List only connections, pools and variables the user has access to #55298
+592
−43
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vincbeck
requested review from
ephraimbuddy,
pierrejeambrun,
rawwar,
jason810496,
bugraoz93 and
shubhamraj-git
as code owners
| :param method: the method to filter on | ||
| :param session: the session | ||
| """ | ||
| stmt = select(Connection.conn_id, Team.name).join(Team, Connection.team_id == Team.id, isouter=True) |
There was a problem hiding this comment.
Forgive me for not being up to date on this effort, but I'm a bit concerned this method is misleading. Connections don't just come from the db, so you are really just getting a partial list. Was that considered?
There was a problem hiding this comment.
And to make it more tricky, secret backends don't even support listing connections from the backend...
There was a problem hiding this comment.
No worries :) I agree this is confusing.
But I am interested by the connections returned by the API get_connections. This API retrieves connections only from the DB with this code:
connection_select, total_entries = paginated_select(
statement=select(Connection),
filters=[connection_id_pattern],
order_by=order_by,
offset=offset,
limit=limit,
session=session,
)
connections = session.scalars(connection_select)
So I assume the get_connections API only care about connections from the DB?
bugraoz93
approved these changes
Sep 5, 2025
vincbeck
force-pushed
the
vincbeck/get_authorized
branch
from
6d65e9f to
af89fe8
Compare
vincbeck
force-pushed
the
vincbeck/get_authorized
branch
from
af89fe8 to
b9c5d5e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduce the following methods in auth manager to list only resources (connections, pools and variables) the user has access to. With Fab auth manager you cannot define fine grained access on these resources (e.g. User
Xhas access to connectiontestonly) but with different auth managers such as Keycloak you can.get_authorized_connectionsfilter_authorized_connectionsget_authorized_poolsfilter_authorized_poolsget_authorized_variablesfilter_authorized_variables^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in airflow-core/newsfragments.