You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@airflow.apache.org by Gabriel Silk <gs...@dropbox.com.INVALID> on 2018/08/08 21:31:44 UTC
Custom authentication with RBAC
Hello Airflow devs,
It seems that it is not possible to use a custom auth backend with the new
RBAC web server, like it was with the old.
In the old webserver, you could simple set "webserver.auth_backend" to a
classname and implement any logic you like.
The absence of this feature is a blocker for adapting RBAC.
Is there any easy fix for this? Is it possible to extend FAB in a similar
way?
Thanks!
Re: Custom authentication with RBAC
Posted by Ravi Kotecha <ko...@gmail.com>.
Hi Gabriel,
We have extended the auth backend for FAB to support OpenIDConnect here:
https://github.com/ministryofjustice/fab-oidc
and you can see how to configure it in our helm chart
<https://github.com/ministryofjustice/analytics-platform-helm-charts/blob/master/charts/airflow-k8s/templates/configmap.yml#L338>
.
What auth scheme are you using? Maybe we can upstream the most common ones?
On Wed, Aug 8, 2018 at 10:31 PM Gabriel Silk <gs...@dropbox.com.invalid>
wrote:
> Hello Airflow devs,
>
> It seems that it is not possible to use a custom auth backend with the new
> RBAC web server, like it was with the old.
>
> In the old webserver, you could simple set "webserver.auth_backend" to a
> classname and implement any logic you like.
>
> The absence of this feature is a blocker for adapting RBAC.
>
> Is there any easy fix for this? Is it possible to extend FAB in a similar
> way?
>
> Thanks!
>
Re: Custom authentication with RBAC
Posted by Maxime Beauchemin <ma...@gmail.com>.
You can define your own AirflowSecurityManager based on FAB's
SecurityManager
http://flask-appbuilder.readthedocs.io/en/latest/security.html docs.
We should publish docs on how to do this.
Max
On Wed, Aug 8, 2018 at 2:31 PM Gabriel Silk <gs...@dropbox.com.invalid>
wrote:
> Hello Airflow devs,
>
> It seems that it is not possible to use a custom auth backend with the new
> RBAC web server, like it was with the old.
>
> In the old webserver, you could simple set "webserver.auth_backend" to a
> classname and implement any logic you like.
>
> The absence of this feature is a blocker for adapting RBAC.
>
> Is there any easy fix for this? Is it possible to extend FAB in a similar
> way?
>
> Thanks!
>