
Disable default allowing the testing of connections in UI, API and CLI #32052


@pankajkoti pankajkoti commented Jun 21, 2023

With this PR, the test connection functionality will be disabled
by default across Airflow UI, API and CLI. The availability of the
functionality can be controlled by the test_connection flag in
the core section of the Airflow configuration (airflow.cfg).
It can also be controlled by the environment variable
AIRFLOW__CORE__TEST_CONNECTION.

The following values are accepted for this config param:

  1. Disabled: Disables the test connection functionality and
    disables (greys out) the Test Connection button in the UI.
    This is also the default value set in the Airflow configuration.
  2. Enabled: Enables the test connection functionality and
    activates the Test Connection button in the UI.
  3. Hidden: Disables the test connection functionality and
    hides the Test Connection button in UI.


@boring-cyborg boring-cyborg bot added area:UI Related to UI/UX. For Frontend Developers. area:webserver Webserver related Issues labels Jun 21, 2023
@pankajkoti pankajkoti force-pushed the disable-default-test-connection-functionality-on-ui branch 3 times, most recently from 2b38466 to 1a5678a Compare June 22, 2023 18:22

@o-nikolas o-nikolas left a comment


Nice!


@jedcunningham jedcunningham left a comment


We also need to disable endpoints that serve this functionality! It can't be a UI only thing.

@pankajkoti pankajkoti requested a review from bbovenzi June 23, 2023 09:04
@pankajkoti pankajkoti force-pushed the disable-default-test-connection-functionality-on-ui branch from f1dfe9f to 036dd59 Compare June 24, 2023 13:44
@pankajkoti pankajkoti force-pushed the disable-default-test-connection-functionality-on-ui branch from 2af54f5 to 9ba87b8 Compare June 24, 2023 13:52

@potiuk potiuk left a comment


Few small nits, but LGTM

@pankajkoti pankajkoti marked this pull request as ready for review June 24, 2023 17:25
@pankajkoti pankajkoti force-pushed the disable-default-test-connection-functionality-on-ui branch from 51652f9 to dc44dfa Compare June 24, 2023 18:10
@pankajkoti pankajkoti changed the title Disable allowing by default testing of connnections in UI Disable allowing by default the testing of connections in UI, API and CLI Jun 24, 2023
@pankajkoti pankajkoti changed the title Disable allowing by default the testing of connections in UI, API and CLI Disable default allowing the testing of connections in UI, API and CLI Jun 24, 2023
@pankajkoti pankajkoti requested a review from potiuk June 24, 2023 18:18

potiuk commented Jun 27, 2023

We also need a significant newsfragment for that one @pankajkoti


pankajkoti commented Jun 27, 2023

> We also need a significant newsfragment for that one @pankajkoti

Thank you. Naive to add this one. Added one by following the guideline here which says it can be like a git commit message for significant types and also taking reference of this PR

@pankajkoti pankajkoti force-pushed the disable-default-test-connection-functionality-on-ui branch from 35d4232 to 4a52e3e Compare June 27, 2023 08:46
@pankajkoti
Member Author

The tests are failing because of an unrelated error

=========================== short test summary info ============================
FAILED tests/providers/amazon/aws/triggers/test_athena.py::TestAthenaTrigger::test_run_success - TypeError: async_wait() got an unexpected keyword argument 'max_attempts'
=========== 1 failed, 1890 passed, 19 warnings in 898.71s (0:14:58) ============

Looks like the PR which added this change is reverted now. I will rebase now.

Users can enable test connection functionality in UI with caution
by setting the `enable_test_connection` key to `True` in the
`[webserver]` section of airflow.cfg or by setting the environment
variable `AIRFLOW__WEBSERVER__ENABLE_TEST_CONNECTION` to `True`.
@pankajkoti pankajkoti force-pushed the disable-default-test-connection-functionality-on-ui branch from 4a52e3e to 934c1e4 Compare June 27, 2023 09:51

potiuk commented Jun 27, 2023

One more small comment. I've been thinking about it.. Currently we have this but only in comments.

> Before setting this to Enabled, make sure that you review the users who are able to add/edit
> connections and ensure they are trusted. Connection testing can be done maliciously leading to
> undesired and insecure outcomes.

Should we also add some more information (link to the right part of the security model documentation once we merge #32098 should be enough) - both in the newsfragment (effectively release notes) and in the place in documentation where we explain test connection, to explain why it is - potentially - dangerous to enable test connection?

I think we should be very explicit about it if we want to make our model influence decisions of our users.


pankajkoti commented Jun 27, 2023

yes makes sense. Which part of the PR would we like to link it to? Some section in this file docs/apache-airflow/security/index.rst ?

Will wait for the PR to be merged and then link it here.
I am also thinking to reword Deployment admin -> Deployment Manager as was suggested earlier and in the security model. Will do that too when I link the section in my next commit.


potiuk commented Jun 27, 2023

> yes makes sense. Which part of the PR would we like to link it to? Some section in this file docs/apache-airflow/security/index.rst ?

Likely. docs/apache-airflow/security/index.rst#capabilities_of_authenticated_ui_users if I got it right :)


potiuk commented Jun 27, 2023

Or maybe better will be to add reference and link to it. I might add it now.

@pankajkoti pankajkoti added this to the Airflow 2.7.0 milestone Jun 30, 2023
@potiuk potiuk merged commit e4c3ecf into apache:main Jul 4, 2023
42 checks passed
@ephraimbuddy ephraimbuddy added the type:improvement Changelog: Improvements label Jul 6, 2023
pankajkoti added a commit to astronomer/airflow that referenced this pull request Aug 12, 2023
Following up PR apache#32052 the test connection is
disabled in UI, API and CLI. The API and CLI strictly check for the
config value to be set as `Enabled` for the functionality to be enabled,
whereas the UI just checks that it is not set to `Disabled`. As a result
setting values to the config param other than `Disabled`, enables the
button in the UI. Even though the button gets enabled, the API forbids
it as there is a strict check in the API that the value is set to
`Enabled` and only then allows, however, it makes sense to also strictly
check in the UI that value is set to `Enabled`.
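
Added example (not code from this PR or from Airflow): a small Python model of the setting from the PR description and of the UI/API mismatch described in the commit message above. The function names and sample values are constructed, and handling `Hidden` before the `Disabled` comparison in the UI is an assumption.

```python
import os

ENV_VAR = "AIRFLOW__CORE__TEST_CONNECTION"  # environment variable named in the PR description
DEFAULT = "Disabled"                         # default stated in the PR description


def resolve_setting(environ=None, cfg_value=None):
    """Raw setting: the environment variable overrides airflow.cfg, else the default."""
    environ = os.environ if environ is None else environ
    return environ.get(ENV_VAR, DEFAULT if cfg_value is None else cfg_value)


def api_allows(value):
    """Allow-list check described for the API and CLI: only `Enabled` passes.
    Case and whitespace handling are not modelled here."""
    return value == "Enabled"


def ui_button_before_fix(value):
    """Deny-list check described for the UI: anything but `Disabled` activates the button."""
    if value == "Hidden":  # assumption: Hidden is handled before the comparison
        return "hidden"
    return "disabled" if value == "Disabled" else "active"


def ui_button_strict(value):
    """UI check after the follow-up: the button is active only for `Enabled`."""
    if value == "Hidden":
        return "hidden"
    return "active" if value == "Enabled" else "disabled"


def audit(values, ui_check):
    """Values for which the UI offers the button although the API would refuse."""
    return [v for v in values if ui_check(v) == "active" and not api_allows(v)]


# Constructed inputs: the three documented values plus plausible operator mistakes.
SAMPLES = ["Disabled", "Enabled", "Hidden", "True", "1", "Enabld", ""]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v!r:12} api={api_allows(v)!s:5} ui_before={ui_button_before_fix(v):8} "
              f"ui_strict={ui_button_strict(v)}")
    print("mismatches before fix:", audit(SAMPLES, ui_button_before_fix))
    print("mismatches after fix: ", audit(SAMPLES, ui_button_strict))
```

Running `audit` over a deployment's own candidate values shows which of them only the deny-list check would have accepted.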
hussein-awala pushed a commit that referenced this pull request Aug 12, 2023
ephraimbuddy pushed a commit that referenced this pull request Aug 14, 2023

(cherry picked from commit 50765eb)
ferruzzi pushed a commit to aws-mwaa/upstream-to-airflow that referenced this pull request Aug 17, 2023
…3342)

ahidalgob pushed a commit to GoogleCloudPlatform/composer-airflow that referenced this pull request May 15, 2024

(cherry picked from commit 50765eb0883652c16b40d69d8a1ac78096646610)

GitOrigin-RevId: eda4bc4b87deb6095cb009825ace9bf87eead369