Posted to commits@airflow.apache.org by "Chris Riccomini (JIRA)" <ji...@apache.org> on 2016/05/09 22:39:12 UTC

[jira] [Commented] (AIRFLOW-85) Create a viewer/editor roles for UI

    [ https://issues.apache.org/jira/browse/AIRFLOW-85?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15277214#comment-15277214 ] 

Chris Riccomini commented on AIRFLOW-85:
----------------------------------------

Initial idea is to create a {{/dags}} view parallel to {{/admin}}. The {{/dags}} view would have just the DAGs tab. The tab would filter the list to only show DAGs that the user is associated with. I think this would require a few things:

# A `viewer` role.
# An `editor` role.
# Some way to map viewers and editors to DAGs.
# Some way to map users to the viewer/editor role.

For (4), the idea of using [Flask principals|http://pythonhosted.org/Flask-Principal/] was thrown around. This seems logical to me.

For (3), I'm not quite sure what to do here. Does Flask principals provide some group management implementation? It seems ideal to manage this stuff from LDAP.

> Create a viewer/editor roles for UI
> -----------------------------------
>
>                 Key: AIRFLOW-85
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-85
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security, ui
>            Reporter: Chris Riccomini
>
> Airflow currently provides only an {{/admin}} UI interface for the webapp. This UI provides three distinct roles:
> * Admin
> * Data profiler
> * None
> In addition, Airflow currently provides the ability to log in, either via a secure proxy front-end, or via LDAP/Kerberos, within the webapp.
> We run Airflow with LDAP authentication enabled. This helps us control access to the UI. However, there is insufficient granularity within the UI. We would like to be able to grant users the ability to:
> # View their DAGs, but no one else's.
> # Control their DAGs, but no one else's.
> This is not possible right now. You can take away the ability to access the connections and data profiling tabs, but users can still see all DAGs, as well as control the state of the DB by clearing any DAG status, etc.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
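
One way the four pieces listed in the comment could fit together, as an added example that is not Airflow's code and not taken from the thread. It assumes group names are resolved from LDAP at login and that each DAG carries a group-to-role mapping; `User`, `DagAcl`, `ACLS` and the DAG and group names are hypothetical.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Role(IntEnum):
    VIEWER = 1  # may see the DAG
    EDITOR = 2  # may also control it; implies VIEWER

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # assumed: group names resolved from LDAP at login
    is_admin: bool = False

@dataclass
class DagAcl:
    """Group name -> Role for one DAG; unlisted groups get nothing."""
    grants: dict = field(default_factory=dict)

    def role_for(self, user):
        roles = [r for g, r in self.grants.items() if g in user.groups]
        return max(roles, default=None)

# Constructed sample data: DAG ids and group names are hypothetical.
ACLS = {
    "etl_sales": DagAcl({"sales-eng": Role.EDITOR, "sales-analysts": Role.VIEWER}),
    "etl_billing": DagAcl({"billing-eng": Role.EDITOR}),
    "orphan_dag": DagAcl(),  # no grants: admins only
}

def allowed(user, dag_id, needed):
    """Deny by default: unknown DAG or no matching group means no access."""
    acl = ACLS.get(dag_id)
    if acl is None:
        return False
    if user.is_admin:
        return True
    role = acl.role_for(user)
    return role is not None and role >= needed

def visible_dags(user):
    """The list a filtered /dags view would show for this user."""
    return sorted(d for d in ACLS if allowed(user, d, Role.VIEWER))

def clear_dag_state(user, dag_id):
    """State changes re-check on the server; hiding a button is not enough."""
    if not allowed(user, dag_id, Role.EDITOR):
        raise PermissionError(f"{user.name} may not modify {dag_id}")
    return f"cleared {dag_id}"
```

The same `allowed` check backs both the list filter and the state-changing action, so a viewer who guesses a DAG id still cannot clear its status.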