From f4895079d5b35fa886bcfba69882783ba76b9f6c Mon Sep 17 00:00:00 2001 From: vincbeck Date: Wed, 16 Oct 2024 16:12:05 -0400 Subject: [PATCH 1/5] Remove `default` as auth backend --- airflow/api/__init__.py | 8 ++--- airflow/api/auth/backend/default.py | 42 ------------------------- airflow/config_templates/config.yml | 3 +- airflow/config_templates/unit_tests.cfg | 2 +- airflow/configuration.py | 5 +-- airflow/www/extensions/init_security.py | 8 ++--- newsfragments/43096.significant.rst | 1 + 7 files changed, 8 insertions(+), 61 deletions(-) delete mode 100644 airflow/api/auth/backend/default.py create mode 100644 newsfragments/43096.significant.rst diff --git a/airflow/api/__init__.py b/airflow/api/__init__.py index d0613bb651faa..10c1ce6cea3c3 100644 --- a/airflow/api/__init__.py +++ b/airflow/api/__init__.py @@ -23,18 +23,14 @@ from importlib import import_module from airflow.configuration import conf -from airflow.exceptions import AirflowConfigException, AirflowException +from airflow.exceptions import AirflowException log = logging.getLogger(__name__) def load_auth(): """Load authentication backends.""" - auth_backends = "airflow.api.auth.backend.default" - try: - auth_backends = conf.get("api", "auth_backends") - except AirflowConfigException: - pass + auth_backends = conf.get("api", "auth_backends") backends = [] try: diff --git a/airflow/api/auth/backend/default.py b/airflow/api/auth/backend/default.py deleted file mode 100644 index afe2c88f35f0c..0000000000000 --- a/airflow/api/auth/backend/default.py +++ /dev/null @@ -1,42 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -"""Default authentication backend - everything is allowed.""" - -from __future__ import annotations - -from functools import wraps -from typing import Any, Callable, TypeVar, cast - -CLIENT_AUTH: tuple[str, str] | Any | None = None - - -def init_app(_): - """Initialize authentication backend.""" - - -T = TypeVar("T", bound=Callable) - - -def requires_authentication(function: T): - """Decorate functions that require authentication.""" - - @wraps(function) - def decorated(*args, **kwargs): - return function(*args, **kwargs) - - return cast(T, decorated) diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml index 0be77a3b6829a..311f651b754f2 100644 --- a/airflow/config_templates/config.yml +++ b/airflow/config_templates/config.yml @@ -1377,8 +1377,7 @@ api: description: | Comma separated list of auth backends to authenticate users of the API. See `Security: API - `__ for possible values. - ("airflow.api.auth.backend.default" allows all requests for historic reasons) + `__ for possible values version_added: 2.3.0 type: string example: ~ diff --git a/airflow/config_templates/unit_tests.cfg b/airflow/config_templates/unit_tests.cfg index 27134c7218215..35af93ee99ac3 100644 --- a/airflow/config_templates/unit_tests.cfg +++ b/airflow/config_templates/unit_tests.cfg @@ -71,7 +71,7 @@ celery_logging_level = INFO smtp_mail_from = airflow@example.com [api] -auth_backends = airflow.api.auth.backend.default +auth_backends = airflow.api.auth.backend.session [hive] # Hive uses the configuration below to run the tests diff --git a/airflow/configuration.py b/airflow/configuration.py index 81dc18365392e..0425cec0979fd 100644 --- a/airflow/configuration.py +++ b/airflow/configuration.py @@ -670,10 +670,7 @@ def _upgrade_auth_backends(self): This is required by the UI for ajax queries. """ old_value = self.get("api", "auth_backends", fallback="") - if old_value in ("airflow.api.auth.backend.default", ""): - # handled by deprecated_values - pass - elif old_value.find("airflow.api.auth.backend.session") == -1: + if old_value.find("airflow.api.auth.backend.session") == -1: new_value = old_value + ",airflow.api.auth.backend.session" self._update_env_var(section="api", name="auth_backends", new_value=new_value) self.upgraded_values[("api", "auth_backends")] = old_value diff --git a/airflow/www/extensions/init_security.py b/airflow/www/extensions/init_security.py index 28e96a06ca859..76b2944c47b18 100644 --- a/airflow/www/extensions/init_security.py +++ b/airflow/www/extensions/init_security.py @@ -20,7 +20,7 @@ from importlib import import_module from airflow.configuration import conf -from airflow.exceptions import AirflowConfigException, AirflowException +from airflow.exceptions import AirflowException log = logging.getLogger(__name__) @@ -46,11 +46,7 @@ def apply_caching(response): def init_api_auth(app): """Load authentication backends.""" - auth_backends = "airflow.api.auth.backend.default" - try: - auth_backends = conf.get("api", "auth_backends") - except AirflowConfigException: - pass + auth_backends = conf.get("api", "auth_backends") app.api_auth = [] try: diff --git a/newsfragments/43096.significant.rst b/newsfragments/43096.significant.rst new file mode 100644 index 0000000000000..b252e39916c03 --- /dev/null +++ b/newsfragments/43096.significant.rst @@ -0,0 +1 @@ +Removed auth backend ``airflow.api.auth.backend.default`` From 6f6d0f5302c246bff55165cb4de0615d3d677a08 Mon Sep 17 00:00:00 2001 From: vincbeck Date: Wed, 16 Oct 2024 17:16:34 -0400 Subject: [PATCH 2/5] Fix tests --- tests_common/pytest_plugin.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tests_common/pytest_plugin.py b/tests_common/pytest_plugin.py index f2dab17b2dddb..498284e9e6d19 100644 --- a/tests_common/pytest_plugin.py +++ b/tests_common/pytest_plugin.py @@ -1414,7 +1414,12 @@ def clean_dags_and_dagruns(): def app(): from tests_common.test_utils.config import conf_vars - with conf_vars({("fab", "auth_rate_limited"): "False"}): + with conf_vars( + { + ("fab", "auth_rate_limited"): "False", + ("api", "auth_backends"): "airflow.providers.fab.auth_manager.api.auth.backend.session", + } + ): from airflow.www import app yield app.create_app(testing=True) From e777cc43e6e4eb9f997c2b2dd02a453b703a92c2 Mon Sep 17 00:00:00 2001 From: vincbeck Date: Thu, 17 Oct 2024 10:46:07 -0400 Subject: [PATCH 3/5] Fix tests --- airflow/config_templates/config.yml | 2 +- airflow/config_templates/unit_tests.cfg | 2 +- airflow/configuration.py | 7 +++++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml index 311f651b754f2..b7c810cfe5164 100644 --- a/airflow/config_templates/config.yml +++ b/airflow/config_templates/config.yml @@ -1381,7 +1381,7 @@ api: version_added: 2.3.0 type: string example: ~ - default: "airflow.api.auth.backend.session" + default: "airflow.providers.fab.auth_manager.api.auth.backend.session" maximum_page_limit: description: | Used to set the maximum page limit for API requests. If limit passed as param diff --git a/airflow/config_templates/unit_tests.cfg b/airflow/config_templates/unit_tests.cfg index 35af93ee99ac3..b29c642afe77f 100644 --- a/airflow/config_templates/unit_tests.cfg +++ b/airflow/config_templates/unit_tests.cfg @@ -71,7 +71,7 @@ celery_logging_level = INFO smtp_mail_from = airflow@example.com [api] -auth_backends = airflow.api.auth.backend.session +auth_backends = airflow.providers.fab.auth_manager.api.auth.backend.session [hive] # Hive uses the configuration below to run the tests diff --git a/airflow/configuration.py b/airflow/configuration.py index 0425cec0979fd..e59b5b5e9ec10 100644 --- a/airflow/configuration.py +++ b/airflow/configuration.py @@ -670,8 +670,11 @@ def _upgrade_auth_backends(self): This is required by the UI for ajax queries. """ old_value = self.get("api", "auth_backends", fallback="") - if old_value.find("airflow.api.auth.backend.session") == -1: - new_value = old_value + ",airflow.api.auth.backend.session" + if ( + old_value.find("airflow.api.auth.backend.session") == -1 + and old_value.find("airflow.providers.fab.auth_manager.api.auth.backend.session") == -1 + ): + new_value = old_value + ",airflow.providers.fab.auth_manager.api.auth.backend.session" self._update_env_var(section="api", name="auth_backends", new_value=new_value) self.upgraded_values[("api", "auth_backends")] = old_value From a9e4e645c3d249b45b4bdca17bef3b1b6fcc1201 Mon Sep 17 00:00:00 2001 From: vincbeck Date: Thu, 17 Oct 2024 10:47:24 -0400 Subject: [PATCH 4/5] Misc --- tests_common/pytest_plugin.py | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/tests_common/pytest_plugin.py b/tests_common/pytest_plugin.py index 498284e9e6d19..f2dab17b2dddb 100644 --- a/tests_common/pytest_plugin.py +++ b/tests_common/pytest_plugin.py @@ -1414,12 +1414,7 @@ def clean_dags_and_dagruns(): def app(): from tests_common.test_utils.config import conf_vars - with conf_vars( - { - ("fab", "auth_rate_limited"): "False", - ("api", "auth_backends"): "airflow.providers.fab.auth_manager.api.auth.backend.session", - } - ): + with conf_vars({("fab", "auth_rate_limited"): "False"}): from airflow.www import app yield app.create_app(testing=True) From ac4de41d76a08cbaa70cca1a2a1c8c229d7a5da8 Mon Sep 17 00:00:00 2001 From: vincbeck Date: Thu, 17 Oct 2024 11:35:25 -0400 Subject: [PATCH 5/5] Fix tests --- tests/core/test_configuration.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/core/test_configuration.py b/tests/core/test_configuration.py index 20109c6cd29b7..096b55e0f8e6f 100644 --- a/tests/core/test_configuration.py +++ b/tests/core/test_configuration.py @@ -664,7 +664,7 @@ def test_auth_backends_adds_session(self): test_conf.validate() assert ( test_conf.get("api", "auth_backends") - == "airflow.providers.fab.auth_manager.api.auth.backend.basic_auth,airflow.api.auth.backend.session" + == "airflow.providers.fab.auth_manager.api.auth.backend.basic_auth,airflow.providers.fab.auth_manager.api.auth.backend.session" ) def test_command_from_env(self):