I am trying to enable Airflow LDAP authentication with RBAC features and did the following changes: set rbac = true and removed authentication = True under the [webserver] section (in the AIRFLOW_HOME directory). The webserver_config.py file contains:
import os
from airflow import configuration as conf
from flask_appbuilder.security.manager import AUTH_LDAP
basedir = os.path.abspath(os.path.dirname(__file__))
SQLALCHEMY_DATABASE_URI = conf.get('core', 'SQL_ALCHEMY_CONN')
CSRF_ENABLED = True
AUTH_TYPE = AUTH_LDAP
AUTH_ROLE_ADMIN = 'Admin'
# Unknown users are created on first successful LDAP login ...
AUTH_USER_REGISTRATION = True
# ... and every one of them receives this role
AUTH_USER_REGISTRATION_ROLE = "Admin"
AUTH_LDAP_SERVER = 'ldaps://ldap.xxx.yyy.net:636'
AUTH_LDAP_SEARCH = "ou=Users,o=corp"
AUTH_LDAP_BIND_USER = 'cn=ldap-proxy,ou=Users,o=corp'
AUTH_LDAP_BIND_PASSWORD = 'YOUR_PASSWORD'
AUTH_LDAP_UID_FIELD = 'uid'
AUTH_LDAP_USE_TLS = False
AUTH_LDAP_ALLOW_SELF_SIGNED = False
AUTH_LDAP_TLS_CACERTFILE = '/etc/ssl/certs/ldap.crt'
After the above changes, we are able to log in to Airflow with LDAP credentials. But the problem is that all the users have the Admin role after self-registration, because we have given this value in AUTH_USER_REGISTRATION_ROLE = "Admin".
How can we dynamically assign the AUTH_USER_REGISTRATION_ROLE based on the user's LDAP role?
We have different users like tester, developer and operations user, but with the above webserver config file all users are automatically assigned the Admin role via Flask_appbuilder.security in the manager.py file.
Is there any way to create a customized manager file and, at login, refer to this customized file instead of Flask_appbuilder.security.manager.py?
You can try using AUTH_LDAP_SEARCH_FILTER:
"Filter or limit allowable users from the LDAP server, e.g., only the people on your team. AUTH_LDAP_SEARCH_FILTER = "(memberOf=cn=group name,OU=type,cn=ex ,cn=com)""
From: https://github.com/dpgaspar/Flask-AppBuilder/blob/master/docs/config.rst
Airflow >= 1.10 uses FlaskAppBuilder for RBAC auth.
Have not tested it yet though.
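The search filter above only decides who may log in at all; the question is really about which role each user ends up with afterwards. The following is an added example (not code from the question, the answer, Airflow or Flask-AppBuilder) of the group-to-role logic a custom security manager would run at every login: it canonicalises the memberOf DNs the directory returns, maps known groups to Airflow roles, falls back to the least-privileged role instead of Admin when no group matches, and computes which roles to add and remove so that a user who leaves a group also loses the role. The group DNs, role names and sample users are constructed assumptions.

```python
"""Map LDAP group membership to Airflow roles at login.

Constructed example: the group DNs, Airflow role names and sample users below
are assumptions for illustration, not values from the question or from
Flask-AppBuilder's own code.
"""
from typing import Dict, Iterable, List, Tuple

# Assumed LDAP group DN -> Airflow roles. Groups not listed here grant nothing.
ROLE_MAPPING: Dict[str, List[str]] = {
    "cn=airflow-admins,ou=groups,o=corp": ["Admin"],
    "cn=airflow-developers,ou=groups,o=corp": ["Op"],
    "cn=airflow-testers,ou=groups,o=corp": ["Viewer"],
}

# Least-privilege fallback for an authenticated user who is in no mapped group.
DEFAULT_ROLES: List[str] = ["Viewer"]


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: lower-case, trim spaces around RDNs.

    Attribute names and most directory values match case-insensitively, and
    memberOf values come back with varying spacing, so a raw string compare
    against the mapping would silently miss groups. Escaped commas inside
    attribute values are not handled by this simple splitter.
    """
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if sep:
            rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
        else:
            rdns.append(part.strip().lower())
    return ",".join(rdns)


def roles_for_groups(member_of: Iterable[str],
                     mapping: Dict[str, List[str]] = ROLE_MAPPING,
                     default: List[str] = DEFAULT_ROLES) -> List[str]:
    """Return the Airflow roles a user should hold given its memberOf values.

    Order follows the order of the memberOf values; duplicates are dropped.
    """
    roles: List[str] = []
    for group in member_of:
        for role in mapping.get(normalize_dn(group), []):
            if role not in roles:
                roles.append(role)
    return roles or list(default)


def is_in_group(member_of: Iterable[str], group_dn: str) -> bool:
    """The same membership test the memberOf search filter expresses, in Python."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(g) == target for g in member_of)


def role_changes(current_roles: Iterable[str], member_of: Iterable[str],
                 mapping: Dict[str, List[str]] = ROLE_MAPPING,
                 default: List[str] = DEFAULT_ROLES) -> Tuple[List[str], List[str]]:
    """Roles to add and to remove so the user's roles match its LDAP groups.

    Running this on every login (not only at self-registration) is what keeps a
    role from outliving the group membership that justified it.
    """
    current = list(current_roles)
    wanted = roles_for_groups(member_of, mapping, default)
    to_add = [r for r in wanted if r not in current]
    to_remove = [r for r in current if r not in wanted]
    return to_add, to_remove


if __name__ == "__main__":
    # Constructed sample: a user registered as Admin earlier, but the directory
    # now only lists them in the testers group.
    member_of = ["CN=Airflow-Testers, OU=Groups, O=corp"]
    print(roles_for_groups(member_of))            # ['Viewer']
    print(role_changes(["Admin"], member_of))      # (['Viewer'], ['Admin'])
    print(roles_for_groups(["cn=unknown,ou=groups,o=corp"]))  # ['Viewer']
```

To plug this into Airflow, the functions would live in a subclass of Airflow's security manager that overrides the LDAP login hook to read the user's memberOf attribute and apply role_changes; the exact base class, import path and setting name depend on the Airflow and Flask-AppBuilder versions in use, so treat those as something to confirm against your installed version rather than as given here.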