[
https://issues.apache.org/jira/browse/AIRFLOW-85?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15284880#comment-15284880
]
Chris Riccomini edited comment on AIRFLOW-85 at 5/16/16 5:29 PM:
-----------------------------------------------------------------
Based on a cursory investigation of Flask-Login, Flask-Principal, and
[flask-ldap3-login|https://pypi.python.org/pypi/flask-ldap3-login/], it seems
like we should use Flask-Login to handle login, Flask-principal to manage
user/group/roles, and flask-ldap3-login as the LDAP auth for login.
There also appears to be at least one Flask-Login Kerberos plugin, which would
give us parity with the existing auth mechanism.
The question of how to manage viewer/edit access to specific DAGs remains. A
simple approach would be to define permissions inside the DAG constructor in
Python:
{noformat}
{
'criccomini': 'editor',
'fbar': viewer,
}
{noformat}
We could then use Flask-Principal, to load the appropriate {{Needs}} when a
user authenticates.
was (Author: criccomini):
Based on a cursory investigation of Flask-Login, Flask-Principal, and
[flask-ldap3-login|https://pypi.python.org/pypi/flask-ldap3-login/], it seems
like we should use Flask-Login to handle login, Flask-principal to manage
user/group/roles, and flask-ldap3-login as the LDAP auth for login.
There also appears to be at least one Flask-Login Kerberos plugin, which would
give us parity with the existing auth mechanism.
The question of how to manage viewer/edit access to specific DAGs remains. A
simple approach would be to define permissions inside the DAG constructor in
Python:
{noformat}
{
'criccomini': 'editor',
'fbar': viewer,
}
{noformat}
We could then use Flask-Principal, to load the appropriate {{Need}}s when a
user authenticates.
> Create DAGs UI
> --------------
>
> Key: AIRFLOW-85
> URL: https://issues.apache.org/jira/browse/AIRFLOW-85
> Project: Apache Airflow
> Issue Type: Bug
> Components: security, ui
> Reporter: Chris Riccomini
>
> Airflow currently provides only an {{/admin}} UI interface for the webapp.
> This UI provides three distinct roles:
> * Admin
> * Data profiler
> * None
> In addition, Airflow currently provides the ability to log in, either via a
> secure proxy front-end, or via LDAP/Kerberos, within the webapp.
> We run Airflow with LDAP authentication enabled. This helps us control access
> to the UI. However, there is insufficient granularity within the UI. We would
> like to be able to grant users the ability to:
> # View their DAGs, but no one else's.
> # Control their DAGs, but no one else's.
> This is not possible right now. You can take away the ability to access the
> connections and data profiling tabs, but users can still see all DAGs, as
> well as control the state of the DB by clearing any DAG status, etc.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
