You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@airflow.apache.org by Gabriel Silk <gs...@dropbox.com.INVALID> on 2018/08/08 21:31:44 UTC

Custom authentication with RBAC

Hello Airflow devs,

It seems that it is not possible to use a custom auth backend with the new
RBAC web server, like it was with the old.

In the old webserver, you could simple set "webserver.auth_backend" to a
classname and implement any logic you like.

The absence of this feature is a blocker for adapting RBAC.

Is there any easy fix for this? Is it possible to extend FAB in a similar
way?

Thanks!

Re: Custom authentication with RBAC

Posted by Ravi Kotecha <ko...@gmail.com>.

Hi Gabriel,

We have extended the auth backend for FAB to support OpenIDConnect here:
https://github.com/ministryofjustice/fab-oidc
and you can see how to configure it in our helm chart
<https://github.com/ministryofjustice/analytics-platform-helm-charts/blob/master/charts/airflow-k8s/templates/configmap.yml#L338>
.
What auth scheme are you using? Maybe we can upstream the most common ones?

On Wed, Aug 8, 2018 at 10:31 PM Gabriel Silk <gs...@dropbox.com.invalid>
wrote:

> Hello Airflow devs,
>
> It seems that it is not possible to use a custom auth backend with the new
> RBAC web server, like it was with the old.
>
> In the old webserver, you could simple set "webserver.auth_backend" to a
> classname and implement any logic you like.
>
> The absence of this feature is a blocker for adapting RBAC.
>
> Is there any easy fix for this? Is it possible to extend FAB in a similar
> way?
>
> Thanks!
>

Re: Custom authentication with RBAC

Posted by Maxime Beauchemin <ma...@gmail.com>.

You can define your own AirflowSecurityManager based on FAB's
SecurityManager
http://flask-appbuilder.readthedocs.io/en/latest/security.html docs.

We should publish docs on how to do this.

Max

On Wed, Aug 8, 2018 at 2:31 PM Gabriel Silk <gs...@dropbox.com.invalid>
wrote:

> Hello Airflow devs,
>
> It seems that it is not possible to use a custom auth backend with the new
> RBAC web server, like it was with the old.
>
> In the old webserver, you could simple set "webserver.auth_backend" to a
> classname and implement any logic you like.
>
> The absence of this feature is a blocker for adapting RBAC.
>
> Is there any easy fix for this? Is it possible to extend FAB in a similar
> way?
>
> Thanks!
>