Use is_authorized_* APIs in views

[vincbeck]

Use is_authorized_* APIs provided by the auth manager in views.

---

^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in newsfragments.

[uranusjr]

I wonder if we can refactor the giant if-elif chain into a dispatching dict. Something like…

@cache
def _get_auth_manager_map() -> dict[str, Callable[[str, BaseUser | None]]]:
    manager = get_auth_manager()
    actions = get_method_from_fab_action_map()
    return {
        RESOURCE_AUDIT_LOG: lambda action, user: manager.is_authorized_dag(
            method=actions[action], access_entity=DagAccessEntity.AUDIT_LOG, user=user,
        ),
        RESOURCE_CLUSTER_ACTIVITY: lambda action, user: manager.is_authorized_view(
            access_view=AccessView.CLUSTER_ACTIVITY, user=user,
        ),
        ...
    }

class AirflowSecirutyManagerV2(...):
    def _get_auth_manager_is_authorized_method(
        self, fab_action_name: str, fab_resource_name: str, user
    ) -> Callable[[str, BaseUser | None]] | None:
        return _get_auth_manager_map().get(fab_resource_name)

This could be easier to read (?) and also margianlly faster.

[vincbeck]

I wonder if we can refactor the giant if-elif chain into a dispatching dict. Something like…

@cache
def _get_auth_manager_map() -> dict[str, Callable[[str, BaseUser | None]]]:
    manager = get_auth_manager()
    actions = get_method_from_fab_action_map()
    return {
        RESOURCE_AUDIT_LOG: lambda action, user: manager.is_authorized_dag(
            method=actions[action], access_entity=DagAccessEntity.AUDIT_LOG, user=user,
        ),
        RESOURCE_CLUSTER_ACTIVITY: lambda action, user: manager.is_authorized_view(
            access_view=AccessView.CLUSTER_ACTIVITY, user=user,
        ),
        ...
    }

class AirflowSecirutyManagerV2(...):
    def _get_auth_manager_is_authorized_method(
        self, fab_action_name: str, fab_resource_name: str, user
    ) -> Callable[[str, BaseUser | None]] | None:
        return _get_auth_manager_map().get(fab_resource_name)

This could be easier to read (?) and also margianlly faster.

Agree, nice suggestion! Let me do that

[vincbeck]

Any takers on this one?

Spoiler alert! Once this PR merged I'll be able to create a PR to remove the deprecation warning currently raised:

/opt/airflow/airflow/auth/managers/fab/api_endpoints/user_endpoint.py:46 RemovedInAirflow3Warning: The 'requires_access' decorator is deprecated. Please use one of the decorator `requires_access_*`defined in airflow/api_connexion/security.py instead.

Could be cool to do this before the next Airflow release so users dont get deprecation warnings for nothing 👼

[o-nikolas]

I'm not super familiar with the auth code, but in general the PR looks reasonable to me!

[ephraimbuddy]

What's now the equivalent of this resource and logins resource?

[vincbeck]

I could not find this one used anywhere, that's why I removed it. Is it used somewhere?

[ephraimbuddy]

Can't find the usage too. LGTM