You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@airflow.apache.org by Chris McLennon <mc...@indeed.com.INVALID> on 2019/07/25 19:15:37 UTC

dev@airflow.apache.org

I'm in favor of keeping it to help further development around group
permissions.

Where I work, we run a multitenant Airflow shared by several teams, and we
make generous use of the owner field as a way to group dags together by
development team. I've implemented a custom Flask-AppBuilder
SecurityManager that syncs LDAP to Owner for permissions, which is much
more convenient than managing on a per-dag basis.

Owner could be a useful field in the future to help define other group
security permissions. For instance, it could be handy to specify which
owners have permission to use which Connection objects.

On 2019/06/26 10:06:50, Deng Xiaodong <x....@gmail.com> wrote:
> Sure thing :) Please refer to>
>
https://airflow.readthedocs.io/en/1.10.3post1/security.html?highlight=filter_by_owner#multi-tenancy>

>
>
> I didn’t use this feature myself though.>
>
>
> XD>
>
> On Wed, Jun 26, 2019 at 18:00 airflowuser>
> <ai...@protonmail.com.invalid> wrote:>
>
> > If I may ask...>
> > in the Old UI how do you filter DAGs by owner?>
> > I'm running 1.10.3 and in the Search bar it searches only DAG it
doesn't>
> > search by owner.>
> >>
> >>
> > Sent with ProtonMail Secure Email.>
> >>
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐>
> > On Wednesday, June 26, 2019 12:27 PM, Deng Xiaodong <xd...@gmail.com>>
> > wrote:>
> >>
> > > Hi folks,>
> > >>
> > > In DAG Model, we have "owner" field. In earlier Flask-Admin based UI>
> > (which>
> > > is already removed in master branch), it was used by
"filter_by_user">
> > > config item in [webserver] section to help control access. But now
seems>
> > > it's not used anywhere already (correct me if I'm wrong).>
> > >>
> > > I would like to understand from the community: shall we remove this>
> > field?>
> > > Or there can be other usage on this field?>
> > >>
> > > One use case I have in mind is to use "owner" to enhance DAG-level
access>
> > > control. Currently the DAG-level access control is implemented by>
> > creating>
> > > a new permission for each DAG, which may be "tedious" to manage if
there>
> > > are many DAGs. We may use "owner" to group DAGs, so we can create
new>
> > > permission for each "owner" rather than creating new permission for
each>
> > > single DAG.>
> > >>
> > > Please share your thoughts. Thanks.>
> > >>
> > > Best regards,>
> > >>
> > > XD>
> >>
> >>
> >>
>