Airflow Summit 2025 is coming October 07-09. Register now for early bird ticket!

Deprecation Notice for airflow.security.permissions

Since the release of Airflow 3, the Flask AppBuilder (AKA “FAB”) provider is no longer a core Airflow dependency. However, some modules specifically designed for Flask AppBuilder (FAB) auth manager remain in the core Airflow distribution as a backwards-compatible convenience for Airflow users. One such module which remains in the core distribution for backwards compatibility purposes is airflow.security.permissions

If your deployment depends on airflow.security.permissions for any custom role definitions, or for any custom Auth Manager logic – regardless of whether you use the FAB Auth Manager or some other Auth Manager – you should transition to the new authorization standard definitions for resources and actions. The deprecated airflow.security.permissions will be removed in Airflow 4.

Does this Deprecation Affect My Airflow System?

Generally speaking, this deprecation warning applies to any Airflow system in which either of the following is true:

  • The Airflow deployment relies on airflow.security.permissions to define custom RBAC roles.

  • The Airflow deployment has other custom logic which relies on airflow.security.permissions, including any custom Auth manager dependencies.

However, if you rely on the unmodified Flask AppBuilder (FAB) auth manager and you do not use any custom role definitions, then the rest of this doc does not apply to you. Similarly, if you rely on the Simple auth manager or any of the other provider Auth Managers, and have no custom code using airflow.security.permissions, then the rest of this doc does not apply to you.

Note

Each customized Airflow RBAC setup differs on a case-by-case basis. As such, this doc can only provide general guidance for the transition to the new Airflow authorization standards, without being overly prescriptive.

How to Migrate to the New Authorization Standard Definitions

Refer to the list below for the deprecated permissions module components, and the corresponding supported replacement available from Airflow core:

  • airflow.security.permissions.ACTION_* –> airflow.api_fastapi.auth.managers.base_auth_manager.ResourceMethod

  • airflow.security.permissions.RESOURCE_* –> airflow.api_fastapi.auth.managers.models.resource_details

  • DAG.access_control –> DAG-level permissions should be handled by the chosen Auth Manager’s filter_authorized_dag_ids method.

If you maintain a custom Auth manager which relies on the deprecated module, it is recommended you refer to the SimpleAuthManager’s source code as an example for how you might use the ResourceMethod and resource_details components.

If you rely on custom role definitions based off the deprecated module, you should refer to the documentation of the auth manager your system uses.

Was this entry helpful?