[ https://issues.apache.org/jira/browse/AIRFLOW-1856?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anonymous reassigned AIRFLOW-1856:
----------------------------------

    Assignee:     (was: Lokesh Chinnaga)

> How to allow airflow dags for concrete user(s) only?
> ----------------------------------------------------
>
>                 Key: AIRFLOW-1856
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1856
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: authentication, ui, webapp
>            Reporter: Ikar Pohorsky
>            Priority: Major
>
> The problem is pretty simple. I need to limit airflow web users to see and
> execute only certain DAGs and tasks.
> If possible, I'd prefer not to use
> [Kerberos|https://airflow.incubator.apache.org/security.html#kerberos] nor
> [OAuth|https://airflow.incubator.apache.org/security.html#oauth-authentication].
> The
> [Multi-tenancy|https://airflow.incubator.apache.org/security.html#multi-tenancy]
> option seems like an option to go, but couldn't make it work the way I
> expect.
> My current setup:
> * added airflow web users _test_ and _ikar_ via
> [Web Authentication / Password|https://airflow.incubator.apache.org/security.html#password]
> * my unix username is _ikar_ with a home in _/home/ikar_
> * no _test_ unix user
> * airflow _1.8.2_ is installed in _/home/ikar/airflow_
> * added two DAGs with one task:
> ** one with _owner_ set to _ikar_
> ** one with _owner_ set to _test_
> * airflow.cfg:
> {code}
> [core]
> # The home folder for airflow, default is ~/airflow
> airflow_home = /home/ikar/airflow
> # The folder where your airflow pipelines live, most likely a
> # subfolder in a code repository
> # This path must be absolute
> dags_folder = /home/ikar/airflow-test/dags
> # The folder where airflow should store its log files
> # This path must be absolute
> base_log_folder = /home/ikar/airflow/logs
> # Airflow can store logs remotely in AWS S3 or Google Cloud Storage. Users
> # must supply a remote location URL (starting with either 's3://...' or
> # 'gs://...') and an Airflow connection id that provides access to the storage
> # location.
> remote_base_log_folder =
> remote_log_conn_id =
> # Use server-side encryption for logs stored in S3
> encrypt_s3_logs = False
> # DEPRECATED option for remote log storage, use remote_base_log_folder instead!
> s3_log_folder =
> # The executor class that airflow should use. Choices include
> # SequentialExecutor, LocalExecutor, CeleryExecutor
> executor = SequentialExecutor
> # The SqlAlchemy connection string to the metadata database.
> # SqlAlchemy supports many different database engine, more information
> # their website
> sql_alchemy_conn = sqlite:////home/ikar/airflow/airflow.db
> # The SqlAlchemy pool size is the maximum number of database connections
> # in the pool.
> sql_alchemy_pool_size = 5
> # The SqlAlchemy pool recycle is the number of seconds a connection
> # can be idle in the pool before it is invalidated. This config does
> # not apply to sqlite.
> sql_alchemy_pool_recycle = 3600
> # The amount of parallelism as a setting to the executor. This defines
> # the max number of task instances that should run simultaneously
> # on this airflow installation
> parallelism = 32
> # The number of task instances allowed to run concurrently by the scheduler
> dag_concurrency = 16
> # Are DAGs paused by default at creation
> dags_are_paused_at_creation = True
> # When not using pools, tasks are run in the "default pool",
> # whose size is guided by this config element
> non_pooled_task_slot_count = 128
> # The maximum number of active DAG runs per DAG
> max_active_runs_per_dag = 16
> # Whether to load the examples that ship with Airflow. It's good to
> # get started, but you probably want to set this to False in a production
> # environment
> load_examples = False
> # Where your Airflow plugins are stored
> plugins_folder = /home/ikar/airflow/plugins
> # Secret key to save connection passwords in the db
> fernet_key = cryptography_not_found_storing_passwords_in_plain_text
> # Whether to disable pickling dags
> donot_pickle = False
> # How long before timing out a python file import while filling the DagBag
> dagbag_import_timeout = 30
> # The class to use for running task instances in a subprocess
> task_runner = BashTaskRunner
> # If set, tasks without a `run_as_user` argument will be run with this user
> # Can be used to de-elevate a sudo user running Airflow when executing tasks
> default_impersonation =
> # What security module to use (for example kerberos):
> security =
> # Turn unit test mode on (overwrites many configuration options with test
> # values at runtime)
> unit_test_mode = False
>
> [cli]
> # In what way should the cli access the API. The LocalClient will use the
> # database directly, while the json_client will use the api running on the
> # webserver
> api_client = airflow.api.client.local_client
> endpoint_url = http://localhost:8888
>
> [api]
> # How to authenticate users of the API
> auth_backend = airflow.api.auth.backend.default
>
> [operators]
> # The default owner assigned to each new operator, unless
> # provided explicitly or passed via `default_args`
> default_owner = Airflow
> default_cpus = 1
> default_ram = 512
> default_disk = 512
> default_gpus = 0
>
> [webserver]
> # The base url of your website as airflow cannot guess what domain or
> # cname you are using. This is used in automated emails that
> # airflow sends to point links to the right web server
> base_url = http://localhost:8888
> # The ip specified when starting the web server
> web_server_host = 0.0.0.0
> # The port on which to run the web server
> web_server_port = 8888
> # Paths to the SSL certificate and key for the web server. When both are
> # provided SSL will be enabled. This does not change the web server port.
> web_server_ssl_cert =
> web_server_ssl_key =
> # Number of seconds the gunicorn webserver waits before timing out on a worker
> web_server_worker_timeout = 120
> # Number of workers to refresh at a time. When set to 0, worker refresh is
> # disabled. When nonzero, airflow periodically refreshes webserver workers by
> # bringing up new ones and killing old ones.
> worker_refresh_batch_size = 1
> # Number of seconds to wait before refreshing a batch of workers.
> worker_refresh_interval = 30
> # Secret key used to run your flask app
> secret_key = temporary_key
> # Number of workers to run the Gunicorn web server
> workers = 4
> # The worker class gunicorn should use. Choices include
> # sync (default), eventlet, gevent
> worker_class = sync
> # Log files for the gunicorn webserver. '-' means log to stderr.
> access_logfile = -
> error_logfile = -
> # Expose the configuration file in the web server
> expose_config = False
> # Set to true to turn on authentication:
> # http://pythonhosted.org/airflow/security.html#web-authentication
> authenticate = True
> auth_backend = airflow.contrib.auth.backends.password_auth
> # Filter the list of dags by owner name (requires authentication to be enabled)
> filter_by_owner = True
> # Filtering mode. Choices include user (default) and ldapgroup.
> # Ldap group filtering requires using the ldap backend
> #
> # Note that the ldap server needs the "memberOf" overlay to be set up
> # in order to user the ldapgroup mode.
> owner_mode = user
> # Default DAG orientation. Valid values are:
> # LR (Left->Right), TB (Top->Bottom), RL (Right->Left), BT (Bottom->Top)
> dag_orientation = LR
> # Puts the webserver in demonstration mode; blurs the names of Operators for
> # privacy.
> demo_mode = False
> # The amount of time (in secs) webserver will wait for initial handshake
> # while fetching logs from other worker machine
> log_fetch_timeout_sec = 5
> # By default, the webserver shows paused DAGs. Flip this to hide paused
> # DAGs by default
> hide_paused_dags_by_default = False
>
> [email]
> email_backend = airflow.utils.email.send_email_smtp
>
> [smtp]
> # If you want airflow to send emails on retries, failure, and you want to use
> # the airflow.utils.email.send_email_smtp function, you have to configure an
> # smtp server here
> smtp_host = localhost
> smtp_starttls = True
> smtp_ssl = False
> # Uncomment and set the user/pass settings if you want to use SMTP AUTH
> # smtp_user = airflow
> # smtp_password = airflow
> smtp_port = 25
> smtp_mail_from = airf...@airflow.com
>
> [celery]
> # This section only applies if you are using the CeleryExecutor in
> # [core] section above
> # The app name that will be used by celery
> celery_app_name = airflow.executors.celery_executor
> # The concurrency that will be used when starting workers with the
> # "airflow worker" command. This defines the number of task instances that
> # a worker will take, so size up your workers based on the resources on
> # your worker box and the nature of your tasks
> celeryd_concurrency = 4
> # When you start an airflow worker, airflow starts a tiny web server
> # subprocess to serve the workers local log files to the airflow main
> # web server, who then builds pages and sends them to users. This defines
> # the port on which the logs are served. It needs to be unused, and open
> # visible from the main web server to connect into the workers.
> worker_log_server_port = 8793
> # The Celery broker URL. Celery supports RabbitMQ, Redis and experimentally
> # a sqlalchemy database. Refer to the Celery documentation for more
> # information.
> broker_url = sqla+mysql://airflow:airflow@localhost:3306/airflow
> # Another key Celery setting
> celery_result_backend = db+mysql://airflow:airflow@localhost:3306/airflow
> # Celery Flower is a sweet UI for Celery. Airflow has a shortcut to start
> # it `airflow flower`. This defines the IP that Celery Flower runs on
> flower_host = 0.0.0.0
> # This defines the port that Celery Flower runs on
> flower_port = 5555
> # Default queue that tasks get assigned to and that worker listen on.
> default_queue = default
>
> [scheduler]
> # Task instances listen for external kill signal (when you clear tasks
> # from the CLI or the UI), this defines the frequency at which they should
> # listen (in seconds).
> job_heartbeat_sec = 5
> # The scheduler constantly tries to trigger new tasks (look at the
> # scheduler section in the docs for more information). This defines
> # how often the scheduler should run (in seconds).
> scheduler_heartbeat_sec = 5
> # after how much time should the scheduler terminate in seconds
> # -1 indicates to run continuously (see also num_runs)
> run_duration = -1
> # after how much time a new DAGs should be picked up from the filesystem
> min_file_process_interval = 0
> dag_dir_list_interval = 300
> # How often should stats be printed to the logs
> print_stats_interval = 30
> child_process_log_directory = /home/ikar/airflow/logs/scheduler
> # Local task jobs periodically heartbeat to the DB. If the job has
> # not heartbeat in this many seconds, the scheduler will mark the
> # associated task instance as failed and will re-schedule the task.
> scheduler_zombie_task_threshold = 300
> # Turn off scheduler catchup by setting this to False.
> # Default behavior is unchanged and
> # Command Line Backfills still work, but the scheduler
> # will not do scheduler catchup if this is False,
> # however it can be set on a per DAG basis in the
> # DAG definition (catchup)
> catchup_by_default = False
> # Statsd (https://github.com/etsy/statsd) integration settings
> statsd_on = False
> statsd_host = localhost
> statsd_port = 8125
> statsd_prefix = airflow
> # The scheduler can run multiple threads in parallel to schedule dags.
> # This defines how many threads will run. However airflow will never
> # use more threads than the amount of cpu cores available.
> max_threads = 2
> authenticate = False
>
> [mesos]
> # Mesos master address which MesosExecutor will connect to.
> master = localhost:5050
> # The framework name which Airflow scheduler will register itself as on mesos
> framework_name = Airflow
> # Number of cpu cores required for running one task instance using
> # 'airflow run <dag_id> <task_id> <execution_date> --local -p <pickle_id>'
> # command on a mesos slave
> task_cpu = 1
> # Memory in MB required for running one task instance using
> # 'airflow run <dag_id> <task_id> <execution_date> --local -p <pickle_id>'
> # command on a mesos slave
> task_memory = 256
> # Enable framework checkpointing for mesos
> # See http://mesos.apache.org/documentation/latest/slave-recovery/
> checkpoint = False
> # Failover timeout in milliseconds.
> # When checkpointing is enabled and this option is set, Mesos waits
> # until the configured timeout for
> # the MesosExecutor framework to re-register after a failover. Mesos
> # shuts down running tasks if the
> # MesosExecutor framework fails to re-register within this timeframe.
> # failover_timeout = 604800
> # Enable framework authentication for mesos
> # See http://mesos.apache.org/documentation/latest/configuration/
> authenticate = False
> # Mesos credentials, if authentication is enabled
> # default_principal = admin
> # default_secret = admin
>
> [kerberos]
> ccache = /tmp/airflow_krb5_ccache
> # gets augmented with fqdn
> principal = airflow
> reinit_frequency = 3600
> kinit_path = kinit
> keytab = airflow.keytab
>
> [github_enterprise]
> api_rev = v3
>
> [admin]
> # UI to hide sensitive variable fields when set to True
> hide_sensitive_variable_fields = True
> {code}
> * sample DAG:
> {code}
> from datetime import datetime
> from airflow import DAG
> from airflow.operators.bash_operator import BashOperator
> from core.path import REPO_PATH
> test_template = """
> cd {{ params.path }}; python3 -m unittest --verbose {{ params.script }}
> """
> with DAG(
>     dag_id="daily_tests",
>     schedule_interval="30 4 * * *",
>     default_args={'start_date': datetime(2017, 8, 25, hour=5)}
> ) as dag:
>     BashOperator(
>         task_id="platform_test",
>         owner="ikar",
>         bash_command=test_template,
>         params={'path': "{}/tests/daily".format(REPO_PATH), 'script': "test_platform.py"},
>     )
> {code}
> I'd expect that _test_ user will only see DAG with owner set to _test_ but
> both users can see and execute both DAGs.
> Searching issues by owner works great.
> Couldn't find any detailed documentation on how to set up the user
> restrictions for airflow DAGs.
> Can anyone help? Am I missing something?
> Is it possible that both users I've created are superusers? If so, how to make
> them non-superusers?

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
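
Added example, not part of the issue and not Airflow's own code: a check of the prerequisites that the comments in the quoted airflow.cfg state for owner filtering, plus a comparison of DAG owners with web login names. The function name, the second DAG id and the exact-match rule are assumptions made for illustration.

```python
import configparser

# Constructed sample: only the keys that bear on owner filtering, with the
# values from the airflow.cfg quoted in the issue.
SAMPLE_CFG = """
[webserver]
authenticate = True
auth_backend = airflow.contrib.auth.backends.password_auth
filter_by_owner = True
owner_mode = user
[scheduler]
authenticate = False
"""


def owner_filter_findings(cfg_text, dag_owners, web_users):
    """Return a list of problems; empty means the prerequisites named in the
    config comments are met. dag_owners maps dag_id -> owner string."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    if not cp.has_section("webserver"):
        return ["no [webserver] section"]
    # Read [webserver] only: 'authenticate' also appears in [scheduler]
    # and [mesos], where it controls something else.
    web = cp["webserver"]
    findings = []
    if not web.getboolean("filter_by_owner", fallback=False):
        findings.append("filter_by_owner is not enabled")
    if not web.getboolean("authenticate", fallback=False):
        findings.append("filter_by_owner requires authenticate = True")
    mode = web.get("owner_mode", fallback="user").strip()
    backend = web.get("auth_backend", fallback="")
    if mode == "ldapgroup" and "ldap" not in backend.lower():
        findings.append("owner_mode = ldapgroup requires the ldap backend")
    if mode == "user":
        # Assumption: owner and login name must match exactly (case included).
        for dag_id, owner in sorted(dag_owners.items()):
            if owner not in web_users:
                findings.append(f"{dag_id}: owner {owner!r} matches no web user")
    return findings


if __name__ == "__main__":
    # 'daily_tests' is the DAG from the issue; the second id is constructed.
    owners = {"daily_tests": "ikar", "dag_owned_by_test": "test"}
    for line in owner_filter_findings(SAMPLE_CFG, owners, {"ikar", "test"}) or ["ok"]:
        print(line)
```

The settings quoted in the issue produce no findings with this check.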