[ 
https://issues.apache.org/jira/browse/AIRFLOW-85?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15284880#comment-15284880
 ] 

Chris Riccomini edited comment on AIRFLOW-85 at 5/16/16 5:29 PM:
-----------------------------------------------------------------

Based on a cursory investigation of Flask-Login, Flask-Principal, and 
[flask-ldap3-login|https://pypi.python.org/pypi/flask-ldap3-login/], it seems 
like we should use Flask-Login to handle login, Flask-Principal to manage 
user/group/roles, and flask-ldap3-login as the LDAP auth for login.

There also appears to be at least one Flask-Login Kerberos plugin, which would 
give us parity with the existing auth mechanism.

The question of how to manage viewer/edit access to specific DAGs remains. A 
simple approach would be to define permissions inside the DAG constructor in 
Python:

{noformat}
{
  'criccomini': 'editor',
  'fbar': 'viewer',
}
{noformat}

We could then use Flask-Principal to load the appropriate {{Needs}} when a 
user authenticates.


was (Author: criccomini):
Based on a cursory investigation of Flask-Login, Flask-Principal, and 
[flask-ldap3-login|https://pypi.python.org/pypi/flask-ldap3-login/], it seems 
like we should use Flask-Login to handle login, Flask-Principal to manage 
user/group/roles, and flask-ldap3-login as the LDAP auth for login.

There also appears to be at least one Flask-Login Kerberos plugin, which would 
give us parity with the existing auth mechanism.

The question of how to manage viewer/edit access to specific DAGs remains. A 
simple approach would be to define permissions inside the DAG constructor in 
Python:

{noformat}
{
  'criccomini': 'editor',
  'fbar': 'viewer',
}
{noformat}

We could then use Flask-Principal to load the appropriate {{Need}}s when a 
user authenticates.

> Create DAGs UI
> --------------
>
>                 Key: AIRFLOW-85
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-85
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security, ui
>            Reporter: Chris Riccomini
>
> Airflow currently provides only an {{/admin}} UI interface for the webapp. 
> This UI provides three distinct roles:
> * Admin
> * Data profiler
> * None
> In addition, Airflow currently provides the ability to log in, either via a 
> secure proxy front-end, or via LDAP/Kerberos, within the webapp.
> We run Airflow with LDAP authentication enabled. This helps us control access 
> to the UI. However, there is insufficient granularity within the UI. We would 
> like to be able to grant users the ability to:
> # View their DAGs, but no one else's.
> # Control their DAGs, but no one else's.
> This is not possible right now. You can take away the ability to access the 
> connections and data profiling tabs, but users can still see all DAGs, as 
> well as control the state of the DB by clearing any DAG status, etc.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
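
The per-DAG permission idea from the comment above, as an added sketch that is not code from Airflow or from the comment's author. It uses only the standard library and models a need as a tuple with the same fields as Flask-Principal's {{ItemNeed}} (method, value, type); the DAG ids, the role-to-action mapping and the function names are assumptions made for illustration.

```python
from collections import namedtuple

# Same field layout as Flask-Principal's ItemNeed tuple: (method, value, type).
ItemNeed = namedtuple("ItemNeed", ["method", "value", "type"])

# Assumed mapping: a role grants actions; 'editor' includes what 'viewer' can do.
ROLE_ACTIONS = {"viewer": {"view"}, "editor": {"view", "edit"}}

# Constructed sample data: per-DAG permission dicts in the shape the comment proposes.
DAG_PERMISSIONS = {
    "etl_daily": {"criccomini": "editor", "fbar": "viewer"},
    "ml_train": {"fbar": "editor"},
    "legacy_job": {},  # no entries: nobody gets access (default deny)
}


def validate(dag_permissions):
    """Reject unknown role names at load time instead of silently ignoring them."""
    for dag_id, acl in dag_permissions.items():
        for user, role in acl.items():
            if role not in ROLE_ACTIONS:
                raise ValueError(f"{dag_id}: unknown role {role!r} for {user!r}")


def needs_for_user(username, dag_permissions):
    """Needs to attach to an identity once `username` has authenticated."""
    validate(dag_permissions)
    needs = set()
    for dag_id, acl in dag_permissions.items():
        role = acl.get(username)  # exact match only; an absent user gets nothing
        for action in ROLE_ACTIONS.get(role, ()):
            needs.add(ItemNeed(action, dag_id, "dag"))
    return needs


def can(provided_needs, action, dag_id):
    """Authorization check for one request: is the required need provided?"""
    return ItemNeed(action, dag_id, "dag") in provided_needs


if __name__ == "__main__":
    for user in ("criccomini", "fbar", "mallory"):
        print(user, sorted(needs_for_user(user, DAG_PERMISSIONS)))
```

In a Flask-Principal integration, the set returned by {{needs_for_user}} would be added to the identity's provided needs in the handler that runs when an identity is loaded, and each view or control endpoint would require the matching need for its DAG.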
