• Home
• Core Concepts
• Auth manager
• Simple auth manager

↑↓ Navigate ⏎ Select Esc Close

Simple auth manager

Note

The Simple auth manager is intended for development and testing. If you’re using it in production, ensure that access is controlled through other means.

The simple auth manager is the auth manager that comes by default in Airflow 3. As its name suggests, the logic and implementation of the simple auth manager is simple.

• Generate JWT token with simple auth manager
• Simple auth manager token API

Manage users

Users are managed through the Airflow configuration. Example:

[core]
simple_auth_manager_users = "bob:admin,peter:viewer"

The list of users are separated with a comma and each user is a couple username/role separated by a colon. Each user needs two pieces of information:

• username. The user’s username

• role. The role associated to the user. For more information about these roles, see next section.

In the example above, two users are defined:

• bob whose role is admin

• peter whose role is viewer

The password is auto-generated for each user and printed out in the webserver logs. When generated, these passwords are saved in a file configured in core.simple_auth_manager_passwords_file. By default, this file is $AIRFLOW_HOME/simple_auth_manager_passwords.json.generated, you can read and update them directly in the file as well if desired.

Note

With Breeze, two users are predefined: admin and viewer (password is the same as the username). admin has all permissions. viewer has read-only permissions.

Manage roles and permissions

There is no option to manage roles and permissions in simple auth manager. They are defined as part of the simple auth manager implementation and cannot be modified. Here is the list of roles defined in simple auth manager. These roles can be associated to users.

• viewer. Read-only permissions on Dags, assets and pools

• user. viewer permissions plus all permissions (edit, create, delete) on Dags

• op. user permissions plus all permissions on pools, assets, config, connections and variables

• admin. All permissions

Multi-team

When multi-team mode is enabled, users can be associated with one or more teams. Teams provide resource isolation, allowing users to only access resources (DAGs, connections, variables, pools) that belong to their teams.

To enable multi-team mode:

[core]
multi_team = True

Once enabled, you can assign teams to users by adding a third parameter separated by a colon. Multiple teams are separated by a pipe (|) character:

[core]
multi_team = True
simple_auth_manager_users = "bob:admin:team1|team2,peter:viewer:team1,alice:op:team2"

In this example:

• bob is an admin with access to both team1 and team2 resources

• peter is a viewer with access to team1 resources only

• alice is an op with access to team2 resources only

Note

When a user is associated with teams, they can only access resources (DAGs, connections, variables, pools) that are explicitly assigned to one of their teams. Resources without a team assignment (global resources) are accessible to everyone, including users with team restrictions.

Note

Admin role grants the user access to all resources across all teams. You can still associate an admin user to teams but it will have no effect.

Optional features

Disable authentication and allow everyone as admin

This option allow you to disable authentication and allow everyone as admin. As a consequence, whoever access the Airflow UI is automatically logged in as an admin with all permissions.

you can enable this feature through the config. Example:

[core]
simple_auth_manager_all_admins = "True"

Previous Next

Was this entry helpful?