Re: Airflow user management

[Thomas Weise <th...@apache.org>]

I was able to set a password from the command line, now I can login with
the user that was created through the UI.

Filtering by owner doesn't work though. I confirmed that the user also has
superuser = False, but still it can see DAGs of other users.

Any suggestions what to look for?

I tried to put some debug statements into www/views.py but they don't see
to take effect. How do I rebuild the installation (under
/usr/local/lib/python2.7/dist-packages/airflow) after making changes?

Thanks


On Fri, Mar 31, 2017 at 3:10 PM, Thomas Weise <th...@apache.org> wrote:

> Hi,
>
> I would like to create a few users that only can see their respective DAGs
> and have no global access like user administration.
> I have enabled password authentication and created the initial user as
> instructed here:
>
> https://airflow.incubator.apache.org/security.html?
> highlight=multi%20tenancy#web-authentication
>
> My airflow.cfg has the following settings:
>
> # Set to true to turn on authentication:
>
> # http://pythonhosted.org/airflow/security.html#web-authentication
>
> authenticate = True
>
> auth_backend = airflow.contrib.auth.backends.password_auth
>
> # Filter the list of dags by owner name (requires authentication to be
> enabled)
>
> filter_by_owner = True
>
> The (admin?) user that I created will after login see all DAGs (even
> though filtering was enabled) and is able to create other users. However,
> while creating new users through the UI, there seems to be no way to
> specify a password?
>
> Thanks,
>
> Thomas
>
>
>

Re: Airflow user management

[Thomas Weise <th...@apache.org>]

Hi,

I finally found that with username/password authentication, the superuser
setting in the database is ignored and everyone is a superuser...  See diff
below after which the filtering behaves as expected.

Thanks


*diff --git a/airflow/contrib/auth/backends/password_auth.py
b/airflow/contrib/auth/backends/password_auth.py*

*index 000b9861..7fe00197 100644*

*--- a/airflow/contrib/auth/backends/password_auth.py*

*+++ b/airflow/contrib/auth/backends/password_auth.py*

@@ -89,7 +89,7 @@ class PasswordUser(models.User):



     def is_superuser(self):

         '''Access all the things'''

-        return True

+        return False


On Mon, Apr 3, 2017 at 5:42 PM, Thomas Weise <th...@apache.org> wrote:

> I was able to set a password from the command line, now I can login with
> the user that was created through the UI.
>
> Filtering by owner doesn't work though. I confirmed that the user also has
> superuser = False, but still it can see DAGs of other users.
>
> Any suggestions what to look for?
>
> I tried to put some debug statements into www/views.py but they don't see
> to take effect. How do I rebuild the installation (under
> /usr/local/lib/python2.7/dist-packages/airflow) after making changes?
>
> Thanks
>
>
> On Fri, Mar 31, 2017 at 3:10 PM, Thomas Weise <th...@apache.org> wrote:
>
>> Hi,
>>
>> I would like to create a few users that only can see their respective
>> DAGs and have no global access like user administration.
>> I have enabled password authentication and created the initial user as
>> instructed here:
>>
>> https://airflow.incubator.apache.org/security.html?highlight
>> =multi%20tenancy#web-authentication
>>
>> My airflow.cfg has the following settings:
>>
>> # Set to true to turn on authentication:
>>
>> # http://pythonhosted.org/airflow/security.html#web-authentication
>>
>> authenticate = True
>>
>> auth_backend = airflow.contrib.auth.backends.password_auth
>>
>> # Filter the list of dags by owner name (requires authentication to be
>> enabled)
>>
>> filter_by_owner = True
>>
>> The (admin?) user that I created will after login see all DAGs (even
>> though filtering was enabled) and is able to create other users. However,
>> while creating new users through the UI, there seems to be no way to
>> specify a password?
>>
>> Thanks,
>>
>> Thomas
>>
>>
>>
>