Hi Constance.

The airflow CLI is still needed for some admin commands which require DB access, as well as being used to start the server components.

One example is DB migration, DB Cleaning utils. This can not be a remote command (chicken and egg problem).

But all (admin) commands which can be run from remote and do not need direct DB access are the ones that are proposed for airflowctl.

The overview and definition of different command types was described in https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=315493347#AIP81EnhancedSecurityinCLIviaIntegrationofAPI-Considerations

Actually I thought from my memory that the deprecation and removal was agreed already in AIP-81 - but of course we can re-discuss if it was not covered there.

Jens

On 02.09.25 17:41, Constance Martineau wrote:
Hi Buğra,

For my own knowledge: Is the goal to eventually fully deprecate the Airflow
CLI in favour of airflow-ctl?

Constance

On Sun, Aug 31, 2025 at 1:02 PM Buğra Öztürk <[email protected]>
wrote:

Hi all,

As many of you know, airflowctl is on the way for its 1.0.0 release step by
step and has already been stated as a dependency in AIP-94. Building on
that, I have drafted a new Airflow Improvement Proposal: Decouple Remote
Commands from airflow CLI (to airflowctl).

Today, many airflow CLI commands duplicate functionality that already
exists in the Public API/airflowctl. This results in:

    - Duplicate development effort (API + CLI both need maintenance),
    - Security risks (CLI can directly interact with the metadatabase,
      bypassing RBAC),
    - Inconsistent user experience (differences between CLI and API
      behaviour).

With this AIP, the goal is to:

    - Deprecate Remote commands in the airflow CLI,
    - Provide equivalent functionality in a dedicated API-driven tool:
      airflowctl,
    - Ensure all Remote operations go through the API, strengthening RBAC and
      auditability.
    - Keep airflow CLI for local administrative commands only (e.g., db shell,
      process management).

This will simplify maintenance, improve security, and give users a clearer
separation between local vs. remote operations.

Full details are in the proposal in Confluence:
https://cwiki.apache.org/confluence/x/XorHFg

I would love to hear your thoughts, feedback, and concerns.

Thanks,
--
Bugra Ozturk

