FAB auth manager authentication
By default, FAB auth manager requires users to specify a password prior to login. You can use the following CLI commands to create an account:
# create an admin user
airflow users create \
    --username admin \
    --firstname Peter \
    --lastname Parker \
    --role Admin \
    --email spiderman@superhero.org
To deactivate authentication and allow users to be identified as Anonymous, the following entry in $AIRFLOW_HOME/webserver_config.py needs to be set with the desired role that the Anonymous user will have by default:
AUTH_ROLE_PUBLIC = 'Admin'
Note
Airflow uses the config parser of Python. This config parser interpolates ‘%’-signs. Make sure to escape any % signs in your config file (but not environment variables) as %%, otherwise Airflow might leak these passwords on a config parser exception to a log.
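The leak described in the note, reproduced with Python's standard configparser as an added example (not code from the Airflow project). The section names, option names and password in the sample are constructed, and escape_percent, find_unescaped and leaked_text are hypothetical helper names.

```python
import configparser

# Constructed sample config: section names, option names and values are made up.
SAMPLE_CFG = """
[smtp]
smtp_user = airflow
smtp_password = S3cr%tPass
[database]
conn_password = 100%%safe
"""

def escape_percent(value: str) -> str:
    """Escape a literal value for the config file: every '%' becomes '%%'."""
    return value.replace("%", "%%")

def find_unescaped(cfg_text: str) -> list:
    """Return (section, option) pairs whose value fails interpolation.

    Only names are reported, never the value or the exception text,
    because the exception message contains part of the raw value.
    """
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    bad = []
    for section in parser.sections():
        for option in parser.options(section):
            try:
                parser.get(section, option)
            except configparser.InterpolationError:
                bad.append((section, option))
    return bad

def leaked_text(cfg_text: str, section: str, option: str) -> str:
    """Return the exception message a careless handler would write to a log."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    try:
        parser.get(section, option)
    except configparser.InterpolationError as exc:
        return str(exc)
    return ""

if __name__ == "__main__":
    print(find_unescaped(SAMPLE_CFG))
    print(leaked_text(SAMPLE_CFG, "smtp", "smtp_password"))
```

The exception text carries the value from the first unescaped % onward, which is why the check reports only section and option names.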
Password
One of the simplest mechanisms for authentication is requiring users to specify a password before logging in.
Please use the command line interface airflow users create to create accounts, or do that in the UI.
Other Methods
A webserver_config.py configuration file is automatically generated and can be used to configure FAB auth manager to support authentication methods like OAuth, OpenID, LDAP and REMOTE_USER. Due to limitations of Flask AppBuilder and Authlib, some OAuth2 providers may not be supported. Currently supported providers include github, githublocal, twitter, linkedin, google, azure, openshift, okta, auth0, keycloak, keycloak_before_17 and authentik.
If your provider is not on the list, you may need to adjust the remote_app configuration to match your provider’s OAuth2 specification.
By default, the following entry in $AIRFLOW_HOME/webserver_config.py is used:
AUTH_TYPE = AUTH_DB
A WSGI middleware could be used to manage very specific forms of authentication (e.g. SPNEGO) and leverage the REMOTE_USER method:
from typing import Any, Callable

from flask import current_app
from flask_appbuilder.const import AUTH_REMOTE_USER


class CustomMiddleware:
    def __init__(self, wsgi_app: Callable) -> None:
        self.wsgi_app = wsgi_app

    def __call__(self, environ: dict, start_response: Callable) -> Any:
        # Custom authenticating logic here
        # ...
        environ["REMOTE_USER"] = "username"
        return self.wsgi_app(environ, start_response)


current_app.wsgi_app = CustomMiddleware(current_app.wsgi_app)

AUTH_TYPE = AUTH_REMOTE_USER
Another way to create users is in the UI login page, allowing user self registration through a “Register” button. The following entries in $AIRFLOW_HOME/webserver_config.py can be edited to make it possible:
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Desired Role For The Self Registered User"
RECAPTCHA_PRIVATE_KEY = 'private_key'
RECAPTCHA_PUBLIC_KEY = 'public_key'
MAIL_SERVER = 'smtp.gmail.com'
MAIL_USE_TLS = True
MAIL_USERNAME = 'yourappemail@gmail.com'
MAIL_PASSWORD = 'passwordformail'
MAIL_DEFAULT_SENDER = 'sender@gmail.com'
The package Flask-Mail needs to be installed through pip to allow user self registration since it is a feature provided by the framework Flask-AppBuilder.
To support authentication through a third-party provider, the AUTH_TYPE entry needs to be updated with the desired option, such as OAuth, OpenID or LDAP, and the lines with references for the chosen option need to have the comments removed and be configured in $AIRFLOW_HOME/webserver_config.py.
For more details, please refer to the Security section of the FAB documentation.