Add IMPORT_ERRORS_ALL permission for import errors of files with no registered Dag#69790
Open
potiuk wants to merge 1 commit into
Open
Add IMPORT_ERRORS_ALL permission for import errors of files with no registered Dag#69790potiuk wants to merge 1 commit into
potiuk wants to merge 1 commit into
Conversation
…egistered Dag The Import Errors API authorizes each error per Dag defined in its file. Files with no registered Dag have no per-Dag key to authorize on. Gate the raw stack trace for those files on a dedicated, admin-by-default IMPORT_ERRORS_ALL view, scoped per team via the file's bundle where the auth manager supports multi-team isolation, and redact it for callers without the permission on both the list and single endpoints. Closes: apache#67461 Generated-by: Claude Opus 4.8 (1M context) following the guidelines at https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
Member
Author
|
@vincbeck — you'd offered to pick up #67461, so heads-up that I went ahead and implemented it here. Would you mind reviewing when you get a chance? Particularly keen on your read of the |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Import errors are authorized per Dag defined in the file. Files with no registered Dag (parse failed before any Dag was defined, or all Dags removed) have no per-Dag key to authorize on. This adds a dedicated
IMPORT_ERRORS_ALLview -- admin-granted by default, scoped per team via the file's bundle where the auth manager supports multi-team isolation -- and gates such files on it: callers without the permission are denied those import errors (403on the single endpoint; excluded from the list endpoint) instead of receiving the raw stack trace.Implements #67461.
AccessView.IMPORT_ERRORS_ALL.is_authorized_view_for_teammethod that defaults tois_authorized_view, so auth managers that do not implement it (including out-of-tree ones) keep working unchanged. The simple and Keycloak managers override it to enforce team scoping; the FAB manager grants the new permission toAdminby default.total_entriesso their existence does not surface.Tests
test_import_error.py-- with the permission the raw stack trace is returned; without it the single endpoint returns403and the list endpoint omits the rows; team scoping is honored; no query-count regression.test_base_auth_manager.py--is_authorized_view_for_teamfalls back tois_authorized_viewby default.Was generative AI tooling used to co-author this PR?
Generated-by: Claude Opus 4.8 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions