# Security Management

Core security management functionality providing authentication, authorization, session management, and security configuration. This module serves as the foundation for all security operations in the Airflow FAB integration.

## Capabilities

### Authentication Methods

Authenticate users using various backends including database, LDAP, OAuth, OpenID, and remote user authentication.

```python { .api }
def auth_user_db(self, username: str, password: str) -> User | None:
    """
    Authenticate user using database credentials.

    Parameters:
    - username: Username or email address
    - password: Plain text password to verify

    Returns:
    User object if authenticated successfully, None otherwise
    """

def auth_user_ldap(self, username: str, password: str) -> User | None:
    """
    Authenticate user using LDAP/Active Directory.

    Parameters:
    - username: LDAP username
    - password: LDAP password

    Returns:
    User object if authenticated successfully, None otherwise
    """

def auth_user_oauth(self, userinfo: dict) -> User | None:
    """
    Authenticate user using OAuth provider information.

    Parameters:
    - userinfo: Dictionary containing user information from OAuth provider.
      Keys should match User model columns.

    Returns:
    User object if authenticated successfully, None otherwise
    """

def auth_user_oid(self, email: str) -> User | None:
    """
    Authenticate user using OpenID.

    Parameters:
    - email: User's email address from OpenID provider

    Returns:
    User object if authenticated successfully, None otherwise
    """

def auth_user_remote_user(self, username: str) -> User | None:
    """
    Authenticate user using remote user authentication (e.g., from web server).

    Parameters:
    - username: Username from remote authentication system

    Returns:
    User object if authenticated successfully, None otherwise
    """
```

### Password Management

Password reset and authentication statistics management for database authentication.

```python { .api }
def reset_password(self, userid: int, password: str) -> bool:
    """
    Reset user password for database authentication.

    Parameters:
    - userid: User ID to reset password for
    - password: New plain text password (will be hashed)

    Returns:
    True if password reset successfully, False otherwise
    """

def update_user_auth_stat(self, user: User, success: bool = True) -> None:
    """
    Update user authentication statistics.

    Parameters:
    - user: User object to update statistics for
    - success: Whether authentication attempt was successful
    """
```
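The database-auth path described above (`auth_user_db`, `update_user_auth_stat`, `reset_password`) as a self-contained model, added here as an example rather than the FAB security manager's own code. The `User` dataclass, `InMemorySecurityManager`, the PBKDF2 hash format and the `MAX_FAILURES` lockout threshold are assumptions for this example; the point it shows is constant-time verification, identical answers for unknown, locked and wrong-password cases, and stats that a reset clears.

```python
from __future__ import annotations
import hashlib, hmac, os
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class User:  # constructed stand-in for the FAB User model, only the columns touched here
    id: int
    username: str
    password: str = ""  # stored as "pbkdf2-sha256$<hex salt>$<hex digest>"
    login_count: int = 0
    fail_login_count: int = 0
    last_login: datetime | None = None

def hash_password(password: str, salt: bytes | None = None) -> str:
    # Salted PBKDF2 stands in for whichever hash the real manager delegates to.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"pbkdf2-sha256${salt.hex()}${digest.hex()}"

class InMemorySecurityManager:
    """Hypothetical model of the database-auth path: verify, record stats, reset."""
    MAX_FAILURES = 5  # assumed lockout threshold for this example, not a FAB setting
    def __init__(self) -> None:
        self.users: dict[int, User] = {}  # keyed by user id

    def update_user_auth_stat(self, user: User, success: bool = True) -> None:
        if success:
            user.login_count += 1
            user.fail_login_count = 0
            user.last_login = datetime.now(timezone.utc)
        else:
            user.fail_login_count += 1

    def auth_user_db(self, username: str, password: str) -> User | None:
        user = next((u for u in self.users.values() if u.username == username), None)
        if user is None or user.fail_login_count >= self.MAX_FAILURES:
            return None  # unknown or locked account: same answer as a wrong password
        salt = bytes.fromhex(user.password.split("$")[1])
        ok = hmac.compare_digest(hash_password(password, salt), user.password)
        self.update_user_auth_stat(user, success=ok)
        return user if ok else None

    def reset_password(self, userid: int, password: str) -> bool:
        user = self.users.get(userid)
        if user is None:
            return False  # invalid user id: report failure rather than raise
        user.password = hash_password(password)
        user.fail_login_count = 0  # a reset also clears the lockout counter
        return True
```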

### Session Management

Manage user sessions and JWT token handling for authentication state.

```python { .api }
def load_user(self, user_id: str) -> User:
    """
    Load user by ID for session management.

    Parameters:
    - user_id: String representation of user ID

    Returns:
    User object
    """

def load_user_jwt(self, _jwt_header: dict, jwt_data: dict) -> User:
    """
    Load user from JWT token data.

    Parameters:
    - _jwt_header: JWT header (unused)
    - jwt_data: JWT payload data containing user identity

    Returns:
    User object
    """

@staticmethod
def before_request() -> None:
    """
    Hook that runs before each request to set up user context.
    Sets flask g.user to current_user for request processing.
    """
```

### OAuth Integration

OAuth provider integration with support for multiple providers and token management.

```python { .api }
from typing import Callable

def oauth_user_info_getter(self, f: Callable) -> Callable:
    """
    Decorator to set OAuth user info getter function.

    Parameters:
    - f: Function that takes (sm, provider, response) and returns user info dict

    Returns:
    Decorated function
    """

def get_oauth_token_key_name(self, provider: str) -> str:
    """
    Get token key name for OAuth provider.

    Parameters:
    - provider: OAuth provider name

    Returns:
    Token key name (defaults to 'oauth_token')
    """

def get_oauth_token_secret_name(self, provider: str) -> str:
    """
    Get token secret name for OAuth provider.

    Parameters:
    - provider: OAuth provider name

    Returns:
    Token secret name (defaults to 'oauth_token_secret')
    """

def set_oauth_session(self, provider: str, oauth_response: dict) -> None:
    """
    Set OAuth session data for authenticated user.

    Parameters:
    - provider: OAuth provider name
    - oauth_response: Response from OAuth provider containing tokens
    """

def get_oauth_user_info(self, provider: str, resp: dict) -> dict:
    """
    Extract user information from OAuth provider response.

    Parameters:
    - provider: OAuth provider name ('github', 'google', 'azure', etc.)
    - resp: OAuth provider response

    Returns:
    Dictionary with user information (username, email, first_name, last_name, etc.)
    """
```
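How `get_oauth_user_info` and the `oauth_user_info_getter` decorator fit together, as an added example that is not the FAB implementation: the `OAuthUserInfo` class, the `USER_COLUMNS` allow-list and the two constructed provider payloads are assumptions, and the GitHub/Google field names are illustrative rather than a copy of the project's provider table. It shows the provider-prefixed username, the custom getter taking precedence, and provider data being limited to User model columns so a payload cannot set roles or flags.

```python
from __future__ import annotations
from typing import Callable

# Constructed provider payloads; the field names mirror what these providers commonly return.
GITHUB_RESP = {"login": "john_doe", "id": 42, "email": "john@example.com", "name": "John Doe"}
GOOGLE_RESP = {"id": "1001", "email": "john@example.com", "given_name": "John", "family_name": "Doe"}

# Only columns of the User model may come from a provider; anything else (roles, flags) is dropped.
USER_COLUMNS = {"username", "email", "first_name", "last_name"}
UserInfoGetter = Callable[["OAuthUserInfo", str, dict], dict]

class OAuthUserInfo:
    """Hypothetical helper normalizing provider responses into auth_user_oauth input."""

    def __init__(self) -> None:
        self._custom_getter: UserInfoGetter | None = None

    def oauth_user_info_getter(self, f: UserInfoGetter) -> UserInfoGetter:
        # Decorator: a deployment-specific getter replaces the built-in mapping below.
        self._custom_getter = f
        return f

    def get_oauth_user_info(self, provider: str, resp: dict) -> dict:
        if self._custom_getter is not None:
            info = self._custom_getter(self, provider, resp)
        elif provider == "github":
            first, _, last = str(resp.get("name", "")).partition(" ")
            info = {"username": "github_" + str(resp["login"]), "email": resp.get("email", ""),
                    "first_name": first, "last_name": last}
        elif provider == "google":
            info = {"username": "google_" + str(resp["id"]), "email": resp.get("email", ""),
                    "first_name": resp.get("given_name", ""), "last_name": resp.get("family_name", "")}
        else:
            return {}  # unknown provider: nothing to trust, caller treats it as a failed login
        # The provider prefix keeps "john_doe" from GitHub apart from "john_doe" from another IdP.
        info = {k: v for k, v in info.items() if k in USER_COLUMNS}
        return info if info.get("username") else {}
```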

### LDAP Integration

LDAP authentication with support for TLS, search filters, and user attribute mapping.

```python { .api }
@staticmethod
def ldap_extract(ldap_dict: dict[str, list[bytes]], field_name: str, fallback: str) -> str:
    """
    Extract single value from LDAP attribute dictionary.

    Parameters:
    - ldap_dict: LDAP attributes dictionary
    - field_name: Attribute name to extract
    - fallback: Default value if attribute is empty

    Returns:
    Decoded string value or fallback
    """

@staticmethod
def ldap_extract_list(ldap_dict: dict[str, list[bytes]], field_name: str) -> list[str]:
    """
    Extract list of values from LDAP attribute dictionary.

    Parameters:
    - ldap_dict: LDAP attributes dictionary
    - field_name: Attribute name to extract

    Returns:
    List of decoded string values
    """
```
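The two LDAP helpers above implemented against a constructed `dict[str, list[bytes]]` search result, plus the attribute-to-user mapping they exist to support. This is an added example, not the project's code: `LDAP_ENTRY`, `ROLES_MAPPING` (a group-DN to role table assumed for this example) and `user_from_ldap` are assumptions. It covers the edge cases the docstrings imply: a missing attribute, an attribute present but empty (fallback applies), multi-valued attributes, and undecodable bytes.

```python
from __future__ import annotations

# Constructed search result for one entry, in the dict[str, list[bytes]] shape LDAP clients return.
LDAP_ENTRY: dict[str, list[bytes]] = {
    "uid": [b"john_doe"],
    "givenName": [b"John"],
    "sn": [b"Doe"],
    "mail": [b"john@example.com", b"jdoe@example.com"],   # multi-valued: first wins for a scalar
    "memberOf": [b"CN=airflow_admins,OU=groups,DC=example,DC=com",
                 b"cn=staff,ou=groups,dc=example,dc=com"],
    "displayName": [],                                    # present but empty: fallback applies
    "description": [b"\xff\xfe not utf-8"],               # bad bytes must not crash the login
}

# Hypothetical group-DN -> roles table, keyed by lower-cased DN (constructed for this example).
ROLES_MAPPING = {"cn=airflow_admins,ou=groups,dc=example,dc=com": ["Admin"],
                 "cn=staff,ou=groups,dc=example,dc=com": ["Viewer"]}

def ldap_extract(ldap_dict: dict[str, list[bytes]], field_name: str, fallback: str) -> str:
    """Return the first value of an attribute as text, or the fallback if absent or empty."""
    values = ldap_dict.get(field_name, [])
    if not values:
        return fallback
    return values[0].decode("utf-8", errors="replace")

def ldap_extract_list(ldap_dict: dict[str, list[bytes]], field_name: str) -> list[str]:
    """Return every value of an attribute as text; a missing attribute yields an empty list."""
    return [v.decode("utf-8", errors="replace") for v in ldap_dict.get(field_name, [])]

def user_from_ldap(entry: dict[str, list[bytes]], username: str) -> dict:
    """Map LDAP attributes onto User fields and derive roles from group membership."""
    roles: set[str] = set()
    for group_dn in ldap_extract_list(entry, "memberOf"):
        roles.update(ROLES_MAPPING.get(group_dn.lower(), []))  # DNs compare case-insensitively
    return {
        "username": username,
        "first_name": ldap_extract(entry, "givenName", ""),
        "last_name": ldap_extract(entry, "sn", ""),
        "email": ldap_extract(entry, "mail", ""),
        "display_name": ldap_extract(entry, "displayName", username),
        "roles": sorted(roles),  # no matching group means no roles, never a default grant
    }
```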

### Security Configuration

Access to security configuration properties and settings.

```python { .api }
@property
def auth_type(self) -> int:
    """Get configured authentication type."""

@property
def auth_role_admin(self) -> str:
    """Get administrator role name."""

@property
def auth_role_public(self) -> str:
    """Get public/anonymous role name."""

@property
def auth_user_registration(self) -> bool:
    """Check if user self-registration is enabled."""

@property
def auth_username_ci(self) -> bool:
    """Check if username matching is case-insensitive."""

@property
def current_user(self) -> User | None:
    """Get current authenticated user."""
```

## Usage Examples

### Basic Authentication

```python
from airflow.www.fab_security.sqla.manager import SecurityManager

# security_manager is the application's SecurityManager instance (e.g. appbuilder.sm)

# Database authentication
user = security_manager.auth_user_db("john_doe", "password123")
if user:
    print(f"Authenticated user: {user.get_full_name()}")

    # Update authentication statistics
    security_manager.update_user_auth_stat(user, success=True)
```

### OAuth Authentication

```python
# OAuth user info from provider
oauth_userinfo = {
    'username': 'john_doe',
    'email': 'john@example.com',
    'first_name': 'John',
    'last_name': 'Doe'
}

user = security_manager.auth_user_oauth(oauth_userinfo)
if user:
    print(f"OAuth authenticated: {user.username}")
```

### Password Reset

```python
# Reset user password
user = security_manager.find_user(username="john_doe")
if user:
    security_manager.reset_password(user.id, "new_secure_password")
```

## Error Handling

Authentication methods return `None` on failure and log appropriate error messages. Password operations may raise exceptions for invalid user IDs or database errors.