o-nikolas commented on code in PR #36211: URL: https://github.com/apache/airflow/pull/36211#discussion_r1425751100
########## docs/apache-airflow/core-concepts/auth-manager.rst: ########## @@ -0,0 +1,174 @@ + .. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + .. http://www.apache.org/licenses/LICENSE-2.0 + + .. Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + +Auth manager Review Comment: Expand Auth here and in first usage below? ########## docs/apache-airflow-providers-fab/auth-manager/index.rst: ########## @@ -18,4 +18,13 @@ Fab auth manager Review Comment: Maybe here and in the first usage in the sentence below expand the FAB acronym to Flask AppBuilder and use "authentication/authorization" instead of auth. ########## docs/apache-airflow-providers-fab/auth-manager/index.rst: ########## @@ -18,4 +18,13 @@ Fab auth manager ================ -To be written +Fab auth manager is the auth manager that comes by default with Airflow. This auth manager defines the user authentication and user authorization by default in Airflow. +The backend used to store all entities used by the Fab auth manager is the Airflow database: :doc:`/database-erd-ref`. Review Comment: All caps acronym? (here and elsewhere?) ```suggestion The backend used to store all entities used by the FAB auth manager is the Airflow database: :doc:`/database-erd-ref`. ``` ########## docs/apache-airflow/security/webserver.rst: ########## @@ -53,218 +53,8 @@ See :ref:`security:mask-sensitive-values` for more details. Web Authentication ------------------ -By default, Airflow requires users to specify a password prior to login. You can use the -following CLI commands to create an account: - -.. code-block:: bash - - # create an admin user - airflow users create \ - --username admin \ - --firstname Peter \ - --lastname Parker \ - --role Admin \ - --email spider...@superhero.org - -To deactivate the authentication and allow users to be identified as Anonymous, the following entry -in ``$AIRFLOW_HOME/webserver_config.py`` needs to be set with the desired role that the Anonymous -user will have by default: - -.. code-block:: ini - - AUTH_ROLE_PUBLIC = 'Admin' - -Be sure to checkout :doc:`/security/api` for securing the API. - -.. note:: - - Airflow uses the config parser of Python. This config parser interpolates - '%'-signs. Make sure escape any ``%`` signs in your config file (but not - environment variables) as ``%%``, otherwise Airflow might leak these - passwords on a config parser exception to a log. - -Password -'''''''' - -One of the simplest mechanisms for authentication is requiring users to specify a password before logging in. - -Please use command line interface ``airflow users create`` to create accounts, or do that in the UI. - -Other Methods -''''''''''''' - -Since Airflow 2.0, the default UI is the Flask App Builder RBAC. A ``webserver_config.py`` configuration file -is automatically generated and can be used to configure the Airflow to support authentication -methods like OAuth, OpenID, LDAP, REMOTE_USER. It should be noted that due to the limitation of Flask AppBuilder -and Authlib, only a selection of OAuth2 providers is supported. This list includes ``github``, ``githublocal``, ``twitter``, -``linkedin``, ``google``, ``azure``, ``openshift``, ``okta``, ``keycloak`` and ``keycloak_before_17``. - -The default authentication option described in the :ref:`Web Authentication <web-authentication>` section is related -with the following entry in the ``$AIRFLOW_HOME/webserver_config.py``. - -.. code-block:: ini - - AUTH_TYPE = AUTH_DB - -A WSGI middleware could be used to manage very specific forms of authentication -(e.g. `SPNEGO <https://www.ibm.com/docs/en/was-liberty/core?topic=authentication-single-sign-http-requests-using-spnego-web>`_) -and leverage the REMOTE_USER method: - -.. code-block:: python - - from typing import Any, Callable - - from flask import current_app - from flask_appbuilder.const import AUTH_REMOTE_USER - - - class CustomMiddleware: - def __init__(self, wsgi_app: Callable) -> None: - self.wsgi_app = wsgi_app - - def __call__(self, environ: dict, start_response: Callable) -> Any: - # Custom authenticating logic here - # ... - environ["REMOTE_USER"] = "username" - return self.wsgi_app(environ, start_response) - - - current_app.wsgi_app = CustomMiddleware(current_app.wsgi_app) - - AUTH_TYPE = AUTH_REMOTE_USER - -Another way to create users is in the UI login page, allowing user self registration through a "Register" button. -The following entries in the ``$AIRFLOW_HOME/webserver_config.py`` can be edited to make it possible: - -.. code-block:: ini - - AUTH_USER_REGISTRATION = True - AUTH_USER_REGISTRATION_ROLE = "Desired Role For The Self Registered User" - RECAPTCHA_PRIVATE_KEY = 'private_key' - RECAPTCHA_PUBLIC_KEY = 'public_key' - - MAIL_SERVER = 'smtp.gmail.com' - MAIL_USE_TLS = True - MAIL_USERNAME = 'yourappem...@gmail.com' - MAIL_PASSWORD = 'passwordformail' - MAIL_DEFAULT_SENDER = 'sen...@gmail.com' - -The package ``Flask-Mail`` needs to be installed through pip to allow user self registration since it is a -feature provided by the framework Flask-AppBuilder. - -To support authentication through a third-party provider, the ``AUTH_TYPE`` entry needs to be updated with the -desired option like OAuth, OpenID, LDAP, and the lines with references for the chosen option need to have -the comments removed and configured in the ``$AIRFLOW_HOME/webserver_config.py``. - -For more details, please refer to -`Security section of FAB documentation <https://flask-appbuilder.readthedocs.io/en/latest/security.html>`_. - -Example using team based Authorization with GitHub OAuth -'''''''''''''''''''''''''''''''''''''''''''''''''''''''' -There are a few steps required in order to use team-based authorization with GitHub OAuth. - -* configure OAuth through the FAB config in webserver_config.py -* create a custom security manager class and supply it to FAB in webserver_config.py -* map the roles returned by your security manager class to roles that FAB understands. - -Here is an example of what you might have in your webserver_config.py: - -.. code-block:: python - - from airflow.auth.managers.fab.security_manager.override import FabAirflowSecurityManagerOverride - from flask_appbuilder.security.manager import AUTH_OAUTH - import os - - AUTH_TYPE = AUTH_OAUTH - AUTH_ROLES_SYNC_AT_LOGIN = True # Checks roles on every login - AUTH_USER_REGISTRATION = True # allow users who are not already in the FAB DB to register - - AUTH_ROLES_MAPPING = { - "Viewer": ["Viewer"], - "Admin": ["Admin"], - } - # If you wish, you can add multiple OAuth providers. - OAUTH_PROVIDERS = [ - { - "name": "github", - "icon": "fa-github", - "token_key": "access_token", - "remote_app": { - "client_id": os.getenv("OAUTH_APP_ID"), - "client_secret": os.getenv("OAUTH_APP_SECRET"), - "api_base_url": "https://api.github.com", - "client_kwargs": {"scope": "read:user, read:org"}, - "access_token_url": "https://github.com/login/oauth/access_token", - "authorize_url": "https://github.com/login/oauth/authorize", - "request_token_url": None, - }, - }, - ] - - - class CustomSecurityManager(FabAirflowSecurityManagerOverride): - pass - - - # Make sure to replace this with your own implementation of AirflowSecurityManager class - SECURITY_MANAGER_CLASS = CustomSecurityManager - -Here is an example of defining a custom security manager. -This class must be available in Python's path, and could be defined in -webserver_config.py itself if you wish. - -.. code-block:: python - - from airflow.auth.managers.fab.security_manager.override import FabAirflowSecurityManagerOverride - import logging - from typing import Any, List, Union - import os - - log = logging.getLogger(__name__) - log.setLevel(os.getenv("AIRFLOW__LOGGING__FAB_LOGGING_LEVEL", "INFO")) - - FAB_ADMIN_ROLE = "Admin" - FAB_VIEWER_ROLE = "Viewer" - FAB_PUBLIC_ROLE = "Public" # The "Public" role is given no permissions - TEAM_ID_A_FROM_GITHUB = 123 # Replace these with real team IDs for your org - TEAM_ID_B_FROM_GITHUB = 456 # Replace these with real team IDs for your org - - - def team_parser(team_payload: dict[str, Any]) -> list[int]: - # Parse the team payload from GitHub however you want here. - return [team["id"] for team in team_payload] - - - def map_roles(team_list: list[int]) -> list[str]: - # Associate the team IDs with Roles here. - # The expected output is a list of roles that FAB will use to Authorize the user. - - team_role_map = { - TEAM_ID_A_FROM_GITHUB: FAB_ADMIN_ROLE, - TEAM_ID_B_FROM_GITHUB: FAB_VIEWER_ROLE, - } - return list(set(team_role_map.get(team, FAB_PUBLIC_ROLE) for team in team_list)) - - - class GithubTeamAuthorizer(FabAirflowSecurityManagerOverride): - # In this example, the oauth provider == 'github'. - # If you ever want to support other providers, see how it is done here: - # https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/manager.py#L550 - def get_oauth_user_info(self, provider: str, resp: Any) -> dict[str, Union[str, list[str]]]: - # Creates the user info payload from Github. - # The user previously allowed your app to act on their behalf, - # so now we can query the user and teams endpoints for their data. - # Username and team membership are added to the payload and returned to FAB. - - remote_app = self.appbuilder.sm.oauth_remotes[provider] - me = remote_app.get("user") - user_data = me.json() - team_data = remote_app.get("user/teams") - teams = team_parser(team_data.json()) - roles = map_roles(teams) - log.debug(f"User info from Github: {user_data}\nTeam info from Github: {teams}") - return {"username": "github_" + user_data.get("login"), "role_keys": roles} - +The webserver authentication is handled by the auth manager. For more information about the webserver authentication, please refer to the auth manager documentation used by your environment. Review Comment: ```suggestion The webserver authentication is handled by the auth manager. For more information about webserver authentication, please refer to the auth manager documentation used by your environment. ``` ########## docs/apache-airflow/core-concepts/auth-manager.rst: ########## @@ -0,0 +1,174 @@ + .. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + .. http://www.apache.org/licenses/LICENSE-2.0 + + .. Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + +Auth manager +============ + +Auth manager is the component in Airflow to handle user authentication and user authorization. They have a common +API and are "pluggable", meaning you can swap auth managers based on your installation needs. + +Airflow can only have one auth manager configured at a time; this is set by the ``auth_manager`` option in the +``[core]`` section of :doc:`the configuration file </howto/set-config>`. + +.. note:: + For more information on Airflow's configuration, see :doc:`/howto/set-config`. + +If you want to check which auth manager is currently set, you can use the +``airflow config get-value core auth_manager`` command: + +.. code-block:: bash + + $ airflow config get-value core auth_manager + airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager + + +Why different auth managers? +---------------------------- + +Airflow is used by a lot of different users with a lot of different configurations. Some Airflow environment might be Review Comment: ```suggestion Airflow is used by a lot of different users with many different configurations. Some Airflow environments might be ``` ########## docs/apache-airflow/core-concepts/auth-manager.rst: ########## @@ -0,0 +1,174 @@ + .. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + .. http://www.apache.org/licenses/LICENSE-2.0 + + .. Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + +Auth manager +============ + +Auth manager is the component in Airflow to handle user authentication and user authorization. They have a common +API and are "pluggable", meaning you can swap auth managers based on your installation needs. + +Airflow can only have one auth manager configured at a time; this is set by the ``auth_manager`` option in the +``[core]`` section of :doc:`the configuration file </howto/set-config>`. + +.. note:: + For more information on Airflow's configuration, see :doc:`/howto/set-config`. + +If you want to check which auth manager is currently set, you can use the +``airflow config get-value core auth_manager`` command: + +.. code-block:: bash + + $ airflow config get-value core auth_manager + airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager + + +Why different auth managers? +---------------------------- + +Airflow is used by a lot of different users with a lot of different configurations. Some Airflow environment might be +used by only one user and some might be used by thousand of users. An Airflow environment with only one (or very few) +users does not need the same user management as an environment used by thousand of them. + +This is why the whole user management (user authentication and user authorization) is packaged in one component +called auth manager. So that it is easy to plug-and-play an auth manager that suits your specific needs. + +By default, Airflow comes with the :doc:`apache-airflow-providers-fab:auth-manager`. + +.. note:: + Switching to a different auth manager is a heavy operation and should be considered as such. It will + impact users of the environment. The sign-in and sign-off experience will very likely change and disturb them if + they are not advised. Plus, all current users and permissions will have to be copied over from the previous auth + manager to the next. + +Writing Your Own Executor +------------------------- + +All Airflow auth managers implement a common interface so that they are pluggable and any auth manager has access +to all abilities and integrations within Airflow. This interface is used across Airflow to perform all user +authentication and user authorization related operation. + +The public interface is the :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager`. +You can look through the code for the most detailed and up to date interface, but some important highlights are +outlined below. + +.. note:: + For more information about Airflow's public interface see :doc:`/public-airflow-interface`. + +Some reasons you may want to write a custom executor include: + +* An auth manager does not exist which fits your specific use case, such as a specific tool or service for user management. +* You'd like to use an auth manager that leverages an identity provider from your preferred cloud provider. +* You have a private user management tool that is only available to you or your organization. + + +Authentication related BaseAuthManager methods +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* ``is_logged_in``: Return whether the user user is signed-in. +* ``get_user``: Return the signed-in user. +* ``get_url_login``: Return the URL the user is redirected to for signing in. +* ``get_url_logout``: Return the URL the user is redirected to for signing out. + +Authorization related BaseAuthManager methods +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Most of authorization methods in :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager` look the same. +Let's go over the different parameters used by most of these methods. + +* ``method``: Use HTTP method naming to determine the type of action being done on a specific resource. + + * ``GET``: Can the user read the resource? + * ``POST``: Can the user create a resource? + * ``PUT``: Can the user modify the resource? + * ``DELETE``: Can the user delete the resource? + +* ``details``: Optional details about the resource being accessed. +* ``user``: The user trying to access the resource. + +These authorization methods are: + +* ``is_authorized_configuration``: Return whether the user is authorized to access Airflow configuration. Some details about the configuration can be provided (e.g. the config section). +* ``is_authorized_connection``: Return whether the user is authorized to access Airflow connections. Some details about the connection can be provided (e.g. the connection ID). +* ``is_authorized_dag``: Return whether the user is authorized to access a DAG. Some details about the DAG can be provided (e.g. the DAG ID). + Also, ``is_authorized_dag`` is called for any entity related to DAGs (e.g. task instances, dag runs, ...). This information is passed in ``access_entity``. + Example: ``auth_manager.is_authorized_dag(method="GET", access_entity=DagAccessEntity.Run, details=DagDetails(id="dag-1"))`` asks + whether the user has permission to read the Dag runs of the dag "dag-1". +* ``is_authorized_dataset``: Return whether the user is authorized to access Airflow datasets. Some details about the dataset can be provided (e.g. the dataset uri). +* ``is_authorized_pool``: Return whether the user is authorized to access Airflow pools. Some details about the pool can be provided (e.g. the pool name). +* ``is_authorized_variable``: Return whether the user is authorized to access Airflow variables. Some details about the variable can be provided (e.g. the variable key). +* ``is_authorized_view``: Return whether the user is authorized to access a specific view in Airflow. The view is specified through ``access_view`` (e.g. ``AccessView.CLUSTER_ACTIVITY``). + +Optional methods recommended to override for optimization +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The following methods aren't required to override to have a functional Airflow auth manager. However, it is recommended to override these to make your auth manager faster (and potentially less costly): + +* ``batch_is_authorized_dag``: Batch version of ``is_authorized_dag``. If not overridden, it will call ``is_authorized_dag`` for every single item. +* ``batch_is_authorized_connection``: Batch version of ``is_authorized_connection``. If not overridden, it will call ``is_authorized_connection`` for every single item. +* ``batch_is_authorized_pool``: Batch version of ``is_authorized_pool``. If not overridden, it will call ``is_authorized_pool`` for every single item. +* ``batch_is_authorized_variable``: Batch version of ``is_authorized_variable``. If not overridden, it will call ``is_authorized_variable`` for every single item. +* ``get_permitted_dag_ids``: Return the list of DAG IDs the user has access to. If not overridden, it will call ``is_authorized_dag`` for every single DAG available in the environment. + +CLI +^^^ + +Auth managers may vend CLI commands which will be included in the ``airflow`` command line tool by implementing the ``get_cli_commands`` method. The commands can be used to setup required resources. Commands are only vended for the currently configured auth manager. A pseudo-code example of implementing CLI command vending from an auth manager can be seen below: + +.. code-block:: python + + @staticmethod + def get_cli_commands() -> list[CLICommand]: + sub_commands = [ + ActionCommand( + name="command_name", + help="Description of what this specific command does", + func=lazy_load_command("path.to.python.function.for.command"), + args=(), + ), + ] + + return [ + GroupCommand( + name="my_cool_auth_manager", + help="Description of what this group of commands do", + subcommands=sub_commands, + ), + ] + +.. note:: + Currently there are no strict rules in place for the Airflow command namespace. It is up to developers to use names for their CLI commands that are sufficiently unique so as to not cause conflicts with other Airflow components. + +.. note:: + When creating a new auth manager, or updating any existing auth manager, be sure to not import or execute any expensive operations/code at the module level. Auth manager classes are imported in several places and if they are slow to import this will negatively impact the performance of your Airflow environment, especially for CLI commands. + +Rest API +^^^^^^^^ + +Auth managers may vend Rest API endpoints which will be included in the :doc:`/stable-rest-api-ref` by implementing the ``get_api_endpoints`` method. The endpoints can be used to manage resources such as users, groups, roles (if any) handled by your auth manager. Endpoints are only vended for the currently configured auth manager. + +Next Steps +^^^^^^^^^^ + +Once you have created a new executor class implementing the :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager` interface, you can configure Airflow to use it by setting the ``core.auth_manager`` configuration value to the module path of your auth manager: Review Comment: copy/paste error ########## docs/apache-airflow/core-concepts/auth-manager.rst: ########## @@ -0,0 +1,174 @@ + .. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + .. http://www.apache.org/licenses/LICENSE-2.0 + + .. Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + +Auth manager +============ + +Auth manager is the component in Airflow to handle user authentication and user authorization. They have a common +API and are "pluggable", meaning you can swap auth managers based on your installation needs. + +Airflow can only have one auth manager configured at a time; this is set by the ``auth_manager`` option in the +``[core]`` section of :doc:`the configuration file </howto/set-config>`. + +.. note:: + For more information on Airflow's configuration, see :doc:`/howto/set-config`. + +If you want to check which auth manager is currently set, you can use the +``airflow config get-value core auth_manager`` command: + +.. code-block:: bash + + $ airflow config get-value core auth_manager + airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager + + +Why different auth managers? +---------------------------- + +Airflow is used by a lot of different users with a lot of different configurations. Some Airflow environment might be +used by only one user and some might be used by thousand of users. An Airflow environment with only one (or very few) +users does not need the same user management as an environment used by thousand of them. + +This is why the whole user management (user authentication and user authorization) is packaged in one component +called auth manager. So that it is easy to plug-and-play an auth manager that suits your specific needs. + +By default, Airflow comes with the :doc:`apache-airflow-providers-fab:auth-manager`. + +.. note:: + Switching to a different auth manager is a heavy operation and should be considered as such. It will + impact users of the environment. The sign-in and sign-off experience will very likely change and disturb them if + they are not advised. Plus, all current users and permissions will have to be copied over from the previous auth + manager to the next. + +Writing Your Own Executor +------------------------- + +All Airflow auth managers implement a common interface so that they are pluggable and any auth manager has access +to all abilities and integrations within Airflow. This interface is used across Airflow to perform all user +authentication and user authorization related operation. + +The public interface is the :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager`. Review Comment: ```suggestion The public interface is :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager`. ``` ########## docs/apache-airflow/core-concepts/auth-manager.rst: ########## @@ -0,0 +1,174 @@ + .. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + .. http://www.apache.org/licenses/LICENSE-2.0 + + .. Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + +Auth manager +============ + +Auth manager is the component in Airflow to handle user authentication and user authorization. They have a common +API and are "pluggable", meaning you can swap auth managers based on your installation needs. + +Airflow can only have one auth manager configured at a time; this is set by the ``auth_manager`` option in the +``[core]`` section of :doc:`the configuration file </howto/set-config>`. + +.. note:: + For more information on Airflow's configuration, see :doc:`/howto/set-config`. + +If you want to check which auth manager is currently set, you can use the +``airflow config get-value core auth_manager`` command: + +.. code-block:: bash + + $ airflow config get-value core auth_manager + airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager + + +Why different auth managers? Review Comment: Also, maybe expand Auth here? ```suggestion Why Pluggable Auth Managers? ``` ########## docs/apache-airflow/core-concepts/auth-manager.rst: ########## @@ -0,0 +1,174 @@ + .. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + .. http://www.apache.org/licenses/LICENSE-2.0 + + .. Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + +Auth manager +============ + +Auth manager is the component in Airflow to handle user authentication and user authorization. They have a common +API and are "pluggable", meaning you can swap auth managers based on your installation needs. + +Airflow can only have one auth manager configured at a time; this is set by the ``auth_manager`` option in the +``[core]`` section of :doc:`the configuration file </howto/set-config>`. + +.. note:: + For more information on Airflow's configuration, see :doc:`/howto/set-config`. + +If you want to check which auth manager is currently set, you can use the +``airflow config get-value core auth_manager`` command: + +.. code-block:: bash + + $ airflow config get-value core auth_manager + airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager + + +Why different auth managers? +---------------------------- + +Airflow is used by a lot of different users with a lot of different configurations. Some Airflow environment might be +used by only one user and some might be used by thousand of users. An Airflow environment with only one (or very few) +users does not need the same user management as an environment used by thousand of them. + +This is why the whole user management (user authentication and user authorization) is packaged in one component +called auth manager. So that it is easy to plug-and-play an auth manager that suits your specific needs. + +By default, Airflow comes with the :doc:`apache-airflow-providers-fab:auth-manager`. + +.. note:: + Switching to a different auth manager is a heavy operation and should be considered as such. It will + impact users of the environment. The sign-in and sign-off experience will very likely change and disturb them if + they are not advised. Plus, all current users and permissions will have to be copied over from the previous auth + manager to the next. + +Writing Your Own Executor Review Comment: Copy/pasta error. This also makes me realize your titles aren't all caps, do we want to stick with that or capitalize like this one is? ########## docs/apache-airflow/core-concepts/auth-manager.rst: ########## @@ -0,0 +1,174 @@ + .. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + .. http://www.apache.org/licenses/LICENSE-2.0 + + .. Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + +Auth manager +============ + +Auth manager is the component in Airflow to handle user authentication and user authorization. They have a common +API and are "pluggable", meaning you can swap auth managers based on your installation needs. + +Airflow can only have one auth manager configured at a time; this is set by the ``auth_manager`` option in the +``[core]`` section of :doc:`the configuration file </howto/set-config>`. + +.. note:: + For more information on Airflow's configuration, see :doc:`/howto/set-config`. + +If you want to check which auth manager is currently set, you can use the +``airflow config get-value core auth_manager`` command: + +.. code-block:: bash + + $ airflow config get-value core auth_manager + airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager + + +Why different auth managers? +---------------------------- + +Airflow is used by a lot of different users with a lot of different configurations. Some Airflow environment might be +used by only one user and some might be used by thousand of users. An Airflow environment with only one (or very few) +users does not need the same user management as an environment used by thousand of them. + +This is why the whole user management (user authentication and user authorization) is packaged in one component +called auth manager. So that it is easy to plug-and-play an auth manager that suits your specific needs. + +By default, Airflow comes with the :doc:`apache-airflow-providers-fab:auth-manager`. + +.. note:: + Switching to a different auth manager is a heavy operation and should be considered as such. It will + impact users of the environment. The sign-in and sign-off experience will very likely change and disturb them if + they are not advised. Plus, all current users and permissions will have to be copied over from the previous auth + manager to the next. + +Writing Your Own Executor +------------------------- + +All Airflow auth managers implement a common interface so that they are pluggable and any auth manager has access +to all abilities and integrations within Airflow. This interface is used across Airflow to perform all user +authentication and user authorization related operation. + +The public interface is the :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager`. +You can look through the code for the most detailed and up to date interface, but some important highlights are +outlined below. + +.. note:: + For more information about Airflow's public interface see :doc:`/public-airflow-interface`. + +Some reasons you may want to write a custom executor include: + +* An auth manager does not exist which fits your specific use case, such as a specific tool or service for user management. +* You'd like to use an auth manager that leverages an identity provider from your preferred cloud provider. +* You have a private user management tool that is only available to you or your organization. + + +Authentication related BaseAuthManager methods +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* ``is_logged_in``: Return whether the user user is signed-in. Review Comment: ```suggestion * ``is_logged_in``: Return whether the user is signed-in. ``` ########## docs/apache-airflow/security/api.rst: ########## @@ -21,126 +21,11 @@ API API Authentication ------------------ -Authentication for the API is handled separately to the Web Authentication. The default is to -check the user session: - -.. code-block:: ini - - [api] - auth_backends = airflow.api.auth.backend.session - -.. versionchanged:: 1.10.11 - - In Airflow <1.10.11, the default setting was to allow all API requests without authentication, but this - posed security risks for if the Webserver is publicly accessible. - -.. versionchanged:: 2.3.0 - - In Airflow <2.3.0 this setting was ``auth_backend`` and allowed only one - value. In 2.3.0 it was changed to support multiple backends that are tried - in turn. - -If you want to check which authentication backends are currently set, you can use ``airflow config get-value api auth_backends`` -command as in the example below. - -.. code-block:: console - - $ airflow config get-value api auth_backends - airflow.api.auth.backend.basic_auth - -Disable authentication -'''''''''''''''''''''' - -If you wish to have the experimental API work, and aware of the risks of enabling this without authentication -(or if you have your own authentication layer in front of Airflow) you can set the following in ``airflow.cfg``: - -.. code-block:: ini - - [api] - auth_backends = airflow.api.auth.backend.default - -.. note:: - - You can only disable authentication for experimental API, not the stable REST API. - -See :doc:`../administration-and-deployment/modules_management` for details on how Python and Airflow manage modules. - -Kerberos authentication -''''''''''''''''''''''' - -Kerberos authentication is currently supported for the API. - -To enable Kerberos authentication, set the following in the configuration: - -.. code-block:: ini - - [api] - auth_backends = airflow.api.auth.backend.kerberos_auth - - [kerberos] - keytab = <KEYTAB> - -The Kerberos service is configured as ``airflow/fully.qualified.domainname@REALM``. Make sure this -principal exists in the keytab file. - -You have to make sure to name your users with the kerberos full username/realm in order to make it -works. This means that your user name should be ``user_name@KERBEROS-REALM``. - -Basic authentication -'''''''''''''''''''' - -`Basic username password authentication <https://en.wikipedia.org/wiki/Basic_access_authentication>`_ is currently -supported for the API. This works for users created through LDAP login or -within Airflow Metadata DB using password. - -To enable basic authentication, set the following in the configuration: - -.. code-block:: ini - - [api] - auth_backends = airflow.api.auth.backend.basic_auth - -Username and password needs to be base64 encoded and send through the -``Authorization`` HTTP header in the following format: - -.. code-block:: text - - Authorization: Basic Base64(username:password) - -Here is a sample curl command you can use to validate the setup: - -.. code-block:: bash - - ENDPOINT_URL="http://localhost:8080/" - curl -X GET \ - --user "username:password" \ - "${ENDPOINT_URL}/api/v1/pools" - -Note, you can still enable this setting to allow API access through username -password credential even though Airflow webserver might be using another -authentication method. Under this setup, only users created through LDAP or -``airflow users create`` command will be able to pass the API authentication. - -Roll your own API authentication -'''''''''''''''''''''''''''''''' - -Each auth backend is defined as a new Python module. It must have 2 defined methods: - -* ``init_app(app: Flask)`` - function invoked when creating a flask application, which allows you to add a new view. -* ``requires_authentication(fn: Callable)`` - a decorator that allows arbitrary code execution before and after or instead of a view function. - -and may have one of the following to support API client authorizations used by :ref:`remote mode for CLI <cli-remote>`: - -* function ``create_client_session() -> requests.Session`` -* attribute ``CLIENT_AUTH: tuple[str, str] | requests.auth.AuthBase | None`` - -After writing your backend module, provide the fully qualified module name in the ``auth_backends`` key in the ``[api]`` -section of ``airflow.cfg``. - -Additional options to your auth backend can be configured in ``airflow.cfg``, as a new option. +The API authentication is handled by the auth manager. For more information about the API authentication, please refer to the auth manager documentation used by your environment. Review Comment: ```suggestion The API authentication is handled by the auth manager. For more information about API authentication, please refer to the auth manager documentation used by your environment. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org