From b7a7fd66d693dbfbc471a6d08bc274441ee4841c Mon Sep 17 00:00:00 2001
From: Thomas Brockmeier
Date: Tue, 4 Dec 2018 15:16:50 +0100
Subject: [PATCH 1/4] [AIRFLOW-1552] - Query PasswordUser on password login

---
 .../contrib/auth/backends/password_auth.py | 8 +---
 .../41f5f12752f8_add_superuser_field.py | 43 +++++++++++++++++++
 airflow/models.py | 2 +-
 3 files changed, 46 insertions(+), 7 deletions(-)
 create mode 100644 airflow/migrations/versions/41f5f12752f8_add_superuser_field.py

diff --git a/airflow/contrib/auth/backends/password_auth.py b/airflow/contrib/auth/backends/password_auth.py
index 55f5daf8fdf76..d0dfebd6590d9 100644
--- a/airflow/contrib/auth/backends/password_auth.py
+++ b/airflow/contrib/auth/backends/password_auth.py
@@ -94,10 +94,6 @@ def data_profiling(self):
 """Provides access to data profiling tools"""
 return True
 
- def is_superuser(self):
- """Access all the things"""
- return True
-
 
 @login_manager.user_loader
 @provide_session
@@ -106,8 +102,8 @@ def load_user(userid, session=None):
 if not userid or userid == 'None':
 return None
 
- user = session.query(models.User).filter(models.User.id == int(userid)).first()
- return PasswordUser(user)
+ user = session.query(PasswordUser).filter(PasswordUser.id == int(userid)).first()
+ return user
 
 
 def authenticate(session, username, password):
diff --git a/airflow/migrations/versions/41f5f12752f8_add_superuser_field.py b/airflow/migrations/versions/41f5f12752f8_add_superuser_field.py
new file mode 100644
index 0000000000000..c7c19640068d0
--- /dev/null
+++ b/airflow/migrations/versions/41f5f12752f8_add_superuser_field.py
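Review bot: Removing the `is_superuser` override that returned `True` unconditionally changes the authorization outcome for every account on this backend, and the diffstat (three files, none of them tests) shows nothing that pins the new behaviour. With the override gone, the check resolves to whatever `PasswordUser` inherits, presumably the base model's `superuser` value, which is not visible in this hunk. A regression test that loads a user whose `superuser` is unset and asserts `is_superuser()` is false, plus one for a user with it set, would keep the privilege check from silently reverting to allow-all. The class body and `load_user` both start outside the hunks shown.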
@@ -0,0 +1,43 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""empty message
+
+Revision ID: 41f5f12752f8
+Revises: 03bc53e68815
+Create Date: 2018-12-04 15:50:04.456875
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '41f5f12752f8'
+down_revision = '03bc53e68815'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+ op.add_column('users', sa.Column('superuser', sa.Boolean(), default=False))
+
+
+def downgrade():
+ op.drop_column('users', 'superuser')
diff --git a/airflow/models.py b/airflow/models.py
index 1bca27cbc8192..a6d0ebbd73e28 100755
--- a/airflow/models.py
+++ b/airflow/models.py
@@ -601,7 +601,7 @@ class User(Base):
 id = Column(Integer, primary_key=True)
 username = Column(String(ID_LEN), unique=True)
 email = Column(String(500))
- superuser = False
+ superuser = Column(Boolean(), default=False)
 
 def __repr__(self):
 return self.username
From 43e8865151c98b4c344f32e543f7d82c1f960029 Mon Sep 17 00:00:00 2001
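Review bot: `default=False` on the new `superuser` column in `upgrade()` is a Python-side SQLAlchemy default, so the `add_column` emits no DEFAULT clause and every row already in `users` ends up with NULL rather than `False`. NULL is falsy, so the privilege check fails closed, but a three-state privilege flag is easy to mishandle later: a query such as `filter(User.superuser == False)` will not match the NULL rows. I would declare it as `sa.Column('superuser', sa.Boolean(), nullable=False, server_default=sa.false())` here and add `nullable=False` to `User.superuser` in the `airflow/models.py` hunk, which has the same shape. A short comment in `upgrade()` stating that no existing account is promoted by the migration would also help operators reading it.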
From: Thomas Brockmeier
Date: Wed, 5 Dec 2018 10:27:47 +0100
Subject: [PATCH 2/4] [AIRFLOW-1552] Airflow Filter_by_owner not working with password_auth

Querying on PasswordUser may break API. Query on User and cast to PasswordUser like before, but now check against `password_user_instance.user.superuser`
---
 airflow/contrib/auth/backends/password_auth.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/airflow/contrib/auth/backends/password_auth.py b/airflow/contrib/auth/backends/password_auth.py
index d0dfebd6590d9..dcdb1d1225d42 100644
--- a/airflow/contrib/auth/backends/password_auth.py
+++ b/airflow/contrib/auth/backends/password_auth.py
@@ -94,6 +94,9 @@ def data_profiling(self):
 """Provides access to data profiling tools"""
 return True
 
+ def is_superuser(self):
+ return hasattr(self, 'user') and self.user.is_superuser()
+
 
 @login_manager.user_loader
 @provide_session
@@ -102,8 +105,8 @@ def load_user(userid, session=None):
 if not userid or userid == 'None':
 return None
 
- user = session.query(PasswordUser).filter(PasswordUser.id == int(userid)).first()
- return user
+ user = session.query(models.User).filter(models.User.id == int(userid)).first()
+ return PasswordUser(user)
 
 
 def authenticate(session, username, password):
From 2a9c0d0a485af8c4d64063a73519044e9476a3f8 Mon Sep 17 00:00:00 2001
From: thomasbrockmeier
Date: Thu, 6 Dec 2018 14:37:18 +0100
Subject: [PATCH 3/4] [AIRFLOW-1552] Airflow Filter_by_owner not working with password_auth

Add note to UPDATING.md
---
 UPDATING.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/UPDATING.md b/UPDATING.md
index 88dc78c810d2d..a425f731ea269 100644
--- a/UPDATING.md
+++ b/UPDATING.md
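Review bot: The `hasattr(self, 'user')` guard in the new `is_superuser` does not cover `self.user` being `None`, which is what `load_user` hands over when `.first()` finds no row, because it returns `PasswordUser(user)` unconditionally. Assuming the constructor stores its argument as `self.user` (not shown here), a session that outlives a deleted account would raise `AttributeError` on the first permission check instead of being treated as logged out. I would end `load_user` with `return PasswordUser(user) if user is not None else None` and write the check as `user = getattr(self, 'user', None)` followed by `return bool(user and user.is_superuser())`. The guard also implies that instances without a `user` attribute exist and are silently reported as non-superusers; a one-line docstring on `is_superuser` saying so would replace the one PATCH 1/4 removed. Both function bodies continue outside the hunks.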
@@ -76,6 +76,25 @@ To delete a user:
 airflow users --delete --username jondoe
 ```
 
+### User model changes
+This patch changes the `User.superuser` field from a hardcoded boolean to a `Boolean()` database column. `User.superuser` will default to `False`, which means that this privilege will have to be granted manually to any users that may require it.
+
+For example, open a Python shell and
+```python
+from airflow import models, settings
+
+session = settings.Session()
+users = session.query(models.User).all() # [admin, regular_user]
+
+users[1].superuser # False
+
+admin = users[0]
+admin.superuser = True
+session.add(admin)
+session.commit()
+
+```
+
 ## Airflow 1.10.1
 
 ### StatsD Metrics
From 78bedc630a773278016315b73de711fe08bbde43 Mon Sep 17 00:00:00 2001
From: thomasbrockmeier
Date: Mon, 10 Dec 2018 14:08:50 +0100
Subject: [PATCH 4/4] [AIRFLOW-1552] Add migration description

---
 UPDATING.md | 1 -
 .../migrations/versions/41f5f12752f8_add_superuser_field.py | 3 +--
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/UPDATING.md b/UPDATING.md
index a425f731ea269..814e2e107dc0c 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -92,7 +92,6 @@ admin = users[0]
 admin.superuser = True
 session.add(admin)
 session.commit()
-
 ```
 
 ## Airflow 1.10.1
diff --git a/airflow/migrations/versions/41f5f12752f8_add_superuser_field.py b/airflow/migrations/versions/41f5f12752f8_add_superuser_field.py
index c7c19640068d0..6e02582b7e840 100644
--- a/airflow/migrations/versions/41f5f12752f8_add_superuser_field.py
+++ b/airflow/migrations/versions/41f5f12752f8_add_superuser_field.py
@@ -1,4 +1,3 @@
-#
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements. See the NOTICE file
 # distributed with this work for additional information
@@ -16,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 
-"""empty message
+"""add superuser field
 
 Revision ID: 41f5f12752f8
 Revises: 03bc53e68815