Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is there a way to combine RBAC with LDAP in Apache Airflow?

I am trying to enforce granular permissions in Airflow against users in Active Directory. Is it possible to authenticate with Active Directory via LDAP and implement security/permission via RBAC (by mapping RBAC Roles to AD Groups/Users)? I understand that LDAP integration offers the ability to map groups to a superuser and a data profiler via the filter configurations (LDAP Documentation). But I am interested in the more granular controls offered through RBAC.

I've been able to connect my Active Directory to Airflow. However, when I try to add RBAC, I am not able to sign in. It seems that the RBAC configuration overrides the LDAP configuration. Has anyone been able to achieve this?

like image 617
Brandon Avatar asked Dec 01 '19 07:12

Brandon


People also ask

Is RBAC LDAP?

Role-based access control (RBAC) is a general security model that simplifies administration by assigning roles to users and then assigning permissions to those roles. Lightweight Directory Access Protocol (LDAP) is a protocol to implement an RBAC methodology.

What is Rbac in airflow?

This page describes Airflow UI Access Control (also called Airflow Role-Based Access Control, or Airflow RBAC) in Cloud Composer. This feature provides an additional mechanism to separate users in the Airflow UI and DAG UI of your environment.

What is airflow username and password?

default credentials -- user: admin - password: admin. How to create airflow users?


1 Answers

You need to add webserver_config.py at the airflow root folder, where you should set:

# Uncomment this line
flask_appbuilder.security.manager import AUTH_LDAP
....
AUTH_TYPE = AUTH_LDAP
AUTH_LDAP_SERVER = "ldap://localhost:389"

AUTH_LDAP_SEARCH=ou=users,dc=example,dc=org
AUTH_LDAP_BIND_USER=cn=user,ou=app,dc=example,dc=org
AUTH_LDAP_BIND_PASSWORD=pwd

Here https://airflow.apache.org/docs/stable/_modules/airflow/configuration.html you can see that after enabling RBAC, webserver setting are overwritten

WEBSERVER_CONFIG = AIRFLOW_HOME + '/webserver_config.py'

if conf.getboolean('webserver', 'rbac'):
    if not os.path.isfile(WEBSERVER_CONFIG):
        log.info('Creating new FAB webserver config file in: %s', WEBSERVER_CONFIG)
        DEFAULT_WEBSERVER_CONFIG, _ = _read_default_config_file('default_webserver_config.py')
        with open(WEBSERVER_CONFIG, 'w') as file:
            file.write(DEFAULT_WEBSERVER_CONFIG)
like image 120
user2455668 Avatar answered Sep 19 '22 01:09

user2455668