Migration help: CustomSecurityManager → New Authorization Standard Definitions

[zachliu]

Hi all — has anyone who’s implemented a custom CustomSecurityManager successfully migrated to the new authorization standard definitions. I’d appreciate any guidance or examples—especially regarding the rather general instruction to “refer to the SimpleAuthManager source code as an example for how you might use the ResourceMethod and resource_details components.” 🙏🙏🙏

[zachliu]

@zach-overflow 👋 hello the other zach! you are the author of the documentation, maybe you can help me out here? 🙏 🙏 🙏

i have something like this

class CustomSecurityManager(FabAirflowSecurityManagerOverride):
    """
    Custom Security Manager to:
        1. Map Auth0 roles to Airflow roles.
        2. Auto-manage Airflow user permissions.
    """

    # Apply the RESTRICTED_OP permissions to all Auth0 non-admin users
    RESTRICTED_OP_PERMISSIONS = [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_CODE),
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_RUN),
        ...

what should i use to replace these with?

[zach-overflow]

So the new security classes such as ResourceMethod and the various classes defined within the resource_details module are relevant for the AuthManager interface, which is different from FAB's SecurityManager concept. I'm going to work off the assumption that you are running Airflow version 3.x, in which case, I would definitely recommend reading through these prior issues to get an idea of the distinction, and how you might migrate to the AuthManager setup:

1. This very helpful comment clarifying the differences between the auth components in airflow-core, vs the auth concepts specific to only FAB.
2. This thread, which goes into more details about the authmanager and the authorization standard definitions.

As for how you replace the old code, I can't really give a definitive answer since each custom setup will be quite different. The best I can suggest is to read through the two links I shared above, and then take a look at some of the current AuthManager implementations in airflow-core and in providers to get an idea of how auth logic is handled in those.