It certainly sounds doable and similar to the DAG-level access controls in many ways (see the soon-to-be-merged PR <https://github.com/apache/incubator-airflow/pull/3197>). The new `airflow sync_perm` CLI command could ensure the existence of one perm per "conn_id" as well as an "all_conn_id" perm.

Now RBAC is a web-only construct at the moment and I think it makes sense to keep it this way and build upon this assumption. This means that to check a perm, you need APIs that live only in the new web app: the RBAC-related models are defined by FAB and are available through the SecurityManager (a FAB construct). This means re-writing the CLI to be lightweight and operate through REST, authenticate and all that good stuff. This makes things like a local backfill a bit complicated to think through, but the solution is probably for the local backfill to operate simply with a lower-level REST API. On the path to success we need to have a CLI that can operate without knowing the decryption key, and the end goal is a CLI that doesn't connect to the metadata database at all.

Note that we could stub the FAB RBAC models in "Airflow core (models.py)" but personally I think leaving that on the web only and going through the (yet-to-be-built) REST API is the way to go.

Also note that the current DAG-level access control only implements the web restrictions at the moment, none of it is applied at the CLI level, that has yet to be done.

Another thought: it may make sense to break off `airflow-cli` as its own package though there are pros/cons here.

Max

On Fri, Jun 29, 2018 at 9:19 AM Naik Kaxil <k.n...@reply.com> wrote:

> I would like to get thoughts on how you guys secure connections i.e.
> Role-based control of connection. For example I don’t want Person A to use
> connection X, or in other words I only want Person B to have access to
> connection X.
>
> With RBAC in the master, it is possible but how do you guys achieve it in
> version 1.9.0?
>
> Regards,
> Kaxil
>
> Kaxil Naik
> Data Reply
> 2nd Floor, Nova South
> 160 Victoria Street, Westminster
> London SW1E 5LB - UK
> phone: +44 (0)20 7730 6000
> k.n...@reply.com
> www.reply.com
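
Added example (not part of the original thread, and not Airflow or FAB code): a minimal in-memory model of the scheme sketched in the reply above, with one perm per "conn_id" plus an "all_conn_id" wildcard kept in step by a sync pass, and a default-deny check. The `PermStore` class, the `can_use` permission name, and the role and connection names are hypothetical.

```python
# In-memory stand-in for the RBAC tables; this is NOT FAB's SecurityManager API.
ALL_CONN = "all_conn_id"   # wildcard perm named in the message
PERM = "can_use"           # hypothetical permission name


class PermStore:
    def __init__(self):
        self.perms = set()      # (permission, resource) pairs that exist
        self.role_perms = {}    # role name -> set of granted pairs

    def sync_perm(self, conn_ids):
        """Ensure one perm per conn_id plus the wildcard; drop stale ones."""
        if ALL_CONN in conn_ids:
            # A connection with the wildcard's name would turn a single
            # grant into access to everything.
            raise ValueError(f"{ALL_CONN!r} is reserved")
        wanted = {(PERM, c) for c in conn_ids} | {(PERM, ALL_CONN)}
        created, stale = wanted - self.perms, self.perms - wanted
        self.perms = wanted
        # Revoke grants on deleted connections so a conn_id that is
        # re-created later does not inherit the old access.
        for granted in self.role_perms.values():
            granted -= stale
        return sorted(r for _, r in created), sorted(r for _, r in stale)

    def grant(self, role, conn_id):
        pair = (PERM, conn_id)
        if pair not in self.perms:
            raise KeyError(f"no perm for {conn_id!r}; run sync_perm first")
        self.role_perms.setdefault(role, set()).add(pair)

    def can_use(self, roles, conn_id):
        """Default deny: allow only on an explicit or wildcard grant."""
        if (PERM, conn_id) not in self.perms:
            return False
        for role in roles:
            granted = self.role_perms.get(role, set())
            if (PERM, ALL_CONN) in granted or (PERM, conn_id) in granted:
                return True
        return False


def demo():
    store = PermStore()
    store.sync_perm(["connection_x", "reporting_db"])  # constructed conn_ids
    store.grant("team_b", "connection_x")
    store.grant("admin", ALL_CONN)
    return {"person_a": store.can_use(["viewer"], "connection_x"),
            "person_b": store.can_use(["team_b"], "connection_x"),
            "admin": store.can_use(["admin"], "reporting_db")}
```
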