
Is it possible to set up the Airflow authentication process with LDAP for admins and superusers while allowing read-only access for anonymous users?

I wish I could provide code sample or something, but I don't even know where to start. For now I have a working LDAP connection and an ability to login without filters with my user.

fevgenym

1 Answer


To do so, you need to enable RBAC along with LDAP.

Airflow ships with a set of roles by default: Admin, User, Op, Viewer, and Public. Only Admin users can configure or alter the permissions of other roles, but it is not recommended that Admin users alter these default roles in any way by removing or adding permissions.

This blog post shows how the steps are done.

In the AIRFLOW_HOME directory:

  1. modify airflow.cfg:
    • comment out the existing LDAP configuration
    • comment out 'authentication = True'
    • set 'rbac = True'

It's worth noting that there are some deprecated items in the [webserver] section in the latest version.

  2. create a webserver_config.py file in the AIRFLOW_HOME directory with the configuration below.

  3. truncate the ab_user & ab_user_role tables in your meta database

  4. restart airflow-webserver

  5. update AUTH_USER_REGISTRATION_ROLE = "Viewer" in webserver_config.py

  6. restart airflow-webserver again; now any new user login will be treated as a viewer, and you can log in as admin to change their role accordingly.

  7. Ensure python-ldap is installed: pip install python-ldap. In case of errors, follow this thread.

webserver_config.py:

import os
from airflow import configuration as conf
from flask_appbuilder.security.manager import AUTH_LDAP

basedir = os.path.abspath(os.path.dirname(__file__))

# Reuse the metadata database Airflow is already configured with
SQLALCHEMY_DATABASE_URI = conf.get('core', 'SQL_ALCHEMY_CONN')

CSRF_ENABLED = True

AUTH_TYPE = AUTH_LDAP

AUTH_ROLE_ADMIN = 'Admin'
# Create an Airflow user automatically on the first successful LDAP login
AUTH_USER_REGISTRATION = True

# First pass: "Admin", so the first LDAP login becomes an admin.
# Switch to "Viewer" right after that login, so every later
# self-registered user starts read-only.
AUTH_USER_REGISTRATION_ROLE = "Admin"
# AUTH_USER_REGISTRATION_ROLE = "Viewer"

# $ldap and $root_CA are placeholders for your directory host and CA certificate
AUTH_LDAP_SERVER = 'ldaps://$ldap:636/'
AUTH_LDAP_SEARCH = "DC=domain,DC=organization,DC=com"
AUTH_LDAP_BIND_USER = 'CN=bind-user,OU=serviceAccounts,DC=domain,DC=organization,DC=com'
AUTH_LDAP_BIND_PASSWORD = '**************'
AUTH_LDAP_UID_FIELD = 'sAMAccountName'
# ldaps:// is already encrypted; AUTH_LDAP_USE_TLS only enables STARTTLS on a plain ldap:// connection
AUTH_LDAP_USE_TLS = False
AUTH_LDAP_ALLOW_SELF_SIGNED = False
AUTH_LDAP_TLS_CACERTFILE = '/etc/pki/ca-trust/source/anchors/$root_CA.crt'
Nguyen Van Duc
  • thank you for a such detailed instruction, I'll check it today – fevgenym Feb 04 '20 at 08:08
  • Is it possible to configure AUTH_USER_REGISTRATION_ROLE from LDAP groups? I don't want to hardcode the registration role in webserver_config.py. Please let me know if there is any way to map it to LDAP. – Nitesh Saxena Oct 08 '20 at 19:23
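The answer's config file is dangerous in the window between the first login and the edit to "Viewer": while AUTH_USER_REGISTRATION_ROLE is "Admin", every directory user who can authenticate becomes an Airflow admin. The following is an added example, not code from the question, the answer or Airflow itself. It reads a webserver_config.py with the standard-library ast module (the file is parsed, never imported, so the bind password is never evaluated) and flags the settings a reviewer would reject: registering new users as Admin, a privileged anonymous role, a cleartext ldap:// server without STARTTLS, accepting self-signed certificates, a bind password stored as a literal, and CSRF turned off. The two sample configs embedded in the block are constructed for the example; hostnames, group DNs and the AIRFLOW_LDAP_BIND_PASSWORD environment variable are assumptions. The hardened sample also shows the Flask-AppBuilder settings that answer the two follow-up questions on this page: AUTH_ROLE_PUBLIC = "Viewer" gives unauthenticated visitors read-only access, and AUTH_ROLES_MAPPING with AUTH_LDAP_GROUP_FIELD and AUTH_ROLES_SYNC_AT_LOGIN derives roles from LDAP group membership instead of a hard-coded registration role (these keys need a Flask-AppBuilder release that supports role mapping; check the version installed with your Airflow).

```python
"""Static audit of an Airflow webserver_config.py for weak LDAP/RBAC settings.

Added example, not code from the question or the answer. The config file is
parsed with ``ast`` and never executed, so a literal bind password is detected
without being loaded into the process.
"""
import ast
from typing import Any, Dict, List

# Constructed sample: the shape of the answer's first-pass config, with the
# settings that should not survive into production.
WEAK_CONFIG = '''
from flask_appbuilder.security.manager import AUTH_LDAP
AUTH_TYPE = AUTH_LDAP
CSRF_ENABLED = True
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
AUTH_LDAP_SERVER = "ldap://ldap.example.internal:389/"
AUTH_LDAP_BIND_PASSWORD = "hunter2"
AUTH_LDAP_USE_TLS = False
AUTH_LDAP_ALLOW_SELF_SIGNED = True
'''

# Constructed sample: hardened equivalent. Host, DNs and the environment
# variable name are assumptions for the example.
HARDENED_CONFIG = '''
import os
from flask_appbuilder.security.manager import AUTH_LDAP
AUTH_TYPE = AUTH_LDAP
CSRF_ENABLED = True
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Viewer"    # new LDAP logins start read-only
AUTH_ROLE_PUBLIC = "Viewer"                # anonymous visitors are read-only
AUTH_LDAP_SERVER = "ldaps://ldap.example.internal:636/"
AUTH_LDAP_BIND_PASSWORD = os.environ["AIRFLOW_LDAP_BIND_PASSWORD"]
AUTH_LDAP_USE_TLS = False                  # ldaps:// already encrypts; no STARTTLS
AUTH_LDAP_ALLOW_SELF_SIGNED = False
AUTH_LDAP_TLS_CACERTFILE = "/etc/pki/ca-trust/source/anchors/root-ca.crt"
AUTH_LDAP_GROUP_FIELD = "memberOf"
AUTH_ROLES_SYNC_AT_LOGIN = True
AUTH_ROLES_MAPPING = {
    "CN=airflow-admins,OU=groups,DC=example,DC=internal": ["Admin"],
    "CN=airflow-ops,OU=groups,DC=example,DC=internal": ["Op"],
}
'''

# Marker for values that are computed at runtime (os.environ[...], a Name such
# as AUTH_LDAP) rather than written as a literal in the file.
RUNTIME_VALUE = "<expr>"


def load_settings(source: str) -> Dict[str, Any]:
    """Collect top-level NAME = value assignments without executing the file."""
    settings: Dict[str, Any] = {}
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        try:
            value = ast.literal_eval(node.value)   # only literals succeed
        except ValueError:
            value = RUNTIME_VALUE
        settings[node.targets[0].id] = value
    return settings


def audit(settings: Dict[str, Any]) -> List[str]:
    """Return the names of the weak settings found, in a fixed order."""
    findings: List[str] = []
    if settings.get("AUTH_USER_REGISTRATION") and \
            settings.get("AUTH_USER_REGISTRATION_ROLE") == "Admin":
        findings.append("registration-role-admin")   # every LDAP user becomes Admin
    if settings.get("AUTH_ROLE_PUBLIC") in ("Admin", "Op", "User"):
        findings.append("public-role-privileged")    # anonymous users can act, not just view
    server = str(settings.get("AUTH_LDAP_SERVER", ""))
    if server.startswith("ldap://") and not settings.get("AUTH_LDAP_USE_TLS"):
        findings.append("ldap-cleartext")            # bind password crosses the wire in clear
    if settings.get("AUTH_LDAP_ALLOW_SELF_SIGNED"):
        findings.append("self-signed-accepted")      # server certificate is not pinned to a CA
    password = settings.get("AUTH_LDAP_BIND_PASSWORD")
    if isinstance(password, str) and password != RUNTIME_VALUE:
        findings.append("bind-password-literal")     # secret lives in a file under AIRFLOW_HOME
    if settings.get("CSRF_ENABLED") is False:
        findings.append("csrf-disabled")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a real webserver_config.py on disk."""
    with open(path, encoding="utf-8") as handle:
        return audit(load_settings(handle.read()))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(load_settings(text)))
```

Run it against your own file with audit_file("/path/to/AIRFLOW_HOME/webserver_config.py"); an empty list is the state to reach before the second webserver restart. Because registration is keyed on the first login, do that login yourself immediately after the first restart, flip the registration role to "Viewer", and only then announce the new login to other users.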