You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/06/14 07:42:18 UTC

[GitHub] [airflow] msolano00 opened a new issue #16398: Enhance impersonation on Restful API

msolano00 opened a new issue #16398:
URL: https://github.com/apache/airflow/issues/16398


   **Description**
   I would like one parameter in the REST API configuration object (we can reuse the existing `run_as_user` maybe) to allow me trigger a DAG as an authenticated as long as this "superuser" has a role/policy that allows to impersonate other users. 
   
   **Use case / motivation**
   I want to build a task system that submits tasks to Airflow (along with other tools we use, in a SSO way). Users will be authenticated previously when logging to this tasks system and should be able to trigger DAGs. This DAGs have to run AS the user. WEBHDFS (Apache HDFS restful api) achieves something [similar](https://hadoop.apache.org/docs/r1.0.4/webhdfs.html#ProxyUsers).
   
   **Are you willing to submit a PR?**
   I would indeed! It might just take some time since I am fairly new to Airflow
   
   **Related Issues**
   Yes: https://github.com/apache/airflow/issues/982
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] boring-cyborg[bot] commented on issue #16398: Enhance impersonation on Restful API

Posted by GitBox <gi...@apache.org>.

boring-cyborg[bot] commented on issue #16398:
URL: https://github.com/apache/airflow/issues/16398#issuecomment-859706875


   Thanks for opening your first issue here! Be sure to follow the issue template!
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] msolano00 edited a comment on issue #16398: Enhance impersonation on Restful API

Posted by GitBox <gi...@apache.org>.

msolano00 edited a comment on issue #16398:
URL: https://github.com/apache/airflow/issues/16398#issuecomment-905896893


   @ashb Hi, thanks you for reply and sorry for the late response, got pulled into something at work.
   
   Yes, exactly that is the behavior. Have a property that allows authenticated users (like a service account) to run jobs as other users. 
   
   `So first step on this: we need to come up with a design for letting some properties of the dag be overridden based on the DagRun.`
   
   I will take a look into the core modules of airflow and reply back here once I have a better understanding of how it is being setup.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] ashb commented on issue #16398: Enhance impersonation on Restful API

Posted by GitBox <gi...@apache.org>.

ashb commented on issue #16398:
URL: https://github.com/apache/airflow/issues/16398#issuecomment-875489732


   Do you want the run_as_user value of the dag to change based on which user submits the trigger DAG API call?
   
   That is not currently possible at all, so this is a bigger feature request than you might realise -- the run_as_user and all other task properties for a DAG come from the python file, and the python file only, so there's no real mechansim to control this.
   
   So first step on this: we need to come up with a design for letting some properties of the dag be overridden based on the DagRun.
   
   We have `dagrun.conf` already, which is one possible way, but that is only accessible to DAGs via template (i.e. `{{
   dag_run.conf.some_param }}`) which only applies to some fields.
   
   🤔 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] msolano00 commented on issue #16398: Enhance impersonation on Restful API

Posted by GitBox <gi...@apache.org>.

msolano00 commented on issue #16398:
URL: https://github.com/apache/airflow/issues/16398#issuecomment-905896893


   @ashb Hi, thanks you for reply!
   
   Yes, exactly that is the behavior. Have a property that allows authenticated users (like a service account) to run jobs as other users.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org