airflow-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Riccomini (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (AIRFLOW-85) Create a viewer/editor roles for UI
Date Mon, 09 May 2016 22:43:12 GMT

    [ https://issues.apache.org/jira/browse/AIRFLOW-85?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15277214#comment-15277214
] 

Chris Riccomini edited comment on AIRFLOW-85 at 5/9/16 10:42 PM:
-----------------------------------------------------------------

Initial idea is to create a {{/dags}} view parallel to {{/admin}}. The {{/dags}} view would
have just the DAGs tab. The tab would filter the list to only show DAGs that the user is associated
with. It would still allow the user to see (and edit, if they're an editor) all of the DAGs
they're associated with--the stuff under the {{/admin/airflow}} path.

I think this would require a few things:

# A `viewer` role.
# An `editor` role.
# Some way to map viewers and editors to DAGs.
# Some way to map users to the viewer/editor role.

For (4), the idea of using [Flask principals|http://pythonhosted.org/Flask-Principal/] was
thrown around. This seems logical to me.

For (3), I'm not quite sure what to do here. Does Flask principals provide some group management
implementation? It seems ideal to manage this stuff from LDAP.


was (Author: criccomini):
Initial idea is to create a {{/dags}} view parallel to {{/admin}}. The {{/dags}} view would
have just the DAGs tab. The tab would filter the list to only show DAGs that the user is associated
with. I think this would require a few things:

# A `viewer` role.
# An `editor` role.
# Some way to map viewers and editors to DAGs.
# Some way to map users to the viewer/editor role.

For (4), the idea of using [Flask principals|http://pythonhosted.org/Flask-Principal/] was
thrown around. This seems logical to me.

For (3), I'm not quite sure what to do here. Does Flask principals provide some group management
implementation? It seems ideal to manage this stuff from LDAP.

> Create a viewer/editor roles for UI
> -----------------------------------
>
>                 Key: AIRFLOW-85
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-85
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security, ui
>            Reporter: Chris Riccomini
>
> Airflow currently provides only an {{/admin}} UI interface for the webapp. This UI provides
three distinct roles:
> * Admin
> * Data profiler
> * None
> In addition, Airflow currently provides the ability to log in, either via a secure proxy
front-end, or via LDAP/Kerberos, within the webapp.
> We run Airflow with LDAP authentication enabled. This helps us control access to the
UI. However, there is insufficient granularity within the UI. We would like to be able to
grant users the ability to:
> # View their DAGs, but no one else's.
> # Control their DAGs, but no one else's.
> This is not possible right now. You can take away the ability to access the connections
and data profiling tabs, but users can still see all DAGs, as well as control the state of
the DB by clearing any DAG status, etc.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message