GitHub user mateuscarestiato added a comment to the discussion: Native Airflow Dags Level Roles on Airflow 3.2.0
Hi @Emile1917! DAG-level access control changed significantly in Airflow 3.x with the removal of FAB (Flask-AppBuilder) as the default auth manager.

What changed from Airflow 2.x:

In Airflow 2.8 and below, DAG-level permissions were managed through FAB roles using permissions like `can_read` on `DAG:my_dag_id`. In Airflow 3.x, FAB is no longer the default — SimpleAuthManager is the new default, and it does not support DAG-level roles natively.

Options in Airflow 3.2.0:

Option 1: Use the API with asset-based access (native 3.x approach)

Airflow 3.x is moving toward a new access model. Currently, SimpleAuthManager supports only admin/viewer-level roles globally.

Option 2: Re-enable FabAuthManager (backwards compatible)

If you need DAG-level roles like in 2.x, you can explicitly use FabAuthManager:

```ini
# airflow.cfg
[core]
auth_manager = airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager
```

Requires: `pip install apache-airflow-providers-fab`

Then DAG-level permissions work as before:

- `can_read` on `DAG:specific_dag_id` → read-only access to that DAG
- `can_edit` on `DAG:specific_dag_id` → can trigger/pause that DAG

Option 3: Use Keycloak / external IdP with custom auth manager

For enterprise setups, implement a custom BaseAuthManager that maps user groups to DAG IDs.

Prerequisites for FabAuthManager in 3.2.0:

- `apache-airflow-providers-fab >= 2.0.0`
- Run `airflow db migrate` after enabling
- Re-create roles via the UI or `airflow roles create`

The roadmap for native DAG-level RBAC in SimpleAuthManager is tracked in the Airflow GitHub issues — worth watching if you prefer not to use FAB.

Let me know if you need help setting up FabAuthManager!

GitHub link: https://github.com/apache/airflow/discussions/65580#discussioncomment-16886830
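An added example, not part of the comment above and not Airflow's own code: a stand-alone audit of FAB-style role permissions that resolves effective per-DAG access and flags roles holding a grant on the global `DAGs` resource, which overrides per-DAG scoping. The `DAGs` resource name comes from FAB's permission model rather than from the comment; the role names, DAG IDs and the mapping itself are constructed sample data.

```python
"""Audit FAB-style role permissions for DAG-level access (constructed data)."""

GLOBAL_DAG_RESOURCE = "DAGs"   # FAB resource that covers every DAG
DAG_PREFIX = "DAG:"            # FAB prefix for a single-DAG resource

# Constructed sample: role -> set of (action, resource) pairs.
ROLES = {
    "team_a": {("can_read", "DAG:sales_etl"), ("can_edit", "DAG:sales_etl")},
    "team_b": {("can_read", "DAG:hr_export")},
    "legacy_ops": {("can_read", "DAG:hr_export"), ("can_edit", "DAGs")},
}


def is_allowed(perms, action, dag_id):
    """Deny by default; allow on a per-DAG grant or a global DAGs grant."""
    return ((action, DAG_PREFIX + dag_id) in perms
            or (action, GLOBAL_DAG_RESOURCE) in perms)


def effective_access(roles, dag_ids, actions=("can_read", "can_edit")):
    """Return {role: {dag_id: sorted allowed actions}}, omitting DAGs with none."""
    out = {}
    for role, perms in roles.items():
        per_dag = {}
        for dag_id in dag_ids:
            allowed = sorted(a for a in actions if is_allowed(perms, a, dag_id))
            if allowed:
                per_dag[dag_id] = allowed
        out[role] = per_dag
    return out


def global_grants(roles):
    """Roles with an action on the global resource (bypasses per-DAG scoping)."""
    found = {}
    for role, perms in roles.items():
        actions = sorted(a for a, res in perms if res == GLOBAL_DAG_RESOURCE)
        if actions:
            found[role] = actions
    return found


if __name__ == "__main__":
    for role, access in effective_access(ROLES, ["sales_etl", "hr_export"]).items():
        print(role, access)
    print("global grants:", global_grants(ROLES))
```

Here `legacy_ops` can edit `sales_etl` even though it has no `DAG:sales_etl` entry, which is the case to look for when re-creating 2.x roles under FabAuthManager.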
