[ https://issues.apache.org/jira/browse/AIRFLOW-85?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15284880#comment-15284880 ]
Chris Riccomini edited comment on AIRFLOW-85 at 5/16/16 5:29 PM:
-----------------------------------------------------------------

Based on a cursory investigation of Flask-Login, Flask-Principal, and [flask-ldap3-login|https://pypi.python.org/pypi/flask-ldap3-login/], it seems like we should use Flask-Login to handle login, Flask-Principal to manage user/group/roles, and flask-ldap3-login as the LDAP auth for login. There also appears to be at least one Flask-Login Kerberos plugin, which would give us parity with the existing auth mechanism.

The question of how to manage viewer/edit access to specific DAGs remains. A simple approach would be to define permissions inside the DAG constructor in Python:

{noformat}
{
  'criccomini': 'editor',
  'fbar': 'viewer',
}
{noformat}

We could then use Flask-Principal to load the appropriate {{Need}}s when a user authenticates.

was (Author: criccomini):
Based on a cursory investigation of Flask-Login, Flask-Principal, and [flask-ldap3-login|https://pypi.python.org/pypi/flask-ldap3-login/], it seems like we should use Flask-Login to handle login, Flask-Principal to manage user/group/roles, and flask-ldap3-login as the LDAP auth for login. There also appears to be at least one Flask-Login Kerberos plugin, which would give us parity with the existing auth mechanism.

The question remains over how to manage viewer/edit access to specific DAGs. A simple approach would be to define permissions inside the DAG constructor in Python:

{noformat}
{
  'criccomini': 'editor',
  'fbar': 'viewer',
}
{noformat}

We could then use Flask-Principal to load the appropriate {{Need}}s when a user authenticates.

> Create DAGs UI
> --------------
>
>                 Key: AIRFLOW-85
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-85
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security, ui
>            Reporter: Chris Riccomini
>
> Airflow currently provides only an {{/admin}} UI interface for the webapp.
> This UI provides three distinct roles:
> * Admin
> * Data profiler
> * None
> In addition, Airflow currently provides the ability to log in, either via a secure proxy front-end, or via LDAP/Kerberos, within the webapp.
> We run Airflow with LDAP authentication enabled. This helps us control access to the UI. However, there is insufficient granularity within the UI. We would like to be able to grant users the ability to:
> # View their DAGs, but no one else's.
> # Control their DAGs, but no one else's.
> This is not possible right now. You can take away the ability to access the connections and data profiling tabs, but users can still see all DAGs, as well as control the state of the DB by clearing any DAG status, etc.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
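
An added sketch of the proposal in the comment above (not code from Airflow or from the comment's author): per-DAG permission dicts are turned into needs when a user authenticates, and view/edit checks deny by default. `DagNeed` is a local stand-in shaped like Flask-Principal's `ItemNeed`; the role-to-action mapping, the function names, and the sample DAG ids are assumptions.

```python
from collections import namedtuple

# Stand-in shaped like Flask-Principal's ItemNeed (method, value, type);
# defined locally so the sketch runs without Flask installed.
DagNeed = namedtuple("DagNeed", ["method", "value", "type"])

# Role -> actions it grants. "editor" implying "view" is an assumption;
# the comment only names the two roles.
ROLE_ACTIONS = {"viewer": {"view"}, "editor": {"view", "edit"}}

# Constructed sample data: dag_id -> the permissions dict a DAG constructor
# would receive under the proposal.
DAG_PERMISSIONS = {
    "etl_daily": {"criccomini": "editor", "fbar": "viewer"},
    "billing": {"fbar": "editor"},
    "legacy": {},  # no entries: no user gets a need for this DAG
}


def validate_permissions(dag_permissions):
    """Reject unknown roles at load time so a typo is an error, not a
    silently ignored (or misread) grant."""
    for dag_id, perms in dag_permissions.items():
        for user, role in perms.items():
            if role not in ROLE_ACTIONS:
                raise ValueError(f"{dag_id}: unknown role {role!r} for {user!r}")


def needs_for_user(username, dag_permissions):
    """Needs to attach to the identity when `username` authenticates."""
    needs = set()
    for dag_id, perms in dag_permissions.items():
        # Missing user or unknown role yields no actions (deny by default).
        for action in ROLE_ACTIONS.get(perms.get(username), ()):
            needs.add(DagNeed(action, dag_id, "dag"))
    return needs


def can(identity_needs, action, dag_id):
    """Access requires an exact matching need; anything else is denied."""
    return DagNeed(action, dag_id, "dag") in identity_needs


def visible_dags(identity_needs):
    """DAG ids the UI should list for this identity."""
    return sorted(n.value for n in identity_needs if n.method == "view")
```

In a Flask app these needs would be added to the identity in the handler that runs after login, and the DAG list and state-changing views would each call the check before rendering or acting.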