Work in progress. Feedback welcome.
Several Airflow users have a need for more rigorous security in Airflow. Part of this involves authentication (authn) and authorization (authz) in Airflow's UI. The current security problems with Airflow's UI are:
- Everything is under /admin
- There is very limited authorization functionality
There is no auditing about who is triggering an action via the UI
It looks like airflow.www.utils contains an annotation method called action_logging, which logs actions!
The goal of this document is to address these issues.
The idea is to add a new endpoint called /dags, which is parallel to the /admin UI. This UI will use the same template as the existing DAGs UI in /admin. It will not, however, have any other tabs (Data Profiling, Browse, Admin).
We will need to lock down several pages in the Airflow view class. The pages that are exposed would be:
And perhaps a couple others that I'm missing. The point is that we'd limit the access in the /dags view pretty severely. We'll create a /dags route with: /dags, /dags/refresh, /dags/tree, etc.
We will introduce three levels of access:
- dag_viewer: Can see everything associated with a given DAG.
- dag_editor: Can edit the status of tasks in a DAG.
- dag_executor: Can click the 'Run' button on a task to have it triggered immediately. Only works for CeleryExecutor.
We will add the concept of groups. Users can be a member of a group. Both groups and members can be assigned DAG access permissions.
Airflow already uses Flask-Login, so we can use this as the login mechanism. Airflow already has LDAP and Kerberos backends (as well as a GitHub backend).
We will need to:
- Add the three Flask-Principal needs that map to the roles above
- Hook Flask-Principal up to Flask-Login by sending proper signals
- Update views to adhere to Flask-Principal permissions
We might want to extend the Airflow view so that we can add Flask-Principal annotations without affecting the underlying Airflow view (to remain backwards compatible for the time being). I'm not sure how feasible this is yet. Given that none of the above routes are locked down, other than @login_required, I believe it should work.