Move access_denied_message webserver config to fab

Author: pierrejeambrun

airflow-core/src/airflow/cli/commands/config_command.py

@@ -379,6 +379,10 @@ def message(self) -> str | None:
         config=ConfigParameter("webserver", "session_lifetime_minutes"),
         renamed_to=ConfigParameter("fab", "session_lifetime_minutes"),
     ),
+    ConfigChange(
+        config=ConfigParameter("webserver", "access_denied_message"),
+        renamed_to=ConfigParameter("fab", "access_denied_message"),
+    ),
     ConfigChange(
         config=ConfigParameter("webserver", "base_url"),
         renamed_to=ConfigParameter("api", "base_url"),

airflow-core/src/airflow/config_templates/config.yml

@@ -1684,13 +1684,6 @@ operators:
 webserver:
   description: ~
   options:
-    access_denied_message:
-      description: |
-        The message displayed when a user attempts to execute actions beyond their authorised privileges.
-      version_added: 2.7.0
-      type: string
-      example: ~
-      default: "Access is Denied"
     secret_key:
       description: |
         Secret key used to run your api server. It should be as random as possible. However, when running

airflow-core/src/airflow/configuration.py

@@ -355,6 +355,7 @@ def sensitive_config_values(self) -> set[tuple[str, str]]:
         ("api", "ssl_key"): ("webserver", "web_server_ssl_key", "3.0"),
         ("api", "access_logfile"): ("webserver", "access_logfile", "3.0"),
         ("triggerer", "capacity"): ("triggerer", "default_capacity", "3.0"),
+        ("fab", "access_denied_message"): ("webserver", "access_denied_message", "3.0.1"),
     }
 
     # A mapping of new section -> (old section, since_version).

providers/fab/provider.yaml

@@ -56,6 +56,13 @@ config:
   fab:
     description: This section contains configs specific to FAB provider.
     options:
+      access_denied_message:
+        description: |
+          The message displayed when a user attempts to execute actions beyond their authorised privileges.
+        version_added: 2.0.3
+        type: string
+        example: ~
+        default: "Access is Denied"
       auth_rate_limited:
         description: |
           Boolean for enabling rate limiting on authentication endpoints.

providers/fab/src/airflow/providers/fab/get_provider_info.py

@@ -30,6 +30,13 @@ def get_provider_info():
             "fab": {
                 "description": "This section contains configs specific to FAB provider.",
                 "options": {
+                    "access_denied_message": {
+                        "description": "The message displayed when a user attempts to execute actions beyond their authorised privileges.\n",
+                        "version_added": "2.0.3",
+                        "type": "string",
+                        "example": None,
+                        "default": "Access is Denied",
+                    },
                     "auth_rate_limited": {
                         "description": "Boolean for enabling rate limiting on authentication endpoints.\n",
                         "version_added": "1.0.2",

providers/fab/src/airflow/providers/fab/www/auth.py

@@ -61,7 +61,7 @@
 
 
 def get_access_denied_message():
-    return conf.get("webserver", "access_denied_message")
+    return conf.get("fab", "access_denied_message")
 
 
 def has_access_with_pk(f):