airflow-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Maxime Beauchemin <>
Subject Re: Securing Connections
Date Fri, 29 Jun 2018 17:18:04 GMT
It certainly sounds doable and similar to the DAG-level access controls in
many ways (see the soon to be merged PR
<>). The new `airflow
sync_perm` CLI command could insure the existence of one perm per "conn_id"
as well as a "all_conn_id" perm.

Now RBAC is a web-only construct at the moment and I think it makes sense
to keep it this way and build upon this assumption. This means that to
check a perm, you need APIs that live only in the new web app: the RBAC
related models are defined by FAB and are available through the
SecurityManager (a FAB construct). This means re-writing the CLI to be
lightweight and operate through REST, authenticate and all that good stuff.
This makes things like a local backfill a bit complicated to think through,
but the solution is probably for the local backfill to operate simply with
a lower-level REST api.

On the path to success we need to have a CLI that can operate without
knowing the decryption key, and the end goal is a CLI that doesn't connect
to the metadata database at all.

Note that we could stub the FAB RBAC models in "Airflow core ("
but personally I think leaving that on the web only and going through the
(yet-to-be-built) REST API is the way to go.

Also note that the current DAG-level access control only implements the web
restrictions at the moment, none of it is applied at the CLI level, that
has yet to be done.

Another thought: it may make sense to break off `airflow-cli` as its own
package though there are pros/cons here.


On Fri, Jun 29, 2018 at 9:19 AM Naik Kaxil <> wrote:

> I would like to get thoughts on how you guys secure connections i.e.
> Role-based control of connection. For example I don’t want Person A to use
> connection X, or in other words I only want Person B to have access of
> connection X.
> With RBAC in the master, it is possible but how do you guys achieve it in
> version 1.9.0?
> Regards,
> Kaxil
> Kaxil Naik
> Data Reply
> 2nd Floor, Nova South
> 160 Victoria Street, Westminster
> London SW1E 5LB - UK
> phone: +44 (0)20 7730 6000
> [image: Data Reply]

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message