Feature: Allow set Dag Run resource into Dag Level permission #40703
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
During the last week refactor input on mypy checks was moved to another workflow and mypy checks were not running for a day. This change brings it back. (cherry picked from commit a2f5307)
The config names all use "object storage", but the class is still using "object store". Since we're not renaming the configs, let's rename the class for consistency. (cherry picked from commit 0371ea8)
Co-authored-by: Tom Rutter <[email protected]> (cherry picked from commit 7613795)
(cherry picked from commit 1d8413e)
The `total_entries` count should reflect how many log entries match the filters provided, not simply how many rows are in the table total. (cherry picked from commit 90e7b3f)
These are the attrs we allow sorting on, not filtering on. (cherry picked from commit e700f41)
(cherry picked from commit 35d1899)
(cherry picked from commit d566a8b)
(cherry picked from commit 46b30b2)
* Prohibit to use unsupported DB backends in tests * Move invalid backends tests into the integration * Add files to missing unit tests (cherry picked from commit 279d1f7)
…ath` (apache#38624) * Disable support of a legacy `LocalPath` in favor of stdlib `pathlib.Path` * Fixup tests which use tmpdir instead of tmp_path (cherry picked from commit 2660188)
(cherry picked from commit 6f0e5bc)
(cherry picked from commit 8455eb2)
(cherry picked from commit 39b3eb2)
(cherry picked from commit 9c61147)
(cherry picked from commit e20a710)
…SQL (apache#38663) (cherry picked from commit 12d38e1)
* Improve stability of remove_task_decorator function * fix statics * test * remove test --------- Co-authored-by: Sam Wheating <[email protected]> (cherry picked from commit f1301da)
Co-authored-by: Wei Lee <[email protected]> (cherry picked from commit 32c88a2)
…get_sorted_triggers queries (apache#38664) (cherry picked from commit 8246a89)
* Add a task instance dependency for mapped dependencies (apache#37091) --------- Co-authored-by: Tzu-ping Chung <[email protected]> (cherry picked from commit e2df442)
…he#38678) We have now a separate job that prepares and uploads artifacts when PROD image is being prepared for K8S testing. This saves a bit of time to prepare PROD image. However this step had a bug - it checked out the `main` version of code when preparing airflow and provider packages, so it was really testing the "previous" merge not the "current" PR. This PR switches the job to prepare artifacts to use the same checkout strategy as the other build-image workflow jobs. (cherry picked from commit eb541ae)
The image tag makes no difference. While we are using the image to run Helm tests (for now) the fact that we are using specific image shoudl not be part of the job name (it's printed in the steps when the image is pulled). (cherry picked from commit 7526440)
…che#38601) Depending on selective checks, but also on the job executed, we choose whether to run job on public runners or self-hosted runners. So far the set of labels to select the runners were passed in a bit inconsistent way. Outputs of selective checks can only be strings and the `run-as` accepts array of strings (labels) - so we were using fromJSON to convert between the two. And we used runs-on inputs on a number of our workflows to pass the selection. However this meant that runs-on could be either string or array and that sometimes we passed public/self-hosted labels as strings directly and some of those were hard-coded. This PR changes it consistently across the board to introduce consistent approach: * build info have no selective checks results yet, so for them runs-on is hardcoded * similarly for "windows" and release jobs that are manually run without running selective checks * selective checks will produce three outuputs - JSON stringiified array of labels: * default (one that is selected depending on who runs the build) * public (for cases where we want to force the builds to use public runners * self-hosted (for cases where we want to force the builds to use self-hosted runners * all the outputs are named `<type>-runs-on-as-string` to make it clear they are all strings * all inputs of workflows expectings strings are named the same (with as-string suffix and <type> prefix) * whenever a job is run, we pass "runs-on" parameter to be `fromJSON` with appropriate type we want to use passed as input This will make it easier to reason on which job is using which type of runner and it will make it easier in the future to make it more flexible when we add ASF self-hosted runners and possibly our own K8S runners, or when we would want to change labels for public runners or self-hosted runners. (cherry picked from commit 9da08a5)
The "UPGRADE_TO_NEWER_DEPENDENCIES" build arg was a bit misleading as it was not a true/false value but rather "random hash"/"false". This PR makes it a bit more explicit: * the arg is named UPGRADE_INVALIDATION_STRING now * it's default is "" not false and all conditions are set to check for != or == "". The inputs/outputs in CI job remain as they were - "true/false" but this PR makes it clearer. (cherry picked from commit 1934c8b)
(cherry picked from commit 6ef381b)
…pache#38617) The apache#37818 bumped requirement for google-cloud-aiplatform to a version that requires Pydantic so we need to remove it when we are running "no-pydantic" tests. The tests that import it should be skipped when the dependency is removed. (cherry picked from commit 69df34e)
|
There are some tests failing because there was an increase in the number of queries. I'll check it out this week. |
shahar1
approved these changes
Jul 25, 2024
Apologies for the late response - couple of comments before merging:
Please let me know when you're done, and I'll re-approve and hopefully merge :) |
|
Hey @shahar1, I've included the docs and I've dug a little more about the query count test and the difference is during the As we included more permissions at the DAG level, we expect an increase in the number of queries during the sync: airflow/airflow/providers/fab/auth_manager/security_manager/override.py Lines 1120 to 1123 in 27ba034 Do you think we can increase the query count for this test? |
… in dag level and it will increase the calls in _sync_perm_for_dag apache#40703 (comment)
joaopamaral
commented
Aug 6, 2024
shahar1
approved these changes
Aug 8, 2024
ephraimbuddy
added a commit
to astronomer/airflow
that referenced
this pull request
Aug 11, 2024
…apache#40703)" This reverts commit 090607d.
|
I think that one caused problem #41540 (comment) - it does not seem backwards-compatible with the previous fab provider. |
43 tasks
|
It looks like this change implies dependencies between Airflow core and fab provider and new version of fab provider requires changes also in Airflow core, thus fab provider should have constraint apache-airflow>=2.9.X? It looks like for Airflow 2.9.1 this version of fab provider is not backward compatible |
@ekosteev - do you see some evidence of this ? The issue here: #41540 (comment) - made the earlier FAB providers not compatible for 2.10.0 -> which shoudl be fixed in #41540, but I have not seen/ compatibility issues with earlier airflow versions (It passed all the compatibility tests at the very least) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR extends Dag's
access_controlfeature to allow Dag Run resource permissions. For example, it can allow only some selected Dag with trigger permission for a specific role.closes: #37329
Validation:
can_create DAG Runsandcan_delete DAGsfromUserrole.can_create DAG Runsin dag tutorial andcan_delete DAGin dag tutorial2.^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in newsfragments.