apache · vincbeck · Oct 17, 2023 · Sep 12, 2023 · Sep 13, 2023 · Sep 13, 2023
diff --git a/airflow/api_connexion/endpoints/forward_to_fab_endpoint.py b/airflow/api_connexion/endpoints/forward_to_fab_endpoint.py
@@ -0,0 +1,124 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+import warnings
+from typing import TYPE_CHECKING
+
+from airflow.api_connexion.exceptions import BadRequest
+from airflow.auth.managers.fab.api_endpoints import role_and_permission_endpoint, user_endpoint
+from airflow.www.extensions.init_auth_manager import get_auth_manager
+
+if TYPE_CHECKING:
+    from typing import Callable
+
+    from airflow.api_connexion.types import APIResponse
+
+
+def _require_fab(func: Callable) -> Callable:
+    """
+    Raise an HTTP error 400 if the provider is not FAB.
+
+    Intended to decorate endpoints that have been migrated from Airflow API to FAB API.
+    """
+
+    def inner(*args, **kwargs):
+        from airflow.auth.managers.fab.fab_auth_manager import FabAuthManager
+
+        auth_mgr = get_auth_manager()
+        if not isinstance(auth_mgr, FabAuthManager):
+            raise BadRequest(detail="This endpoint is only available when using the default auth manager.")
+        else:
+            warnings.warn(
+                "This API endpoint is deprecated. "
+                "Please use the API under /auth/fab/v1 instead for this operation.",
+                DeprecationWarning,
+            )
+            return func(*args, **kwargs)
+
+    return inner
+
+
+### role
+
+
+@_require_fab
+def get_role(**kwargs) -> APIResponse:
+    """Get role."""
+    return role_and_permission_endpoint.get_role(**kwargs)
+
+
+@_require_fab
+def get_roles(**kwargs) -> APIResponse:
+    """Get roles."""
+    return role_and_permission_endpoint.get_roles(**kwargs)
+
+
+@_require_fab
+def delete_role(**kwargs) -> APIResponse:
+    """Delete a role."""
+    return role_and_permission_endpoint.delete_role(**kwargs)
+
+
+@_require_fab
+def patch_role(**kwargs) -> APIResponse:
+    """Update a role."""
+    return role_and_permission_endpoint.patch_role(**kwargs)
+
+
+@_require_fab
+def post_role(**kwargs) -> APIResponse:
+    """Create a new role."""
+    return role_and_permission_endpoint.post_role(**kwargs)
+
+
+### permissions
+@_require_fab
+def get_permissions(**kwargs) -> APIResponse:
+    """Get permissions."""
+    return role_and_permission_endpoint.get_permissions(**kwargs)
+
+
+### user
+@_require_fab
+def get_user(**kwargs) -> APIResponse:
+    """Get a user."""
+    return user_endpoint.get_user(**kwargs)
+
+
+@_require_fab
+def get_users(**kwargs) -> APIResponse:
+    """Get users."""
+    return user_endpoint.get_users(**kwargs)
+
+
+@_require_fab
+def post_user(**kwargs) -> APIResponse:
+    """Create a new user."""
+    return user_endpoint.post_user(**kwargs)
+
+
+@_require_fab
+def patch_user(**kwargs) -> APIResponse:
+    """Update a user."""
+    return user_endpoint.patch_user(**kwargs)
+
+
+@_require_fab
+def delete_user(**kwargs) -> APIResponse:
+    """Delete a user."""
+    return user_endpoint.delete_user(**kwargs)
diff --git a/airflow/api_connexion/openapi/v1.yaml b/airflow/api_connexion/openapi/v1.yaml
@@ -2112,12 +2112,13 @@ paths:
 
   /roles:
     get:
+      deprecated: true
       summary: List roles
       description: |
         Get a list of roles.
 
         *New in version 2.1.0*
-      x-openapi-router-controller: airflow.api_connexion.endpoints.role_and_permission_endpoint
+      x-openapi-router-controller: airflow.api_connexion.endpoints.forward_to_fab_endpoint
       operationId: get_roles
       tags: [Role]
       parameters:
@@ -2137,12 +2138,13 @@ paths:
           $ref: '#/components/responses/PermissionDenied'
 
     post:
+      deprecated: true
       summary: Create a role
       description: |
         Create a new role.
 
         *New in version 2.1.0*
-      x-openapi-router-controller: airflow.api_connexion.endpoints.role_and_permission_endpoint
+      x-openapi-router-controller: airflow.api_connexion.endpoints.forward_to_fab_endpoint
       operationId: post_role
       tags: [Role]
       requestBody:
@@ -2170,12 +2172,13 @@ paths:
       - $ref: '#/components/parameters/RoleName'
 
     get:
+      deprecated: true
       summary: Get a role
       description: |
         Get a role.
 
         *New in version 2.1.0*
-      x-openapi-router-controller: airflow.api_connexion.endpoints.role_and_permission_endpoint
+      x-openapi-router-controller: airflow.api_connexion.endpoints.forward_to_fab_endpoint
       operationId: get_role
       tags: [Role]
       responses:
@@ -2193,12 +2196,13 @@ paths:
           $ref: '#/components/responses/NotFound'
 
     patch:
+      deprecated: true
       summary: Update a role
       description: |
         Update a role.
 
         *New in version 2.1.0*
-      x-openapi-router-controller: airflow.api_connexion.endpoints.role_and_permission_endpoint
+      x-openapi-router-controller: airflow.api_connexion.endpoints.forward_to_fab_endpoint
       operationId: patch_role
       tags: [Role]
       parameters:
@@ -2227,12 +2231,13 @@ paths:
           $ref: '#/components/responses/NotFound'
 
     delete:
+      deprecated: true
       summary: Delete a role
       description: |
         Delete a role.
 
         *New in version 2.1.0*
-      x-openapi-router-controller: airflow.api_connexion.endpoints.role_and_permission_endpoint
+      x-openapi-router-controller: airflow.api_connexion.endpoints.forward_to_fab_endpoint
       operationId: delete_role
       tags: [Role]
       responses:
@@ -2249,12 +2254,13 @@ paths:
 
   /permissions:
     get:
+      deprecated: true
       summary: List permissions
       description: |
         Get a list of permissions.
 
         *New in version 2.1.0*
-      x-openapi-router-controller: airflow.api_connexion.endpoints.role_and_permission_endpoint
+      x-openapi-router-controller: airflow.api_connexion.endpoints.forward_to_fab_endpoint
       operationId: get_permissions
       tags: [Permission]
       parameters:
@@ -2274,12 +2280,13 @@ paths:
 
   /users:
     get:
+      deprecated: true
       summary: List users
       description: |
         Get a list of users.
 
         *New in version 2.1.0*
-      x-openapi-router-controller: airflow.api_connexion.endpoints.user_endpoint
+      x-openapi-router-controller: airflow.api_connexion.endpoints.forward_to_fab_endpoint
       operationId: get_users
       tags: [User]
       parameters:
@@ -2299,12 +2306,13 @@ paths:
           $ref: '#/components/responses/PermissionDenied'
 
     post:
+      deprecated: true
       summary: Create a user
       description: |
         Create a new user with unique username and email.
 
         *New in version 2.2.0*
-      x-openapi-router-controller: airflow.api_connexion.endpoints.user_endpoint
+      x-openapi-router-controller: airflow.api_connexion.endpoints.forward_to_fab_endpoint
       operationId: post_user
       tags: [User]
       requestBody:
@@ -2333,12 +2341,13 @@ paths:
     parameters:
       - $ref: '#/components/parameters/Username'
     get:
+      deprecated: true
       summary: Get a user
       description: |
         Get a user with a specific username.
 
         *New in version 2.1.0*
-      x-openapi-router-controller: airflow.api_connexion.endpoints.user_endpoint
+      x-openapi-router-controller: airflow.api_connexion.endpoints.forward_to_fab_endpoint
       operationId: get_user
       tags: [User]
       responses:
@@ -2356,12 +2365,13 @@ paths:
           $ref: '#/components/responses/NotFound'
 
     patch:
+      deprecated: true
       summary: Update a user
       description: |
         Update fields for a user.
 
         *New in version 2.2.0*
-      x-openapi-router-controller: airflow.api_connexion.endpoints.user_endpoint
+      x-openapi-router-controller: airflow.api_connexion.endpoints.forward_to_fab_endpoint
       operationId: patch_user
       tags: [User]
       parameters:
@@ -2389,12 +2399,13 @@ paths:
           $ref: '#/components/responses/NotFound'
 
     delete:
+      deprecated: true
       summary: Delete a user
       description: |
         Delete a user with a specific username.
 
         *New in version 2.2.0*
-      x-openapi-router-controller: airflow.api_connexion.endpoints.user_endpoint
+      x-openapi-router-controller: airflow.api_connexion.endpoints.forward_to_fab_endpoint
       operationId: delete_user
       tags: [User]
       responses:

diff --git a/airflow/auth/managers/base_auth_manager.py b/airflow/auth/managers/base_auth_manager.py
@@ -24,7 +24,7 @@
 from airflow.utils.log.logging_mixin import LoggingMixin
 
 if TYPE_CHECKING:
-    from flask import Flask
+    from flask import Blueprint, Flask
 
     from airflow.auth.managers.models.base_user import BaseUser
     from airflow.cli.cli_config import CLICommand
@@ -50,6 +50,10 @@ def get_cli_commands() -> list[CLICommand]:
         """
         return []
 
+    def get_api_blueprint(self) -> None | Blueprint:
+        """Return a blueprint of the API endpoints proposed by this auth manager."""
+        return None
+
     @abstractmethod
     def get_user_name(self) -> str:
         """Return the username associated to the user in session."""

diff --git a/airflow/auth/managers/fab/api_endpoints/__init__.py b/airflow/auth/managers/fab/api_endpoints/__init__.py
@@ -0,0 +1,16 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
diff --git a/...endpoints/role_and_permission_endpoint.py → ...endpoints/role_and_permission_endpoint.py b/...endpoints/role_and_permission_endpoint.py → ...endpoints/role_and_permission_endpoint.py
diff --git a/.../api_connexion/endpoints/user_endpoint.py → ...nagers/fab/api_endpoints/user_endpoint.py b/.../api_connexion/endpoints/user_endpoint.py → ...nagers/fab/api_endpoints/user_endpoint.py
diff --git a/airflow/auth/managers/fab/fab_auth_manager.py b/airflow/auth/managers/fab/fab_auth_manager.py
@@ -18,8 +18,11 @@
 from __future__ import annotations
 
 import warnings
+from pathlib import Path
 from typing import TYPE_CHECKING
 
+from connexion import FlaskApi
+
 from airflow.auth.managers.base_auth_manager import BaseAuthManager
 from airflow.auth.managers.fab.cli_commands.definition import (
     ROLES_COMMANDS,
@@ -29,9 +32,14 @@
 from airflow.cli.cli_config import (
     GroupCommand,
 )
+from airflow.configuration import conf
 from airflow.exceptions import AirflowException
+from airflow.utils.yaml import safe_load
+from airflow.www.extensions.init_views import _CustomErrorRequestBodyValidator, _LazyResolver
 
 if TYPE_CHECKING:
+    from flask import Blueprint
+
     from airflow.auth.managers.fab.models import User
     from airflow.cli.cli_config import (
         CLICommand,
@@ -62,6 +70,24 @@ def get_cli_commands() -> list[CLICommand]:
             SYNC_PERM_COMMAND,  # not in a command group
         ]
 
+    def get_api_blueprint(self) -> None | Blueprint:
+        """Return a blueprint of the API endpoints proposed by this auth manager."""
+        folder = Path(__file__).parents[0].resolve()  # this is airflow/auth/managers/fab/
+        with folder.joinpath("openapi", "v1.yaml").open() as f:
+            specification = safe_load(f)
+        api = FlaskApi(
+            specification=specification,
+            resolver=_LazyResolver(),
+            base_path="/auth/fab/v1",
+            options={
+                "swagger_ui": conf.getboolean("webserver", "enable_swagger_ui", fallback=True),
+            },
+            strict_validation=True,
+            validate_responses=True,
+            validator_map={"body": _CustomErrorRequestBodyValidator},
+        )
+        return api.blueprint
+
     def get_user_display_name(self) -> str:
         """Return the user's display name associated to the user in session."""
         user = self.get_user()