Hey Max, Sure we will discuss in our next meeting.
Cheers, Gurer On Thu, Jun 15, 2017 at 1:46 PM, Maxime Beauchemin < maximebeauche...@gmail.com> wrote: > @Gurer [our beloved Airflow PM at Airbnb], can we include this topic in > our roadmap planning for H2? > > Max > > On Thu, Jun 15, 2017 at 12:45 PM, kalpesh dharwadkar < > kalpeshdharwad...@gmail.com> wrote: > >> @Dan: >> >> Thanks for your feedback. I will remove the REFRESH_DAG permission. >> >> @Max: >> >> Thanks for your response. >> >> The scope of my proposal was just to add RBAC security feature to Airflow >> without replacing any existing frameworks. >> >> I understand that adopting FAB would serve Airflow better moving forward, >> however porting Airflow to using FAB significantly increases the scope of >> the proposal and I don't have the time and expertise to carry out the >> tasks >> in the extended scope. >> >> Hence, I'm curious to know if there's a plan for Airflow to migrate to FAB >> this year? >> >> - Kalpesh >> >> On Mon, Jun 12, 2017 at 6:16 PM, Maxime Beauchemin < >> maximebeauche...@gmail.com> wrote: >> >> > It would be nice to go with a framework for this. I did some >> > experimentation using FlaskAppBuilder to go in this direction. It >> provides >> > auth on different authentication backends out of the box (oauth, openid, >> > ldap, registration, ...), generates perms for each view that has an >> > @has_access decorator, generates at set of perms for each ORM model >> (show, >> > edit, delete, add, ...) and enforces it in the CRUD views as well as in >> the >> > generated REST api that you get for free as a byprdoduct of deriving >> FAB's >> > models (essentially it's SqlAlchemy with a layer on top). >> > >> > I started a POC on FAB here a while ago: >> > https://github.com/mistercrunch/airflow_webserver at the time my main >> > motivation was the free/instantaneous REST api. >> > >> > I think FAB is a decent fit as the porting should be fairly >> straightforward >> > (moving the flask views over and deprecating Flask-Admin in favor of >> FAB's >> > crud) though there was a few blockers. From memory I think FAB didn't >> like >> > the compound PKs we use in some of the Airflow models. We'd have to >> either >> > write a db migration script on the Airflow side, or add support for >> > compound keys to FAB (I recently became a maintainer of the project, so >> I >> > could help with that) >> > >> > The only downside of FAB is that it's not as mature as something like >> > Django, but porting to Django would surely be much more work. >> > >> > Then there's the flask-security suite, but that looks like a bit of a >> > patchwork to me, I guess we can pick and choose which we want to use. >> > >> > Max >> > >> > On Mon, Jun 12, 2017 at 12:50 PM, Dan Davydov < >> > dan.davy...@airbnb.com.invalid> wrote: >> > >> > > Looks good to me in general, thanks for putting this together! >> > > >> > > I think the ability to integrate with external RBAC systems like LDAP >> is >> > > important (i.e. the Airflow DB should not be decoupled with the RBAC >> > > database wherever possible). >> > > >> > > I wouldn't be too worried about the permissions about refreshing >> DAGs, as >> > > far as I know this functionality is no longer required with the new >> > > webservers which reload state periodically, and will certainly be >> removed >> > > when we have a better DAG consistency story. >> > > >> > > I think it would also be good to think about this >> proposal/implementation >> > > and how it applied in the API-driven world (e.g. when webserver hits >> APIs >> > > like /clear on behalf of users instead of running commands against the >> > > database directly). >> > > >> > > On Mon, Jun 12, 2017 at 11:12 AM, Bolke de Bruin <bdbr...@gmail.com> >> > > wrote: >> > > >> > > > Will respond but im traveling at the moment. Give me a few days. >> > > > >> > > > Sent from my iPhone >> > > > >> > > > > On 12 Jun 2017, at 13:39, Chris Riccomini <criccom...@apache.org> >> > > wrote: >> > > > > >> > > > > Hey all, >> > > > > >> > > > > Checking in on this. We spent a good chunk of time thinking about >> > this, >> > > > and >> > > > > want to move forward with it, but want to make sure we're all on >> the >> > > same >> > > > > page. >> > > > > >> > > > > Max? Bolke? Dan? Jeremiah? >> > > > > >> > > > > Cheers, >> > > > > Chris >> > > > > >> > > > > On Thu, Jun 8, 2017 at 1:49 PM, kalpesh dharwadkar < >> > > > > kalpeshdharwad...@gmail.com> wrote: >> > > > > >> > > > >> Hello everyone, >> > > > >> >> > > > >> As you all know, currently Airflow doesn’t have a built-in Role >> > Based >> > > > >> Access Control(RBAC) capability. It does provide very limited >> > > > >> authorization capability by providing admin, data_profiler, and >> user >> > > > roles. >> > > > >> However, associating these roles to authenticated identities is >> not >> > a >> > > > >> simple effort. >> > > > >> >> > > > >> To address this issue, I have created a design proposal for >> building >> > > > RBAC >> > > > >> into Airflow and simplifying user access management via the >> Airflow >> > > UI. >> > > > >> >> > > > >> The design proposal is located at https://cwiki.apache.org/ >> > > > >> confluence/display/AIRFLOW/Airflow+RBAC+proposal >> > > > >> >> > > > >> Any comments/questions/feedback are much appreciated. >> > > > >> >> > > > >> Thanks >> > > > >> Kalpesh >> > > > >> >> > > > >> > > >> > >> > >
