airflow-commits mailing list archives

From "Chris Riccomini (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AIRFLOW-85) Create DAGs UI
Date Mon, 16 May 2016 17:29:13 GMT

    [ https://issues.apache.org/jira/browse/AIRFLOW-85?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15284880#comment-15284880 ]

Chris Riccomini commented on AIRFLOW-85:
----------------------------------------

Based on a cursory investigation of Flask-Login, Flask-Principal, and [flask-ldap3-login|https://pypi.python.org/pypi/flask-ldap3-login/],
it seems like we should use Flask-Login to handle login, Flask-Principal to manage user/group/roles,
and flask-ldap3-login as the LDAP auth for login.

There also appears to be at least one Flask-Login Kerberos plugin, which would give us parity
with the existing auth mechanism.

The question remains over how to manage viewer/edit access to specific DAGs. A simple approach
would be to define permissions inside the DAG constructor in Python:

{noformat}
{
  'criccomini': 'editor',
  'fbar': 'viewer',
}
{noformat}

We could then use Flask-Principal to load the appropriate {{Need}}s when a user authenticates.

> Create DAGs UI
> --------------
>
>                 Key: AIRFLOW-85
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-85
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security, ui
>            Reporter: Chris Riccomini
>
> Airflow currently provides only an {{/admin}} UI interface for the webapp. This UI provides three distinct roles:
> * Admin
> * Data profiler
> * None
> In addition, Airflow currently provides the ability to log in, either via a secure proxy front-end, or via LDAP/Kerberos, within the webapp.
> We run Airflow with LDAP authentication enabled. This helps us control access to the UI. However, there is insufficient granularity within the UI. We would like to be able to grant users the ability to:
> # View their DAGs, but no one else's.
> # Control their DAGs, but no one else's.
> This is not possible right now. You can take away the ability to access the connections and data profiling tabs, but users can still see all DAGs, as well as control the state of the DB by clearing any DAG status, etc.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
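
The per-DAG permission mapping proposed in the comment above, worked through as an added example; it is not code from the original message or from Airflow. It uses only the standard library, with a hypothetical `DagNeed` tuple standing in for a Flask-Principal need, and the names `ROLE_ACTIONS`, `needs_for_user`, `allowed`, `visible_dags` and the sample DAG ids are assumptions.

```python
from collections import namedtuple

# Hypothetical stand-in for a Flask-Principal item need: (action, DAG id).
DagNeed = namedtuple("DagNeed", ["action", "dag_id"])

# Actions each role grants. An editor can also view; any role not listed
# here grants nothing, so a typo in a DAG file fails closed.
ROLE_ACTIONS = {"viewer": {"view"}, "editor": {"view", "edit"}}


def needs_for_user(username, dag_permissions):
    """Return the set of DagNeeds a user holds once authenticated.

    dag_permissions maps dag_id -> {username: role}: the mapping from the
    comment, collected from every DAG definition.
    """
    provided = set()
    for dag_id, acl in dag_permissions.items():
        # Users absent from a DAG's mapping get no needs for it (default deny).
        for action in ROLE_ACTIONS.get(acl.get(username), ()):
            provided.add(DagNeed(action, dag_id))
    return provided


def allowed(provided, action, dag_id):
    """Check a single request against the needs loaded at login."""
    return DagNeed(action, dag_id) in provided


def visible_dags(provided):
    """DAG ids the user may see listed in the UI."""
    return sorted(n.dag_id for n in provided if n.action == "view")


# Constructed sample data: two DAGs, reusing the user names from the comment.
SAMPLE = {
    "etl_daily": {"criccomini": "editor", "fbar": "viewer"},
    "billing": {"criccomini": "viewer"},
}

if __name__ == "__main__":
    fbar = needs_for_user("fbar", SAMPLE)
    print(visible_dags(fbar), allowed(fbar, "edit", "etl_daily"))
```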
