@TempestShaw

Fixes #59348. Added is_allowed() method to BaseAuthManager and all
implementations to properly delegate HITL permission checks.

  • SimpleAuthManager: Returns True when simple_auth_manager_all_admins=True
  • Other managers: Check if user is in assigned_users list
  • Updated hitl.py to use auth manager's is_allowed() method

Remove duplicate import
@boring-cyborg

boring-cyborg bot commented Dec 14, 2025

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about anything, please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst).
Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide. Consider adding an example DAG that shows how users should use it.
  • Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.

Apache Airflow is a community-driven project and together we are making it better 🚀.
In case of doubts contact the developers at:
Mailing List: [email protected]
Slack: https://s.apache.org/airflow-slack

Member

@jason810496 jason810496 left a comment

Nice! Thanks for the fix and it LGTM overall.

@jason810496 jason810496 requested a review from Lee-W December 14, 2025 10:20
Member

@jason810496 jason810496 left a comment

Thanks for the update!

Also that is a new functionality and some thinking on how we communicate it (newsfragment) and what the default behaviour for Auth Managers that do not implement it should be.

It would be nice to add the 59399.feature.rst newsfragment from airflow-core/newsfragments/template.significant.rst template.

Thanks!

@TempestShaw
Author

Thanks, will do after a long haul flight.

@vincbeck
Contributor

Some comments but the overall direction is good I think

@vincbeck
Contributor

Please also update documentation to mention this new API in Authorization related methods section

- Update method to use keyword-only parameters
- Take full user object instead of just user_id
- Add unit tests for BaseAuthManager and SimpleAuthManager
- Update hitl.py call site to match new signature
Member

@Lee-W Lee-W left a comment

overall looks good. But would like to confirm with @vincbeck whether it's possible to have more than one user with the same ID (I guess not?) if so, should we use id, name pair to check instead

@potiuk
Member

potiuk commented Dec 16, 2025

> overall looks good. But would like to confirm with @vincbeck whether it's possible to have more than one user with the same ID (I guess not?) if so, should we use id, name pair to check instead

Nope. you can't. User_id uniquely identifies user in AuthManager.

@potiuk
Member

potiuk commented Dec 16, 2025

Looks way better now :)

dabla and others added 12 commits December 24, 2025 09:29
…ead to Internal Server Error in API server (apache#59382)

* refactor: Fix logout route in Keycloak provider also so the KeycloakPostError doesn't propagate to API server also which leads to Internal Server Error

* refactor: Fixed static checks

* refactor: Fixed refresh_token invocations

* refactor: Must call refresh_user in refresh route

* refactor: refresh_token must always return a dict

* refactor: Added test when keycloak client raises KeycloakPostError when refresh_token is being invoked in logout route

* refactor: Fixed some additional static checks

* refactor: Refactored refresh_user

* refactor: Reformatted imports

* refactor: Fixed mocking in refresh test

* refactor: Removed unused mocking of keycloak client in test_refresh_token

* refactor: Fixed mock get_auth_manager and added missing import KeycloakAuthManagerUser

* refactor: Refresh token route calls refresh_user instead of refresh_token

* refactor: Changed assert on refresh user

* Update providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py

Co-authored-by: Vincent <[email protected]>

* refactor: Fixed calls to refresh_tokens instead of refresh_token

---------

Co-authored-by: Vincent <[email protected]>
…che#59493)

This change is needed for compatibility (i.e. stop the test from failing) with the `SQLALCHEMY_ENGINE_DEBUG` flag.
…on (apache#41706) (apache#58841)

* Fix AsyncKubernetesHook when Kubernetes connection is missing (apache#41706)

* fix CI error

* fix CI error apache#2

* Rename `conn_extras` to `connection_extras` for consistency across Kubernetes hooks and operators

* Handle AirflowNotFoundException when resolving connection extras in KubernetesPodOperator
@TempestShaw
Author

> Hey @TempestShaw , I think we're close to merging this one. Could you please help us resolve the remaining comments and conflicts? Thanks!

@Lee-W Hi! I rebased fix-hitl-auth onto main to keep it up to date, which automatically triggered additional review requests.
Just wanted to check if this rebase looks correct. Thanks!

Member

@jason810496 jason810496 left a comment

> @Lee-W Hi! I rebased fix-hitl-auth onto main to keep it up to date, which automatically triggered additional review requests.
> Just wanted to check if this rebase looks correct. Thanks!

Thanks for the rebase. We still need to resolve the conflicts again. Thanks!

Successfully merging this pull request may close these issues.

ApprovalOperator(assigned_users=...) unusable with SimpleAuthManager when simple_auth_manager_all_admins=True (no one can approve/reject)
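
A small model of the delegation this pull request describes, added here as an illustration and not code from the PR or from Airflow. Only `is_allowed`, `assigned_users` and `simple_auth_manager_all_admins` come from the thread; the class names, the `inline_check` "before" behaviour and the `{"id", "name"}` entry shape are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Hypothetical stand-in for an auth manager's user object."""
    user_id: str
    name: str


def _assigned(user, assigned_users):
    # Match on user_id only: per the thread it uniquely identifies a user.
    return any(entry["id"] == user.user_id for entry in assigned_users)


def inline_check(user, assigned_users):
    """Assumed pre-fix call site: membership test, no auth manager consulted."""
    return _assigned(user, assigned_users)


class BaseAuthManagerModel:
    def is_allowed(self, *, user, assigned_users):
        # "Other managers": the user must appear in assigned_users.
        return _assigned(user, assigned_users)


class SimpleAuthManagerModel(BaseAuthManagerModel):
    def __init__(self, *, all_admins):
        self.all_admins = all_admins  # models simple_auth_manager_all_admins

    def is_allowed(self, *, user, assigned_users):
        # All-admins mode returns True, so assigned_users restricts no one here.
        if self.all_admins:
            return True
        return super().is_allowed(user=user, assigned_users=assigned_users)


def demo():
    # Constructed sample data: one assignee and one caller who is not assigned.
    assigned = [{"id": "alice", "name": "Alice"}]
    caller, alice = User("admin", "admin"), User("alice", "Alice")
    open_mgr = SimpleAuthManagerModel(all_admins=True)
    strict_mgr = SimpleAuthManagerModel(all_admins=False)
    return {
        "inline_caller": inline_check(caller, assigned),
        "all_admins_caller": open_mgr.is_allowed(user=caller, assigned_users=assigned),
        "strict_caller": strict_mgr.is_allowed(user=caller, assigned_users=assigned),
        "strict_assignee": strict_mgr.is_allowed(user=alice, assigned_users=assigned),
    }
```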