airflow 0084_2_1_0_resource_based_permissions_for_default_ 源码

  • 2022-10-20
  • 浏览 (478)

airflow 0084_2_1_0_resource_based_permissions_fordefault 代码

文件路径:/airflow/migrations/versions/0084_2_1_0_resource_based_permissions_fordefault.py

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
"""Resource based permissions for default ``Flask-AppBuilder`` views

Revision ID: a13f7613ad25
Revises: e165e7455d70
Create Date: 2021-03-20 21:23:05.793378

"""
from __future__ import annotations

import logging

from airflow.security import permissions
from airflow.www.app import cached_app

# revision identifiers, used by Alembic.
revision = 'a13f7613ad25'
down_revision = 'e165e7455d70'
branch_labels = None
depends_on = None
airflow_version = '2.1.0'


mapping = {
    ("PermissionModelView", "can_list"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_ACTION),
    ],
    ("PermissionViewModelView", "can_list"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PERMISSION),
    ],
    ("ResetMyPasswordView", "can_this_form_get"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PASSWORD),
    ],
    ("ResetMyPasswordView", "can_this_form_post"): [
        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_MY_PASSWORD),
    ],
    ("ResetPasswordView", "can_this_form_get"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PASSWORD),
    ],
    ("ResetPasswordView", "can_this_form_post"): [
        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_PASSWORD),
    ],
    ("RoleModelView", "can_delete"): [
        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_ROLE),
    ],
    ("RoleModelView", "can_download"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
    ],
    ("RoleModelView", "can_show"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
    ],
    ("RoleModelView", "can_list"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_ROLE),
    ],
    ("RoleModelView", "can_edit"): [
        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_ROLE),
    ],
    ("RoleModelView", "can_add"): [
        (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_ROLE),
    ],
    ("RoleModelView", "can_copyrole"): [
        (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_ROLE),
    ],
    ("ViewMenuModelView", "can_list"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_RESOURCE),
    ],
    ("UserDBModelView", "can_add"): [
        (permissions.ACTION_CAN_CREATE, permissions.RESOURCE_RESOURCE),
    ],
    ("UserDBModelView", "can_userinfo"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
    ],
    ("UserDBModelView", "can_download"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_RESOURCE),
    ],
    ("UserDBModelView", "can_show"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_RESOURCE),
    ],
    ("UserDBModelView", "can_list"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_RESOURCE),
    ],
    ("UserDBModelView", "can_edit"): [
        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_RESOURCE),
    ],
    ("UserDBModelView", "resetmypassword"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PASSWORD),
    ],
    ("UserDBModelView", "resetpasswords"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_PASSWORD),
    ],
    ("UserDBModelView", "userinfoedit"): [
        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_MY_PROFILE),
    ],
    ("UserDBModelView", "can_delete"): [
        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_RESOURCE),
    ],
    ("UserInfoEditView", "can_this_form_get"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
    ],
    ("UserInfoEditView", "can_this_form_post"): [
        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_MY_PROFILE),
    ],
    ("UserStatsChartView", "can_chart"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_USER_STATS_CHART),
    ],
    ("UserLDAPModelView", "can_userinfo"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
    ],
    ("UserOAuthModelView", "can_userinfo"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
    ],
    ("UserOIDModelView", "can_userinfo"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
    ],
    ("UserRemoteUserModelView", "can_userinfo"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_MY_PROFILE),
    ],
    ("DagRunModelView", "can_clear"): [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
        (permissions.ACTION_CAN_DELETE, permissions.RESOURCE_TASK_INSTANCE),
    ],
}


def remap_permissions():
    """Apply Map Airflow permissions."""
    appbuilder = cached_app(config={'FAB_UPDATE_PERMS': False}).appbuilder
    for old, new in mapping.items():
        (old_resource_name, old_action_name) = old
        old_permission = appbuilder.sm.get_permission(old_action_name, old_resource_name)
        if not old_permission:
            continue
        for new_action_name, new_resource_name in new:
            new_permission = appbuilder.sm.create_permission(new_action_name, new_resource_name)
            for role in appbuilder.sm.get_all_roles():
                if appbuilder.sm.permission_exists_in_one_or_more_roles(
                    old_resource_name, old_action_name, [role.id]
                ):
                    appbuilder.sm.add_permission_to_role(role, new_permission)
                    appbuilder.sm.remove_permission_from_role(role, old_permission)
        appbuilder.sm.delete_permission(old_action_name, old_resource_name)

        if not appbuilder.sm.get_action(old_action_name):
            continue
        resources = appbuilder.sm.get_all_resources()
        if not any(appbuilder.sm.get_permission(old_action_name, resource.name) for resource in resources):
            appbuilder.sm.delete_action(old_action_name)


def undo_remap_permissions():
    """Unapply Map Airflow permissions"""
    appbuilder = cached_app(config={'FAB_UPDATE_PERMS': False}).appbuilder
    for old, new in mapping.items():
        (new_resource_name, new_action_name) = new[0]
        new_permission = appbuilder.sm.get_permission(new_action_name, new_resource_name)
        if not new_permission:
            continue
        for old_action_name, old_resource_name in old:
            old_permission = appbuilder.sm.create_permission(old_action_name, old_resource_name)
            for role in appbuilder.sm.get_all_roles():
                if appbuilder.sm.permission_exists_in_one_or_more_roles(
                    new_resource_name, new_action_name, [role.id]
                ):
                    appbuilder.sm.add_permission_to_role(role, old_permission)
                    appbuilder.sm.remove_permission_from_role(role, new_permission)
        appbuilder.sm.delete_permission(new_action_name, new_resource_name)

        if not appbuilder.sm.get_action(new_action_name):
            continue
        resources = appbuilder.sm.get_all_resources()
        if not any(appbuilder.sm.get_permission(new_action_name, resource.name) for resource in resources):
            appbuilder.sm.delete_action(new_action_name)


def upgrade():
    """Apply Resource based permissions."""
    log = logging.getLogger()
    handlers = log.handlers[:]
    remap_permissions()
    log.handlers = handlers


def downgrade():
    """Unapply Resource based permissions."""
    log = logging.getLogger()
    handlers = log.handlers[:]
    undo_remap_permissions()
    log.handlers = handlers

相关信息

airflow 源码目录

相关文章

airflow 0001_1_5_0_current_schema 源码

airflow 0002_1_5_0_create_is_encrypted 源码

airflow 0003_1_5_0_for_compatibility 源码

airflow 0004_1_5_0_more_logging_into_task_isntance 源码

airflow 0005_1_5_2_job_id_indices 源码

airflow 0006_1_6_0_adding_extra_to_log 源码

airflow 0007_1_6_0_add_dagrun 源码

airflow 0008_1_6_0_task_duration 源码

airflow 0009_1_6_0_dagrun_config 源码

airflow 0010_1_6_2_add_password_column_to_user 源码

0  赞