Option 1 seems to be the winning choice. (If you disagree, there is still time 
to bring it up.)

Regarding the need for more details on the implementation and flow for creating 
and using the JWT token, what should be the next step? Jarek, you suggested 
creating an AIP, and I agree that this would help formalize a proposal with 
more details, enabling a more thoughtful decision. However, given the timeline, 
this will not be ready for Airflow 3.0.

What will be the recommended way to call the Airflow 3 API? Currently, there is 
no documented solution for calling the Airflow 3 public API, including JWT 
token creation and API calls.

One possible solution is to document the existing mechanism in main for 
creating a JWT token. This is the approach I described earlier in this thread: 
using APIs provided by auth managers. Each auth manager is responsible for 
creating the JWT token and then using it to make authorization decisions.

Everything is already implemented except for the documentation—we need to 
create documentation to explain the flow to users so they can use it to call 
the Airflow 3 public API.

To prepare for the future, we would also include a note in the documentation 
informing users that this approach is experimental/temporary and may change in 
the future.

What do you think?

On 2025/03/03 17:51:45 Vincent Beck wrote:
> Yes, 100%.
> 
> On 2025/03/03 17:33:55 Ash Berlin-Taylor wrote:
> > So is the auth manager involved in interpreting the JWT token into 
> > something more meaningful in order to make permission decisions etc then?
> > 
> > > On 3 Mar 2025, at 16:38, Vincent Beck <vincb...@apache.org> wrote:
> > > 
> > > JWT token created by FAB auth manager:
> > > ```
> > > {
> > >   "id": "12345789"
> > > }
> > > ```
> > > 
> > > JWT token created by simple auth manager:
> > > ```
> > > {
> > >   "username": "Test",
> > >   "role": "Admin"
> > > }
> > > ```
> > 
> > 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@airflow.apache.org
> For additional commands, e-mail: dev-h...@airflow.apache.org
> 
> 

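The flow discussed in this thread, sketched as an added example (not part of the original messages and not Airflow's code): each auth manager mints a signed token with its own claims, and only that manager can turn the claims back into a permission decision. `SimpleManager`, `IdManager`, `sign`, `verify`, the shared HS256 key and the id-to-role table are all hypothetical; the two payload shapes are the ones quoted above.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed value, not a real key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict) -> str:
    """Issue a compact HS256 JWT carrying the auth manager's own claims."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify(token: str) -> dict:
    """Pin the algorithm and check the signature before reading any claim."""
    head, body, sig = token.split(".")
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))

class SimpleManager:  # hypothetical stand-in for the simple auth manager
    def issue(self, username, role):
        return sign({"username": username, "role": role})
    def is_authorized(self, token, needed_role):
        claims = verify(token)
        if "role" not in claims:  # validly signed, but minted by another manager
            raise ValueError("claims not understood by this manager")
        return claims["role"] == needed_role

class IdManager:  # hypothetical stand-in for an id-only manager
    def __init__(self, users):
        self.users = users  # constructed id -> role lookup table
    def issue(self, user_id):
        return sign({"id": user_id})
    def is_authorized(self, token, needed_role):
        claims = verify(token)
        if "id" not in claims:
            raise ValueError("claims not understood by this manager")
        return self.users.get(claims["id"]) == needed_role
```

The payloads follow the thread and carry no `exp` claim; a production verifier would also enforce expiry.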