I am trying to enforce granular permissions in Airflow against users in Active Directory. Is it possible to authenticate with Active Directory via LDAP and implement security/permission via RBAC (by mapping RBAC Roles to AD Groups/Users)? I understand that LDAP integration offers the ability to map groups to a superuser and a data profiler via the filter configurations (LDAP Documentation). But I am interested in the more granular controls offered through RBAC.
I've been able to connect my Active Directory to Airflow. However, when I try to add RBAC, I am not able to sign in. It seems that the RBAC configuration overrides the LDAP configuration. Has anyone been able to achieve this?
Role-based access control (RBAC) is a general security model that simplifies administration by assigning roles to users and then assigning permissions to those roles. Lightweight Directory Access Protocol (LDAP) is a protocol to implement an RBAC methodology.
This page describes Airflow UI Access Control (also called Airflow Role-Based Access Control, or Airflow RBAC) in Cloud Composer. This feature provides an additional mechanism to separate users in the Airflow UI and DAG UI of your environment.
default credentials -- user: admin - password: admin. How to create airflow users?
You need to add webserver_config.py at the airflow root folder, where you should set:
# Uncomment this line
from flask_appbuilder.security.manager import AUTH_LDAP
# ....
AUTH_TYPE = AUTH_LDAP
AUTH_LDAP_SERVER = "ldap://localhost:389"
AUTH_LDAP_SEARCH = "ou=users,dc=example,dc=org"
AUTH_LDAP_BIND_USER = "cn=user,ou=app,dc=example,dc=org"
AUTH_LDAP_BIND_PASSWORD = "pwd"
Here https://airflow.apache.org/docs/stable/_modules/airflow/configuration.html you can see that after enabling RBAC, the webserver settings are overwritten:
WEBSERVER_CONFIG = AIRFLOW_HOME + '/webserver_config.py'
if conf.getboolean('webserver', 'rbac'):
    if not os.path.isfile(WEBSERVER_CONFIG):
        log.info('Creating new FAB webserver config file in: %s', WEBSERVER_CONFIG)
        DEFAULT_WEBSERVER_CONFIG, _ = _read_default_config_file('default_webserver_config.py')
        with open(WEBSERVER_CONFIG, 'w') as file:
            file.write(DEFAULT_WEBSERVER_CONFIG)
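The AD-group-to-RBAC-role mapping the question asks about, as an added example that is not part of the original answer and is not Airflow or Flask-AppBuilder code. It assumes a mapping in the shape of Flask-AppBuilder's `AUTH_ROLES_MAPPING` setting (group DN to role names); the group DNs, the helper names and the sample `memberOf` values are constructed, and DN comparison assumes no escaped commas inside RDN values.

```python
# Added illustration: not Airflow or Flask-AppBuilder code.
# ROLES_MAPPING has the shape of Flask-AppBuilder's AUTH_ROLES_MAPPING:
# AD group DN -> list of Airflow RBAC role names. The DNs are constructed.
ROLES_MAPPING = {
    "cn=airflow-admins,ou=groups,dc=example,dc=org": ["Admin"],
    "cn=data-eng,ou=groups,dc=example,dc=org": ["Op"],
    "cn=analysts,ou=groups,dc=example,dc=org": ["Viewer"],
}


def normalize_dn(dn):
    """Lower-case a DN and trim spaces around each RDN, so that
    'CN=Data-Eng, OU=Groups' and 'cn=data-eng,ou=groups' compare equal."""
    if isinstance(dn, bytes):  # python-ldap returns attribute values as bytes
        dn = dn.decode("utf-8")
    return ",".join(part.strip() for part in dn.split(",")).lower()


def resolve_roles(member_of, mapping=ROLES_MAPPING):
    """Return the sorted roles granted by a user's memberOf values.
    No matching group means no roles: the caller should refuse the login
    rather than fall back to a default role."""
    wanted = {normalize_dn(dn): roles for dn, roles in mapping.items()}
    roles = set()
    for group in member_of or []:
        roles.update(wanted.get(normalize_dn(group), []))
    return sorted(roles)


def sync_roles(current_roles, member_of, mapping=ROLES_MAPPING):
    """Recompute roles at every login, so that removal from an AD group
    also removes the Airflow role. Returns (granted, revoked)."""
    new = set(resolve_roles(member_of, mapping))
    old = set(current_roles)
    return sorted(new - old), sorted(old - new)


# Constructed sample: memberOf values as Active Directory would return them.
SAMPLE_MEMBER_OF = [
    b"CN=Data-Eng,OU=Groups,DC=example,DC=org",
    b"CN=VPN-Users,OU=Groups,DC=example,DC=org",
]

if __name__ == "__main__":
    print(resolve_roles(SAMPLE_MEMBER_OF))
    print(sync_roles(["Admin", "Op"], SAMPLE_MEMBER_OF))
```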