diff --git a/.github/actions/terraform-deploy-sm2a/action.yml b/.github/actions/terraform-deploy-sm2a/action.yml index aad783da..2ccaabd6 100644 --- a/.github/actions/terraform-deploy-sm2a/action.yml +++ b/.github/actions/terraform-deploy-sm2a/action.yml @@ -54,4 +54,3 @@ runs: run: | cd ./infrastructure terraform output -json Airflow_url > ${HOME}/output_sm2a_workflows_endpoint.json - diff --git a/sm2a/README.md b/sm2a/README.md index 56536384..b007aea9 100644 --- a/sm2a/README.md +++ b/sm2a/README.md @@ -178,3 +178,20 @@ The retrieved secrets are then stored in a .env file. The [python-dotenv](https://pypi.org/project/python-dotenv/) library is used to access the variables stored in the .env file. These variables can now be used within your DAG tasks. +## DAG Launcher Role Overview +The DAG Launcher role in Airflow is designed to provide users with the necessary permissions to manage and launch DAGs +in the Airflow UI. This role allows users to perform actions such as reading DAG runs, +and interacting with various views like Task Instances, Jobs, and XComs. + +The permissions granted are tailored to streamline the interaction with the DAG management interface, +enabling effective monitoring and control over DAG executions. + +### Key Permissions Assigned to the DAG Launcher Role: +- Permission on Dag runs for `veda_discover`, `veda_dataset_pipeline`, `veda_collection_pipeline` +- Read access to "My Profile", "DAG Runs", "Jobs", "Task Instances", "XComs", "DAG Dependencies", "Task Logs", and "Website". +- Create, Read, Edit, and Menu Access for DAG runs and DAG-related views (e.g., DAGs, Documentation). +- Edit access to specific DAGs like veda_discover. +- Integrating GitHub Users with the Airflow DAG UI +To grant users access to the Airflow UI, including the ability to manage DAGs and view the Swagger interface, +GitHub users must be added to a GitHub [team](https://github.com/orgs/NASA-IMPACT/teams/veda-dag-launcher). + diff --git a/sm2a/airflow_services/webserver_config.py b/sm2a/airflow_services/webserver_config.py index 83985431..1d05122d 100644 --- a/sm2a/airflow_services/webserver_config.py +++ b/sm2a/airflow_services/webserver_config.py @@ -77,6 +77,7 @@ AUTH_ROLES_MAPPING = { "Viewer": ["Viewer"], "Admin": ["Admin"], + "Dag_Launcher": ["DAG Launcher"], } # If you wish, you can add multiple OAuth providers. OAUTH_PROVIDERS = [ @@ -102,9 +103,11 @@ FAB_ADMIN_ROLE = "Admin" FAB_VIEWER_ROLE = "Viewer" +FAB_DAG_LAUNCHER_ROLE = "Dag_Launcher" FAB_PUBLIC_ROLE = "Public" # The "Public" role is given no permissions TEAM_ID_A_FROM_GITHUB = os.getenv("GH_ADMIN_TEAM_ID") TEAM_ID_B_FROM_GITHUB = os.getenv("GH_USER_TEAM_ID") +TEAM_ID_DAG_LAUNCHER_FROM_GITHUB = os.getenv("GH_DAG_LAUNCHER_TEAM_ID") def team_parser(team_payload: dict[str, Any]) -> list[int]: @@ -119,6 +122,7 @@ def map_roles(team_list: list[int]) -> list[str]: team_role_map = { TEAM_ID_A_FROM_GITHUB: FAB_ADMIN_ROLE, TEAM_ID_B_FROM_GITHUB: FAB_VIEWER_ROLE, + TEAM_ID_DAG_LAUNCHER_FROM_GITHUB: FAB_DAG_LAUNCHER_ROLE, } return list(set(team_role_map.get(team, FAB_PUBLIC_ROLE) for team in team_list)) @@ -141,7 +145,6 @@ def get_oauth_user_info( team_data = remote_app.get("user/teams") teams = team_parser(team_data.json()) roles = map_roles(teams) - log.debug(f"User info from Github: {user_data}\nTeam info from Github: {teams}") print(f"User info from Github: {user_data}\nTeam info from Github: {teams}") return {"username": "github_" + user_data.get("login"), "role_keys": roles} diff --git a/sm2a/infrastructure/locals.tf b/sm2a/infrastructure/locals.tf index 8cd5b4eb..e01bbefd 100644 --- a/sm2a/infrastructure/locals.tf +++ b/sm2a/infrastructure/locals.tf @@ -1,6 +1,6 @@ provider "aws" { - alias = "aws_current" - region = var.aws_region + alias = "aws_current" + region = var.aws_region } data "aws_caller_identity" "current" {} diff --git a/sm2a/infrastructure/main.tf b/sm2a/infrastructure/main.tf index 41d610e8..f4a63992 100644 --- a/sm2a/infrastructure/main.tf +++ b/sm2a/infrastructure/main.tf @@ -69,6 +69,10 @@ module "sma-base" { { name = "GH_USER_TEAM_ID" value = var.gh_user_team_id + }, + { + name = "GH_DAG_LAUNCHER_TEAM_ID" + value = var.gh_dag_launcher_team_id } @@ -89,7 +93,7 @@ module "sma-base" { STAC_INGESTOR_API_URL = var.stac_ingestor_api_url STAC_URL = var.stac_url VECTOR_SECRET_NAME = var.vector_secret_name - ASSUME_ROLE_READ_ARN = var.assume_role_read_arn + ASSUME_ROLE_READ_ARN = var.assume_role_read_arn ASSUME_ROLE_WRITE_ARN = var.assume_role_write_arn } } diff --git a/sm2a/infrastructure/s3_event_bridge_lambda.tf b/sm2a/infrastructure/s3_event_bridge_lambda.tf index f0aca022..97d0b4ed 100644 --- a/sm2a/infrastructure/s3_event_bridge_lambda.tf +++ b/sm2a/infrastructure/s3_event_bridge_lambda.tf @@ -163,7 +163,7 @@ resource "aws_lambda_permission" "s3_invoke" { resource "aws_s3_bucket_notification" "bucket_notification" { - count = var.eis_storage_bucket_name != "null" ? 1 : 0 + count = var.eis_storage_bucket_name != "null" ? 1 : 0 bucket = var.eis_storage_bucket_name lambda_function { diff --git a/sm2a/infrastructure/variables.tf b/sm2a/infrastructure/variables.tf index b2ec0b5d..e202f3d3 100644 --- a/sm2a/infrastructure/variables.tf +++ b/sm2a/infrastructure/variables.tf @@ -122,26 +122,26 @@ variable "stac_url" { } variable "vector_secret_name" { - type = string + type = string default = "null" } variable "eis_storage_bucket_name" { - type = string + type = string default = "null" } variable "eis_s3_invoke_filter_prefix" { - type = string + type = string default = "null" } variable "sm2a_secret_manager_name" { - type = string + type = string default = "null" } variable "target_dag_id" { - type = string + type = string default = "null" } @@ -174,11 +174,14 @@ variable "workers_task_retries" { } variable "assume_role_read_arn" { - type = string + type = string default = "" } variable "assume_role_write_arn" { - type = string + type = string default = "" } +variable "gh_dag_launcher_team_id" { + default = "VEDA-DAG-Launcher" +} diff --git a/sm2a/scripts/create_sm2a_role.py b/sm2a/scripts/create_sm2a_role.py new file mode 100644 index 00000000..b753518a --- /dev/null +++ b/sm2a/scripts/create_sm2a_role.py @@ -0,0 +1,57 @@ +from airflow.www.app import create_app + + +def create_dag_launcher_role(): + app = create_app() + with app.app_context(): + security_manager = app.appbuilder.sm + role_name = "DAG Launcher" + + # Define permissions + permissions = [ + ("can_read", "My Profile"), + ("can_create", "DAG Runs"), + ("can_read", "DAG Runs"), + ("can_edit", "DAG Runs"), + ("menu_access", "DAG Runs"), + ("menu_access", "Browse"), + ("can_read", "Jobs"), + ("menu_access", "Jobs"), + ("can_read", "Task Instances"), + ("menu_access", "Task Instances"), + ("can_read", "XComs"), + ("menu_access", "DAGs"), + ("menu_access", "Documentation"), + ("menu_access", "Docs"), + ("can_read", "DAG Dependencies"), + ("can_read", "Task Logs"), + ("can_read", "Website"), + ("can_edit", "DAG:veda_discover"), + ("can_read", "DAG:veda_discover"), + ("can_edit", "DAG:veda_dataset_pipeline"), + ("can_read", "DAG:veda_dataset_pipeline"), + ("can_edit", "DAG:veda_collection_pipeline"), + ("can_read", "DAG:veda_collection_pipeline") + ] + + # Check if the role exists, create it if not + role = security_manager.find_role(role_name) + if not role: + role = security_manager.add_role(role_name) + + # Assign permissions to the role + for perm_name, view_menu_name in permissions: + # Ensure the menu exists + security_manager.add_permissions_menu(view_menu_name) + + # Ensure permission exists + permission = security_manager.get_permission(perm_name, view_menu_name) + if permission and permission not in role.permissions: + security_manager.add_permission_to_role(role, permission) + + print(f"Role '{role_name}' created with specified permissions.") + + +# Execute the script +if __name__ == "__main__": + create_dag_launcher_role()