Airflow graceful loading for plugins for users without read permissions #52408
Conversation
tanujdargan
requested review from
bbovenzi,
bugraoz93,
ephraimbuddy,
jason810496,
jscheffl,
pierrejeambrun,
rawwar,
ryanahamilton and
shubhamraj-git
as code owners
boring-cyborg
bot
added
area:API
jason810496
left a comment
jason810496
left a comment
There was a problem hiding this comment.
Nice! Thanks for raising the PR.
| dependencies=[Depends(requires_authenticated())], | ||
| ) | ||
| def get_configs() -> ConfigResponse: | ||
| async def get_configs(user: GetUserDep) -> ConfigResponse: |
There was a problem hiding this comment.
Why do we need to change this router to async ?
There was a problem hiding this comment.
get_config depends on GetUserDep which is async and as per FastAPI rule: any route function that calls an async dependency must also be async.
and, the previous implementation allowed any authenticated user to see all UI plugins, which was a security issue. My PR fixes this by correctly checking the user's permissions for each plugin before displaying it. While the default Viewer role in the documentation is shown to have plugin access, my change ensures the system properly enforces whatever permissions are actually configured. So, if a Viewer has no plugin permissions, they will no longer see any plugin menu items."
There was a problem hiding this comment.
get_config depends on GetUserDep which is async and as per FastAPI rule: any route function that calls an async dependency must also be async.
Where do you get this information from ? I tend to think that it does not matter and this is confirmed by FastAPI documentation:
https://fastapi.tiangolo.com/tutorial/dependencies/#to-async-or-not-to-async
| auth_manager = get_auth_manager() | ||
| authorized_plugins = [] | ||
| if plugins_manager.external_views: | ||
| for view in plugins_manager.external_views: | ||
| if auth_manager.is_authorized_custom_view(method="GET", resource_name=view["name"], user=user): | ||
| authorized_plugins.append(view) |
There was a problem hiding this comment.
Do we need to doc the #51714 (review) comment here to describe the logic ?
There was a problem hiding this comment.
I think we are mixing things up. Why would plugin permissions be in the auth manger custom views permissions? Those are not related, permissions to access plugins is AccessView.PLUGINS.
Also we assume that this subpart of the plugins (external views in the nav) are public, so everybody can load the UI or access it.
| from tests_common.test_utils.config import conf_vars | ||
|
|
||
| pytestmark = pytest.mark.db_test | ||
| pytestmark = [pytest.mark.db_test, pytest.mark.mock_plugin_manager(plugins=[])] |
There was a problem hiding this comment.
How about we don't mock the plugin manager return an empty list. Let's make the external_views return some views that belongs to nav and some are not belongs to nav to ensure the implementaion in router.
There was a problem hiding this comment.
I agree, just pushed a fix for this! f41d1c9
| // Only show external plugins in menu if there are more than 2 | ||
| const menuExternalViews = menuPlugins.length > 2 ? menuPlugins : []; | ||
| const directExternalViews = menuPlugins.length <= 2 ? menuPlugins : []; |
There was a problem hiding this comment.
Did we lose the code to consolidate plugin views into a menu when there are many of them?
There was a problem hiding this comment.
The current logic does seem to replace the more granular is_menu_item flag-based separation with a hard cutoff at 2 items:
This effectively overrides the earlier logic that distinguishes between menuExternalViews and directExternalViews using the is_menu_item property. If we previously consolidated plugins into a dropdown based on that flag (rather than count), this could be a regression or unintentional change.
Should I revert to using is_menu_item to preserve expected grouping behaviour?
There was a problem hiding this comment.
Yeah, this PR shouldn't change how we actually show plugins in the nav bar.
pierrejeambrun
left a comment
pierrejeambrun
left a comment
There was a problem hiding this comment.
A few suggestions / comments.
| config = {key: conf.get("api", key) for key in API_CONFIG_KEYS} | ||
|
|
||
| task_log_reader = TaskLogReader() | ||
| plugins_manager.initialize_ui_plugins() |
There was a problem hiding this comment.
You do not need to do that, this is done at the init of the FastAPI app, can you remove it?
| dependencies=[Depends(requires_authenticated())], | ||
| ) | ||
| def get_configs() -> ConfigResponse: | ||
| async def get_configs(user: GetUserDep) -> ConfigResponse: |
There was a problem hiding this comment.
get_config depends on GetUserDep which is async and as per FastAPI rule: any route function that calls an async dependency must also be async.
Where do you get this information from ? I tend to think that it does not matter and this is confirmed by FastAPI documentation:
https://fastapi.tiangolo.com/tutorial/dependencies/#to-async-or-not-to-async
| auth_manager = get_auth_manager() | ||
| authorized_plugins = [] | ||
| if plugins_manager.external_views: | ||
| for view in plugins_manager.external_views: | ||
| if auth_manager.is_authorized_custom_view(method="GET", resource_name=view["name"], user=user): | ||
| authorized_plugins.append(view) |
There was a problem hiding this comment.
I think we are mixing things up. Why would plugin permissions be in the auth manger custom views permissions? Those are not related, permissions to access plugins is AccessView.PLUGINS.
Also we assume that this subpart of the plugins (external views in the nav) are public, so everybody can load the UI or access it.
|
|
||
| # First, we check which of the available external plugin views the current user is authorized to see. | ||
| auth_manager = get_auth_manager() | ||
| authorized_plugins = [] |
There was a problem hiding this comment.
I think we should rename this, those are external_views, not plugins.
| const menuPlugins = (useConfig("plugins_extra_menu_items") as Array<ExternalViewResponse>) ?? []; | ||
|
|
There was a problem hiding this comment.
We shouldn't need a hard casting like that. "as"
| const directExternalViews = menuPlugins.filter((p: ExternalViewResponse) => !p.is_menu_item); | ||
| const menuExternalViews = menuPlugins.filter((p: ExternalViewResponse) => p.is_menu_item); |
There was a problem hiding this comment.
I don't understand what's going on here. What is is_menu_item attribute, that does not exist.
|
|
||
| class TestGetConfig: | ||
| @pytest.mark.mock_plugin_manager(plugins=[]) | ||
| class TestGetConfigWithNoPlugins: |
There was a problem hiding this comment.
1 class per endpoint. Multiple method for different test cases. We shouldn't have two classes there.
|
Also, just an idea, but maybe we can handle that simply in the UI. Call the endoint if 403 forbidden -> instead of crashing everything, catch the error and return an empty plugin list, then the UI will proceed ignoring the plugins. Because mixing up the |
There was a problem hiding this comment.
+1 to Pierre's comment to keep the plugins endpoint and just handle a 403 better.
Marking as changes requested because there is a lot of hallucinated AI code in this PR that needs to be corrected. Please review your AI generated code before opening a PR. Otherwise it forces code reviewers to do your work for you.
4 participants
Fixes: #51299 - Impossible to load UI if user does not have read permissions on plugins
Summary
This PR ensures the Airflow UI loads gracefully for authenticated users who do not have read permissions on plugins.
Details
routes/ui/config.pyto safely handle cases whereplugins_manager.flask_appbuilder_menu_linksisNone, preventing 403 errors from blocking the UI.plugins_extra_menu_itemsattribute in the UI config endpoint, so all authenticated users can see them, regardless of direct plugin permissions.public/providersendpoint for these menu items.Context
Previously, users without read permissions on plugins would receive a 403 Forbidden error, causing the entire UI to fail rendering. With this fix, the UI continues to render and display default elements, and plugin menu items are provided in a way accessible to all authenticated users.
Closes #51299.