Change menu action in AWS auth manager

Author: vincbeck

airflow/providers/amazon/aws/auth_manager/avp/entities.py

@@ -38,6 +38,7 @@ class AvpEntities(Enum):
     CUSTOM = "Custom"
     DAG = "Dag"
     DATASET = "Dataset"
+    MENU = "Menu"
     POOL = "Pool"
     VARIABLE = "Variable"
     VIEW = "View"

airflow/providers/amazon/aws/auth_manager/aws_auth_manager.py

@@ -513,17 +513,13 @@ def get_cli_commands() -> list[CLICommand]:
             ),
         ]
 
-    def _get_menu_item_request(self, resource_name: str) -> IsAuthorizedRequest:
-        menu_item_request = _MENU_ITEM_REQUESTS.get(resource_name)
-        if menu_item_request:
-            return menu_item_request
-        else:
-            self.log.info("The menu item '%s' is unknown. It must come from a plugin", resource_name)
-            return {
-                "method": "MENU",
-                "entity_type": AvpEntities.CUSTOM,
-                "entity_id": resource_name,
-            }
+    @staticmethod
+    def _get_menu_item_request(resource_name: str) -> IsAuthorizedRequest:
+        return {
+            "method": "MENU",
+            "entity_type": AvpEntities.MENU,
+            "entity_id": resource_name,
+        }
 
     def _has_access_to_menu_item(
         self, batch_is_authorized_results: list[dict], request: IsAuthorizedRequest, user: AwsAuthManagerUser

airflow/providers/amazon/aws/auth_manager/cli/schema.json

@@ -121,6 +121,12 @@
                     "resourceTypes": ["Dataset"]
                 }
             },
+            "Menu.MENU": {
+                "appliesTo": {
+                    "principalTypes": ["User"],
+                    "resourceTypes": ["Menu"]
+                }
+            },
             "Pool.DELETE": {
                 "appliesTo": {
                     "principalTypes": ["User"],
@@ -182,6 +188,7 @@
             "Custom": {},
             "Dag": {},
             "Dataset": {},
+            "Menu": {},
             "Pool": {},
             "Role": {},
             "User": {

tests/providers/amazon/aws/auth_manager/test_aws_auth_manager.py

@@ -523,55 +523,48 @@ def test_filter_permitted_menu_items(self, mock_get_user, auth_manager, test_use
             {
                 "request": {
                     "principal": {"entityType": "Airflow::User", "entityId": "test_user_id"},
-                    "action": {"actionType": "Airflow::Action", "actionId": "Connection.MENU"},
-                    "resource": {"entityType": "Airflow::Connection", "entityId": "*"},
+                    "action": {"actionType": "Airflow::Action", "actionId": "Menu.MENU"},
+                    "resource": {"entityType": "Airflow::Menu", "entityId": "Connections"},
                 },
                 "decision": "DENY",
             },
             {
                 "request": {
                     "principal": {"entityType": "Airflow::User", "entityId": "test_user_id"},
-                    "action": {"actionType": "Airflow::Action", "actionId": "Variable.MENU"},
-                    "resource": {"entityType": "Airflow::Variable", "entityId": "*"},
+                    "action": {"actionType": "Airflow::Action", "actionId": "Menu.MENU"},
+                    "resource": {"entityType": "Airflow::Menu", "entityId": "Variables"},
                 },
                 "decision": "ALLOW",
             },
             {
                 "request": {
                     "principal": {"entityType": "Airflow::User", "entityId": "test_user_id"},
-                    "action": {"actionType": "Airflow::Action", "actionId": "Dataset.MENU"},
-                    "resource": {"entityType": "Airflow::Dataset", "entityId": "*"},
+                    "action": {"actionType": "Airflow::Action", "actionId": "Menu.MENU"},
+                    "resource": {"entityType": "Airflow::Menu", "entityId": "Datasets"},
                 },
                 "decision": "DENY",
             },
             {
                 "request": {
                     "principal": {"entityType": "Airflow::User", "entityId": "test_user_id"},
-                    "action": {"actionType": "Airflow::Action", "actionId": "View.MENU"},
-                    "resource": {"entityType": "Airflow::View", "entityId": "CLUSTER_ACTIVITY"},
+                    "action": {"actionType": "Airflow::Action", "actionId": "Menu.MENU"},
+                    "resource": {"entityType": "Airflow::Menu", "entityId": "Cluster Activity"},
                 },
                 "decision": "DENY",
             },
             {
                 "request": {
                     "principal": {"entityType": "Airflow::User", "entityId": "test_user_id"},
-                    "action": {"actionType": "Airflow::Action", "actionId": "Dag.MENU"},
-                    "resource": {"entityType": "Airflow::Dag", "entityId": "*"},
-                    "context": {
-                        "contextMap": {
-                            "dag_entity": {
-                                "string": "AUDIT_LOG",
-                            }
-                        }
-                    },
+                    "action": {"actionType": "Airflow::Action", "actionId": "Menu.MENU"},
+                    "resource": {"entityType": "Airflow::Menu", "entityId": "Audit Logs"},
                 },
                 "decision": "ALLOW",
             },
             {
                 "request": {
                     "principal": {"entityType": "Airflow::User", "entityId": "test_user_id"},
-                    "action": {"actionType": "Airflow::Action", "actionId": "Custom.MENU"},
-                    "resource": {"entityType": "Airflow::Custom", "entityId": "CustomPage"},
+                    "action": {"actionType": "Airflow::Action", "actionId": "Menu.MENU"},
+                    "resource": {"entityType": "Airflow::Menu", "entityId": "CustomPage"},
                 },
                 "decision": "ALLOW",
             },
@@ -592,37 +585,36 @@ def test_filter_permitted_menu_items(self, mock_get_user, auth_manager, test_use
             ]
         )
 
+        """
+        return {
+            "method": "MENU",
+            "entity_type": AvpEntities.MENU,
+            "entity_id": resource_name,
+        }
+        """
+
         auth_manager.avp_facade.get_batch_is_authorized_results.assert_called_once_with(
             requests=[
                 {
                     "method": "MENU",
-                    "entity_type": AvpEntities.CONNECTION,
-                },
-                {
-                    "method": "MENU",
-                    "entity_type": AvpEntities.VARIABLE,
+                    "entity_type": AvpEntities.MENU,
+                    "entity_id": "Connections",
                 },
                 {
                     "method": "MENU",
-                    "entity_type": AvpEntities.DATASET,
+                    "entity_type": AvpEntities.MENU,
+                    "entity_id": "Variables",
                 },
                 {
                     "method": "MENU",
-                    "entity_type": AvpEntities.VIEW,
-                    "entity_id": AccessView.CLUSTER_ACTIVITY.value,
-                },
-                {
-                    "method": "MENU",
-                    "entity_type": AvpEntities.DAG,
-                    "context": {
-                        "dag_entity": {
-                            "string": DagAccessEntity.AUDIT_LOG.value,
-                        },
-                    },
+                    "entity_type": AvpEntities.MENU,
+                    "entity_id": "Datasets",
                 },
+                {"method": "MENU", "entity_type": AvpEntities.MENU, "entity_id": "Cluster Activity"},
+                {"method": "MENU", "entity_type": AvpEntities.MENU, "entity_id": "Audit Logs"},
                 {
                     "method": "MENU",
-                    "entity_type": AvpEntities.CUSTOM,
+                    "entity_type": AvpEntities.MENU,
                     "entity_id": "CustomPage",
                 },
             ],