Is there a way to combine RBAC with LDAP in Apache Airflow?

Question

I am trying to enforce granular permissions in Airflow against users in Active Directory. Is it possible to authenticate with Active Directory via LDAP and implement security/permission via RBAC (by mapping RBAC Roles to AD Groups/Users)? I understand that LDAP integration offers the ability to map groups to a superuser and a data profiler via the filter configurations (LDAP Documentation). But I am interested in the more granular controls offered through RBAC.

I've been able to connect my Active Directory to Airflow. However, when I try to add RBAC, I am not able to sign in. It seems that the RBAC configuration overrides the LDAP configuration. Has anyone been able to achieve this?

Answer 1

You need to add webserver_config.py at the airflow root folder, where you should set:

# Uncomment this line
flask_appbuilder.security.manager import AUTH_LDAP
....
AUTH_TYPE = AUTH_LDAP
AUTH_LDAP_SERVER = "ldap://localhost:389"

AUTH_LDAP_SEARCH=ou=users,dc=example,dc=org
AUTH_LDAP_BIND_USER=cn=user,ou=app,dc=example,dc=org
AUTH_LDAP_BIND_PASSWORD=pwd

Here https://airflow.apache.org/docs/stable/_modules/airflow/configuration.html you can see that after enabling RBAC, webserver setting are overwritten

WEBSERVER_CONFIG = AIRFLOW_HOME + '/webserver_config.py'

if conf.getboolean('webserver', 'rbac'):
    if not os.path.isfile(WEBSERVER_CONFIG):
        log.info('Creating new FAB webserver config file in: %s', WEBSERVER_CONFIG)
        DEFAULT_WEBSERVER_CONFIG, _ = _read_default_config_file('default_webserver_config.py')
        with open(WEBSERVER_CONFIG, 'w') as file:
            file.write(DEFAULT_WEBSERVER_CONFIG)