airflow-dev mailing list archives

From Maxime Beauchemin <maximebeauche...@gmail.com>
Subject Re: Role Based Access Control for Airflow UI
Date Tue, 13 Jun 2017 01:16:14 GMT
It would be nice to go with a framework for this. I did some
experimentation using FlaskAppBuilder to go in this direction. It provides
auth on different authentication backends out of the box (oauth, openid,
ldap, registration, ...), generates perms for each view that has an
@has_access decorator, generates a set of perms for each ORM model (show,
edit, delete, add, ...) and enforces it in the CRUD views as well as in the
generated REST api that you get for free as a byproduct of deriving FAB's
models (essentially it's SqlAlchemy with a layer on top).

I started a POC on FAB here a while ago:
https://github.com/mistercrunch/airflow_webserver at the time my main
motivation was the free/instantaneous REST api.

I think FAB is a decent fit as the porting should be fairly straightforward
(moving the flask views over and deprecating Flask-Admin in favor of FAB's
crud) though there were a few blockers. From memory I think FAB didn't like
the compound PKs we use in some of the Airflow models. We'd have to either
write a db migration script on the Airflow side, or add support for
compound keys to FAB (I recently became a maintainer of the project, so I
could help with that).

The only downside of FAB is that it's not as mature as something like
Django, but porting to Django would surely be much more work.

Then there's the flask-security suite, but that looks like a bit of a
patchwork to me, I guess we can pick and choose which we want to use.

Max

On Mon, Jun 12, 2017 at 12:50 PM, Dan Davydov <
dan.davydov@airbnb.com.invalid> wrote:

> Looks good to me in general, thanks for putting this together!
>
> I think the ability to integrate with external RBAC systems like LDAP is
> important (i.e. the Airflow DB should not be decoupled with the RBAC
> database wherever possible).
>
> I wouldn't be too worried about the permissions about refreshing DAGs, as
> far as I know this functionality is no longer required with the new
> webservers which reload state periodically, and will certainly be removed
> when we have a better DAG consistency story.
>
> I think it would also be good to think about this proposal/implementation
> and how it applied in the API-driven world (e.g. when webserver hits APIs
> like /clear on behalf of users instead of running commands against the
> database directly).
>
> On Mon, Jun 12, 2017 at 11:12 AM, Bolke de Bruin <bdbruin@gmail.com>
> wrote:
>
> > Will respond but I'm traveling at the moment. Give me a few days.
> >
> > Sent from my iPhone
> >
> > > On 12 Jun 2017, at 13:39, Chris Riccomini <criccomini@apache.org> wrote:
> > >
> > > Hey all,
> > >
> > > > Checking in on this. We spent a good chunk of time thinking about this,
> > > > and want to move forward with it, but want to make sure we're all on the
> > > > same page.
> > >
> > > Max? Bolke? Dan? Jeremiah?
> > >
> > > Cheers,
> > > Chris
> > >
> > > On Thu, Jun 8, 2017 at 1:49 PM, kalpesh dharwadkar <
> > > kalpeshdharwadkar@gmail.com> wrote:
> > >
> > >> Hello everyone,
> > >>
> > > >> As you all know, currently Airflow doesn’t have a built-in Role Based
> > > >> Access Control (RBAC) capability. It does provide very limited
> > > >> authorization capability by providing admin, data_profiler, and user roles.
> > > >> However, associating these roles to authenticated identities is not a
> > > >> simple effort.
> > > >>
> > > >> To address this issue, I have created a design proposal for building RBAC
> > > >> into Airflow and simplifying user access management via the Airflow UI.
> > > >>
> > > >> The design proposal is located at
> > > >> https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+RBAC+proposal
> > >>
> > >> Any comments/questions/feedback are much appreciated.
> > >>
> > >> Thanks
> > >> Kalpesh
> > >>
> >
>
