
         dag_ids = {dag.dag_id for dag in session.execute(select(DagModel.dag_id))}
-        return self.filter_authorized_dag_ids(dag_ids=dag_ids, method=method, user=user)
+        return {
+            dag_id
+            for dag_id in dag_ids
+            if self.is_authorized_dag(
+                method=method, details=DagDetails(id=dag_id), user=user
+            )
+        }
 
     @override
     def filter_authorized_menu_items(
diff --git a/airflow/opa-auth-manager/airflow-3/tests/test_opa_fab_auth_manager.py b/airflow/opa-auth-manager/airflow-3/tests/test_opa_fab_auth_manager.py
@@ -389,6 +389,23 @@ def test_filter_authorized_menu_items_routes_through_opa(
         )
         assert denied == []
 
+    def test_filter_authorized_menu_items_denies_unknown(
+        self, auth_manager_with_appbuilder, mock_opa
+    ):
+        # A MenuItem value not handled by _is_menu_item_authorized (e.g. one
+        # introduced in a future Airflow version) must fail closed: denied
+        # without consulting OPA, so a new UI surface isn't silently exposed
+        # before the dispatch table is updated.
+        unknown = Mock(spec=MenuItem)
+        unknown.name = "FUTURE_THING"
+
+        result = auth_manager_with_appbuilder.filter_authorized_menu_items(
+            [unknown], user=_make_user()
+        )
+
+        assert result == []
+        assert mock_opa.calls == []
+
     def test_filter_authorized_menu_items_preserves_order_and_filters(
         self, auth_manager_with_appbuilder, mock_opa
     ):
