A utility function to invoke the `assert_permissions` method on the global security manager. If no global `SecurityManager` is defined (NoAuthConfig), all resources are permitted. If a SecurityManager exists but no user context and actions are requested, deny access for security. I
(
resources: list[FeastObject],
actions: Union[AuthzedAction, List[AuthzedAction]],
)
| 166 | |
| 167 | |
| 168 | def permitted_resources( |
| 169 | resources: list[FeastObject], |
| 170 | actions: Union[AuthzedAction, List[AuthzedAction]], |
| 171 | ) -> list[FeastObject]: |
| 172 | """ |
| 173 | A utility function to invoke the `assert_permissions` method on the global security manager. |
| 174 | |
| 175 | If no global `SecurityManager` is defined (NoAuthConfig), all resources are permitted. |
| 176 | If a SecurityManager exists but no user context and actions are requested, deny access for security. |
| 177 | If a SecurityManager exists but user is intra-communication, allow access. |
| 178 | |
| 179 | Args: |
| 180 | resources: The resources for which we need to enforce authorized permission. |
| 181 | actions: The requested actions to be authorized. |
| 182 | Returns: |
| 183 | list[FeastObject]]: A filtered list of the permitted resources, possibly empty. |
| 184 | """ |
| 185 | |
| 186 | sm = get_security_manager() |
| 187 | if not is_auth_necessary(sm): |
| 188 | # Check if this is NoAuthConfig (no security manager) vs missing user context vs intra-communication |
| 189 | if sm is None: |
| 190 | # NoAuthConfig: allow all resources |
| 191 | logger.debug("NoAuthConfig enabled - allowing access to all resources") |
| 192 | return resources |
| 193 | elif sm.current_user is not None: |
| 194 | # Intra-communication user: allow all resources |
| 195 | logger.debug("Intra-communication user - allowing access to all resources") |
| 196 | return resources |
| 197 | else: |
| 198 | # Security manager exists but no user context - deny access for security |
| 199 | logger.warning( |
| 200 | "Security manager exists but no user context - denying access to all resources" |
| 201 | ) |
| 202 | return [] |
| 203 | return sm.assert_permissions(resources=resources, actions=actions, filter_only=True) # type: ignore[union-attr] |
| 204 | |
| 205 | |
| 206 | """ |