| |
| |
| |
| |
| <!DOCTYPE html> |
| <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]--> |
| <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]--> |
| <head> |
| <meta charset="utf-8"> |
| |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| |
| <title>Security — Airflow Documentation</title> |
| |
| |
| |
| |
| |
| |
| |
| |
| <script type="text/javascript" src="_static/js/modernizr.min.js"></script> |
| |
| |
| <script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script> |
| <script type="text/javascript" src="_static/jquery.js"></script> |
| <script type="text/javascript" src="_static/underscore.js"></script> |
| <script type="text/javascript" src="_static/doctools.js"></script> |
| <script type="text/javascript" src="_static/language_data.js"></script> |
| |
| <script type="text/javascript" src="_static/js/theme.js"></script> |
| |
| |
| |
| |
| <link rel="stylesheet" href="_static/css/theme.css" type="text/css" /> |
| <link rel="stylesheet" href="_static/pygments.css" type="text/css" /> |
| <link rel="index" title="Index" href="genindex.html" /> |
| <link rel="search" title="Search" href="search.html" /> |
| <link rel="next" title="Time zones" href="timezone.html" /> |
| <link rel="prev" title="Plugins" href="plugins.html" /> |
| |
| <script> |
| document.addEventListener('DOMContentLoaded', function() { |
| var el = document.getElementById('changelog'); |
| if (el !== null ) { |
| // [AIRFLOW-...] |
| el.innerHTML = el.innerHTML.replace( |
| /\[(AIRFLOW-[\d]+)\]/g, |
| `<a href="https://issues.apache.org/jira/browse/$1">[$1]</a>` |
| ); |
| // (#...) |
| el.innerHTML = el.innerHTML.replace( |
| /\(#([\d]+)\)/g, |
| `<a href="https://github.com/apache/airflow/pull/$1">(#$1)</a>` |
| ); |
| }; |
| }) |
| </script> |
| <style> |
| .example-header { |
| position: relative; |
| background: #9AAA7A; |
| padding: 8px 16px; |
| margin-bottom: 0; |
| } |
| .example-header--with-button { |
| padding-right: 166px; |
| } |
| .example-header:after{ |
| content: ''; |
| display: table; |
| clear: both; |
| } |
| .example-title { |
| display:block; |
| padding: 4px; |
| margin-right: 16px; |
| color: white; |
| overflow-x: auto; |
| } |
| .example-header-button { |
| top: 8px; |
| right: 16px; |
| position: absolute; |
| } |
| .example-header + .highlight-python { |
| margin-top: 0 !important; |
| } |
| .viewcode-button { |
| display: inline-block; |
| padding: 8px 16px; |
| border: 0; |
| margin: 0; |
| outline: 0; |
| border-radius: 2px; |
| -webkit-box-shadow: 0 3px 5px 0 rgba(0,0,0,.3); |
| box-shadow: 0 3px 6px 0 rgba(0,0,0,.3); |
| color: #404040; |
| background-color: #e7e7e7; |
| cursor: pointer; |
| font-size: 16px; |
| font-weight: 500; |
| line-height: 1; |
| text-decoration: none; |
| text-overflow: ellipsis; |
| overflow: hidden; |
| text-transform: uppercase; |
| -webkit-transition: background-color .2s; |
| transition: background-color .2s; |
| vertical-align: middle; |
| white-space: nowrap; |
| } |
| .viewcode-button:visited { |
| color: #404040; |
| } |
| .viewcode-button:hover, .viewcode-button:focus { |
| color: #404040; |
| background-color: #d6d6d6; |
| } |
| </style> |
| |
| <script type="application/javascript"> |
| window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date; |
| ga("create", "UA-140539454-1", "auto"); |
| ga("send", "pageview"); |
| </script> |
| <script async src="https://www.google-analytics.com/analytics.js"></script> |
| </head> |
| |
| |
| <body class="wy-body-for-nav"> |
| |
| |
| <div class="wy-grid-for-nav"> |
| |
| <nav data-toggle="wy-nav-shift" class="wy-nav-side"> |
| <div class="wy-side-scroll"> |
| <div class="wy-side-nav-search" > |
| |
| |
| |
| <a href="index.html" class="icon icon-home"> Airflow |
| |
| |
| |
| </a> |
| |
| |
| |
| |
| <div class="version"> |
| 1.10.4 |
| </div> |
| |
| |
| |
| |
| <div role="search"> |
| <form id="rtd-search-form" class="wy-form" action="search.html" method="get"> |
| <input type="text" name="q" placeholder="Search docs" /> |
| <input type="hidden" name="check_keywords" value="yes" /> |
| <input type="hidden" name="area" value="default" /> |
| </form> |
| </div> |
| |
| |
| </div> |
| |
| <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation"> |
| |
| |
| |
| |
| |
| |
| <ul class="current"> |
| <li class="toctree-l1"><a class="reference internal" href="project.html">Project</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="license.html">License</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="start.html">Quick Start</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="installation.html">Installation</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="tutorial.html">Tutorial</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="howto/index.html">How-to Guides</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="ui.html">UI / Screenshots</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="concepts.html">Concepts</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="profiling.html">Data Profiling</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="cli.html">Command Line Interface</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="scheduler.html">Scheduling & Triggers</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="plugins.html">Plugins</a></li> |
| <li class="toctree-l1 current"><a class="current reference internal" href="#">Security</a><ul> |
| <li class="toctree-l2"><a class="reference internal" href="#web-authentication">Web Authentication</a><ul> |
| <li class="toctree-l3"><a class="reference internal" href="#password">Password</a></li> |
| <li class="toctree-l3"><a class="reference internal" href="#ldap">LDAP</a></li> |
| <li class="toctree-l3"><a class="reference internal" href="#roll-your-own">Roll your own</a></li> |
| </ul> |
| </li> |
| <li class="toctree-l2"><a class="reference internal" href="#multi-tenancy">Multi-tenancy</a></li> |
| <li class="toctree-l2"><a class="reference internal" href="#kerberos">Kerberos</a><ul> |
| <li class="toctree-l3"><a class="reference internal" href="#limitations">Limitations</a></li> |
| <li class="toctree-l3"><a class="reference internal" href="#enabling-kerberos">Enabling kerberos</a><ul> |
| <li class="toctree-l4"><a class="reference internal" href="#airflow">Airflow</a></li> |
| <li class="toctree-l4"><a class="reference internal" href="#hadoop">Hadoop</a></li> |
| </ul> |
| </li> |
| <li class="toctree-l3"><a class="reference internal" href="#using-kerberos-authentication">Using kerberos authentication</a></li> |
| </ul> |
| </li> |
| <li class="toctree-l2"><a class="reference internal" href="#oauth-authentication">OAuth Authentication</a><ul> |
| <li class="toctree-l3"><a class="reference internal" href="#github-enterprise-ghe-authentication">GitHub Enterprise (GHE) Authentication</a><ul> |
| <li class="toctree-l4"><a class="reference internal" href="#setting-up-ghe-authentication">Setting up GHE Authentication</a></li> |
| <li class="toctree-l4"><a class="reference internal" href="#using-ghe-authentication-with-github-com">Using GHE Authentication with github.com</a></li> |
| </ul> |
| </li> |
| <li class="toctree-l3"><a class="reference internal" href="#google-authentication">Google Authentication</a><ul> |
| <li class="toctree-l4"><a class="reference internal" href="#setting-up-google-authentication">Setting up Google Authentication</a></li> |
| </ul> |
| </li> |
| </ul> |
| </li> |
| <li class="toctree-l2"><a class="reference internal" href="#ssl">SSL</a></li> |
| <li class="toctree-l2"><a class="reference internal" href="#impersonation">Impersonation</a><ul> |
| <li class="toctree-l3"><a class="reference internal" href="#default-impersonation">Default Impersonation</a></li> |
| </ul> |
| </li> |
| <li class="toctree-l2"><a class="reference internal" href="#flower-authentication">Flower Authentication</a></li> |
| <li class="toctree-l2"><a class="reference internal" href="#rbac-ui-security">RBAC UI Security</a><ul> |
| <li class="toctree-l3"><a class="reference internal" href="#default-roles">Default Roles</a><ul> |
| <li class="toctree-l4"><a class="reference internal" href="#admin">Admin</a></li> |
| <li class="toctree-l4"><a class="reference internal" href="#public">Public</a></li> |
| <li class="toctree-l4"><a class="reference internal" href="#viewer">Viewer</a></li> |
| <li class="toctree-l4"><a class="reference internal" href="#user">User</a></li> |
| <li class="toctree-l4"><a class="reference internal" href="#op">Op</a></li> |
| </ul> |
| </li> |
| <li class="toctree-l3"><a class="reference internal" href="#custom-roles">Custom Roles</a><ul> |
| <li class="toctree-l4"><a class="reference internal" href="#dag-level-role">DAG Level Role</a></li> |
| </ul> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| </li> |
| <li class="toctree-l1"><a class="reference internal" href="timezone.html">Time zones</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="api.html">Experimental Rest API</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="integration.html">Integration</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="metrics.html">Metrics</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="kubernetes.html">Kubernetes</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="lineage.html">Lineage</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="changelog.html">Changelog</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="faq.html">FAQ</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="macros.html">Macros reference</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="_api/index.html">API Reference</a></li> |
| </ul> |
| |
| |
| |
| </div> |
| </div> |
| </nav> |
| |
| <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"> |
| |
| |
| <nav class="wy-nav-top" aria-label="top navigation"> |
| |
| <i data-toggle="wy-nav-top" class="fa fa-bars"></i> |
| <a href="index.html">Airflow</a> |
| |
| </nav> |
| |
| |
| <div class="wy-nav-content"> |
| |
| <div class="rst-content"> |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| <div role="navigation" aria-label="breadcrumbs navigation"> |
| |
| <ul class="wy-breadcrumbs"> |
| |
| <li><a href="index.html">Docs</a> »</li> |
| |
| <li>Security</li> |
| |
| |
| <li class="wy-breadcrumbs-aside"> |
| |
| |
| <a href="_sources/security.rst.txt" rel="nofollow"> View page source</a> |
| |
| |
| </li> |
| |
| </ul> |
| |
| |
| <hr/> |
| </div> |
| <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article"> |
| <div itemprop="articleBody"> |
| |
| <div class="section" id="security"> |
| <h1>Security<a class="headerlink" href="#security" title="Permalink to this headline">¶</a></h1> |
| <p>By default, all gates are opened. An easy way to restrict access |
| to the web application is to do it at the network level, or by using |
| SSH tunnels.</p> |
| <p>It is however possible to switch on authentication by either using one of the supplied |
| backends or creating your own.</p> |
| <p>Be sure to checkout <a class="reference internal" href="api.html"><span class="doc">Experimental Rest API</span></a> for securing the API.</p> |
| <div class="admonition note"> |
| <p class="admonition-title">Note</p> |
| <p>Airflow uses the config parser of Python. This config parser interpolates |
| ‘%’-signs. Make sure escape any <code class="docutils literal notranslate"><span class="pre">%</span></code> signs in your config file (but not |
| environment variables) as <code class="docutils literal notranslate"><span class="pre">%%</span></code>, otherwise Airflow might leak these |
| passwords on a config parser exception to a log.</p> |
| </div> |
| <div class="section" id="web-authentication"> |
| <h2>Web Authentication<a class="headerlink" href="#web-authentication" title="Permalink to this headline">¶</a></h2> |
| <div class="section" id="password"> |
| <h3>Password<a class="headerlink" href="#password" title="Permalink to this headline">¶</a></h3> |
| <div class="admonition note"> |
| <p class="admonition-title">Note</p> |
| <p>This is for flask-admin based web UI only. If you are using FAB-based web UI with RBAC feature, |
| please use command line interface <code class="docutils literal notranslate"><span class="pre">create_user</span></code> to create accounts, or do that in the FAB-based UI itself.</p> |
| </div> |
| <p>One of the simplest mechanisms for authentication is requiring users to specify a password before logging in. |
| Password authentication requires the used of the <code class="docutils literal notranslate"><span class="pre">password</span></code> subpackage in your requirements file. Password hashing |
| uses <code class="docutils literal notranslate"><span class="pre">bcrypt</span></code> before storing passwords.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">authenticate</span> <span class="o">=</span> True |
| <span class="nv">auth_backend</span> <span class="o">=</span> airflow.contrib.auth.backends.password_auth |
| </pre></div> |
| </div> |
| <p>When password auth is enabled, an initial user credential will need to be created before anyone can login. An initial |
| user was not created in the migrations for this authentication backend to prevent default Airflow installations from |
| attack. Creating a new user has to be done via a Python REPL on the same machine Airflow is installed.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="c1"># navigate to the airflow installation directory</span> |
| $ <span class="nb">cd</span> ~/airflow |
| $ python |
| Python <span class="m">2</span>.7.9 <span class="o">(</span>default, Feb <span class="m">10</span> <span class="m">2015</span>, <span class="m">03</span>:28:08<span class="o">)</span> |
| Type <span class="s2">"help"</span>, <span class="s2">"copyright"</span>, <span class="s2">"credits"</span> or <span class="s2">"license"</span> <span class="k">for</span> more information. |
| >>> import airflow |
| >>> from airflow import models, settings |
| >>> from airflow.contrib.auth.backends.password_auth import PasswordUser |
| >>> <span class="nv">user</span> <span class="o">=</span> PasswordUser<span class="o">(</span>models.User<span class="o">())</span> |
| >>> user.username <span class="o">=</span> <span class="s1">'new_user_name'</span> |
| >>> user.email <span class="o">=</span> <span class="s1">'new_user_email@example.com'</span> |
| >>> user.password <span class="o">=</span> <span class="s1">'set_the_password'</span> |
| >>> <span class="nv">session</span> <span class="o">=</span> settings.Session<span class="o">()</span> |
| >>> session.add<span class="o">(</span>user<span class="o">)</span> |
| >>> session.commit<span class="o">()</span> |
| >>> session.close<span class="o">()</span> |
| >>> exit<span class="o">()</span> |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="ldap"> |
| <h3>LDAP<a class="headerlink" href="#ldap" title="Permalink to this headline">¶</a></h3> |
| <p>To turn on LDAP authentication configure your <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code> as follows. Please note that the example uses |
| an encrypted connection to the ldap server as we do not want passwords be readable on the network level.</p> |
| <p>Additionally, if you are using Active Directory, and are not explicitly specifying an OU that your users are in, |
| you will need to change <code class="docutils literal notranslate"><span class="pre">search_scope</span></code> to “SUBTREE”.</p> |
| <p>Valid search_scope options can be found in the <a class="reference external" href="http://ldap3.readthedocs.org/searches.html?highlight=search_scope">ldap3 Documentation</a></p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">authenticate</span> <span class="o">=</span> True |
| <span class="nv">auth_backend</span> <span class="o">=</span> airflow.contrib.auth.backends.ldap_auth |
| |
| <span class="o">[</span>ldap<span class="o">]</span> |
| <span class="c1"># set a connection without encryption: uri = ldap://<your.ldap.server>:<port></span> |
| <span class="nv">uri</span> <span class="o">=</span> ldaps://<your.ldap.server>:<port> |
| <span class="nv">user_filter</span> <span class="o">=</span> <span class="nv">objectClass</span><span class="o">=</span>* |
| <span class="c1"># in case of Active Directory you would use: user_name_attr = sAMAccountName</span> |
| <span class="nv">user_name_attr</span> <span class="o">=</span> uid |
| <span class="c1"># group_member_attr should be set accordingly with *_filter</span> |
| <span class="c1"># eg :</span> |
| <span class="c1"># group_member_attr = groupMembership</span> |
| <span class="c1"># superuser_filter = groupMembership=CN=airflow-super-users...</span> |
| <span class="nv">group_member_attr</span> <span class="o">=</span> memberOf |
| <span class="nv">superuser_filter</span> <span class="o">=</span> <span class="nv">memberOf</span><span class="o">=</span><span class="nv">CN</span><span class="o">=</span>airflow-super-users,OU<span class="o">=</span>Groups,OU<span class="o">=</span>RWC,OU<span class="o">=</span>US,OU<span class="o">=</span>NORAM,DC<span class="o">=</span>example,DC<span class="o">=</span>com |
| <span class="nv">data_profiler_filter</span> <span class="o">=</span> <span class="nv">memberOf</span><span class="o">=</span><span class="nv">CN</span><span class="o">=</span>airflow-data-profilers,OU<span class="o">=</span>Groups,OU<span class="o">=</span>RWC,OU<span class="o">=</span>US,OU<span class="o">=</span>NORAM,DC<span class="o">=</span>example,DC<span class="o">=</span>com |
| <span class="nv">bind_user</span> <span class="o">=</span> <span class="nv">cn</span><span class="o">=</span>Manager,dc<span class="o">=</span>example,dc<span class="o">=</span>com |
| <span class="nv">bind_password</span> <span class="o">=</span> insecure |
| <span class="nv">basedn</span> <span class="o">=</span> <span class="nv">dc</span><span class="o">=</span>example,dc<span class="o">=</span>com |
| <span class="nv">cacert</span> <span class="o">=</span> /etc/ca/ldap_ca.crt |
| <span class="c1"># Set search_scope to one of them: BASE, LEVEL , SUBTREE</span> |
| <span class="c1"># Set search_scope to SUBTREE if using Active Directory, and not specifying an Organizational Unit</span> |
| <span class="nv">search_scope</span> <span class="o">=</span> LEVEL |
| |
| <span class="c1"># This option tells ldap3 to ignore schemas that are considered malformed. This sometimes comes up</span> |
| <span class="c1"># when using hosted ldap services.</span> |
| <span class="nv">ignore_malformed_schema</span> <span class="o">=</span> False |
| </pre></div> |
| </div> |
| <p>The superuser_filter and data_profiler_filter are optional. If defined, these configurations allow you to specify LDAP groups that users must belong to in order to have superuser (admin) and data-profiler permissions. If undefined, all users will be superusers and data profilers.</p> |
| </div> |
| <div class="section" id="roll-your-own"> |
| <h3>Roll your own<a class="headerlink" href="#roll-your-own" title="Permalink to this headline">¶</a></h3> |
| <p>Airflow uses <code class="docutils literal notranslate"><span class="pre">flask_login</span></code> and |
| exposes a set of hooks in the <code class="docutils literal notranslate"><span class="pre">airflow.default_login</span></code> module. You can |
| alter the content and make it part of the <code class="docutils literal notranslate"><span class="pre">PYTHONPATH</span></code> and configure it as a backend in <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code>.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">authenticate</span> <span class="o">=</span> True |
| <span class="nv">auth_backend</span> <span class="o">=</span> mypackage.auth |
| </pre></div> |
| </div> |
| </div> |
| </div> |
| <div class="section" id="multi-tenancy"> |
| <h2>Multi-tenancy<a class="headerlink" href="#multi-tenancy" title="Permalink to this headline">¶</a></h2> |
| <p>You can filter the list of dags in webserver by owner name when authentication |
| is turned on by setting <code class="docutils literal notranslate"><span class="pre">webserver:filter_by_owner</span></code> in your config. With this, a user will see |
| only the dags which it is owner of, unless it is a superuser.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">filter_by_owner</span> <span class="o">=</span> True |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="kerberos"> |
| <h2>Kerberos<a class="headerlink" href="#kerberos" title="Permalink to this headline">¶</a></h2> |
| <p>Airflow has initial support for Kerberos. This means that airflow can renew kerberos |
| tickets for itself and store it in the ticket cache. The hooks and dags can make use of ticket |
| to authenticate against kerberized services.</p> |
| <div class="section" id="limitations"> |
| <h3>Limitations<a class="headerlink" href="#limitations" title="Permalink to this headline">¶</a></h3> |
| <p>Please note that at this time, not all hooks have been adjusted to make use of this functionality. |
| Also it does not integrate kerberos into the web interface and you will have to rely on network |
| level security for now to make sure your service remains secure.</p> |
| <p>Celery integration has not been tried and tested yet. However, if you generate a key tab for every |
| host and launch a ticket renewer next to every worker it will most likely work.</p> |
| </div> |
| <div class="section" id="enabling-kerberos"> |
| <h3>Enabling kerberos<a class="headerlink" href="#enabling-kerberos" title="Permalink to this headline">¶</a></h3> |
| <div class="section" id="airflow"> |
| <h4>Airflow<a class="headerlink" href="#airflow" title="Permalink to this headline">¶</a></h4> |
| <p>To enable kerberos you will need to generate a (service) key tab.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="c1"># in the kadmin.local or kadmin shell, create the airflow principal</span> |
| kadmin: addprinc -randkey airflow/fully.qualified.domain.name@YOUR-REALM.COM |
| |
| <span class="c1"># Create the airflow keytab file that will contain the airflow principal</span> |
| kadmin: xst -norandkey -k airflow.keytab airflow/fully.qualified.domain.name |
| </pre></div> |
| </div> |
| <p>Now store this file in a location where the airflow user can read it (chmod 600). And then add the following to |
| your <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code></p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>core<span class="o">]</span> |
| <span class="nv">security</span> <span class="o">=</span> kerberos |
| |
| <span class="o">[</span>kerberos<span class="o">]</span> |
| <span class="nv">keytab</span> <span class="o">=</span> /etc/airflow/airflow.keytab |
| <span class="nv">reinit_frequency</span> <span class="o">=</span> <span class="m">3600</span> |
| <span class="nv">principal</span> <span class="o">=</span> airflow |
| </pre></div> |
| </div> |
| <p>Launch the ticket renewer by</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="c1"># run ticket renewer</span> |
| airflow kerberos |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="hadoop"> |
| <h4>Hadoop<a class="headerlink" href="#hadoop" title="Permalink to this headline">¶</a></h4> |
| <p>If want to use impersonation this needs to be enabled in <code class="docutils literal notranslate"><span class="pre">core-site.xml</span></code> of your hadoop config.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><property> |
| <name>hadoop.proxyuser.airflow.groups</name> |
| <value>*</value> |
| </property> |
| |
| <property> |
| <name>hadoop.proxyuser.airflow.users</name> |
| <value>*</value> |
| </property> |
| |
| <property> |
| <name>hadoop.proxyuser.airflow.hosts</name> |
| <value>*</value> |
| </property> |
| </pre></div> |
| </div> |
| <p>Of course if you need to tighten your security replace the asterisk with something more appropriate.</p> |
| </div> |
| </div> |
| <div class="section" id="using-kerberos-authentication"> |
| <h3>Using kerberos authentication<a class="headerlink" href="#using-kerberos-authentication" title="Permalink to this headline">¶</a></h3> |
| <p>The hive hook has been updated to take advantage of kerberos authentication. To allow your DAGs to |
| use it, simply update the connection details with, for example:</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">{</span> <span class="s2">"use_beeline"</span>: true, <span class="s2">"principal"</span>: <span class="s2">"hive/_HOST@EXAMPLE.COM"</span><span class="o">}</span> |
| </pre></div> |
| </div> |
| <p>Adjust the principal to your settings. The _HOST part will be replaced by the fully qualified domain name of |
| the server.</p> |
| <p>You can specify if you would like to use the dag owner as the user for the connection or the user specified in the login |
| section of the connection. For the login user, specify the following as extra:</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">{</span> <span class="s2">"use_beeline"</span>: true, <span class="s2">"principal"</span>: <span class="s2">"hive/_HOST@EXAMPLE.COM"</span>, <span class="s2">"proxy_user"</span>: <span class="s2">"login"</span><span class="o">}</span> |
| </pre></div> |
| </div> |
| <p>For the DAG owner use:</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">{</span> <span class="s2">"use_beeline"</span>: true, <span class="s2">"principal"</span>: <span class="s2">"hive/_HOST@EXAMPLE.COM"</span>, <span class="s2">"proxy_user"</span>: <span class="s2">"owner"</span><span class="o">}</span> |
| </pre></div> |
| </div> |
| <p>and in your DAG, when initializing the HiveOperator, specify:</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="nv">run_as_owner</span><span class="o">=</span>True |
| </pre></div> |
| </div> |
| <p>To use kerberos authentication, you must install Airflow with the <cite>kerberos</cite> extras group:</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>pip install <span class="s1">'apache-airflow[kerberos]'</span> |
| </pre></div> |
| </div> |
| </div> |
| </div> |
| <div class="section" id="oauth-authentication"> |
| <h2>OAuth Authentication<a class="headerlink" href="#oauth-authentication" title="Permalink to this headline">¶</a></h2> |
| <div class="section" id="github-enterprise-ghe-authentication"> |
| <h3>GitHub Enterprise (GHE) Authentication<a class="headerlink" href="#github-enterprise-ghe-authentication" title="Permalink to this headline">¶</a></h3> |
| <p>The GitHub Enterprise authentication backend can be used to authenticate users |
| against an installation of GitHub Enterprise using OAuth2. You can optionally |
| specify a team whitelist (composed of slug cased team names) to restrict login |
| to only members of those teams.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">authenticate</span> <span class="o">=</span> True |
| <span class="nv">auth_backend</span> <span class="o">=</span> airflow.contrib.auth.backends.github_enterprise_auth |
| |
| <span class="o">[</span>github_enterprise<span class="o">]</span> |
| <span class="nv">host</span> <span class="o">=</span> github.example.com |
| <span class="nv">client_id</span> <span class="o">=</span> oauth_key_from_github_enterprise |
| <span class="nv">client_secret</span> <span class="o">=</span> oauth_secret_from_github_enterprise |
| <span class="nv">oauth_callback_route</span> <span class="o">=</span> /example/ghe_oauth/callback |
| <span class="nv">allowed_teams</span> <span class="o">=</span> <span class="m">1</span>, <span class="m">345</span>, <span class="m">23</span> |
| </pre></div> |
| </div> |
| <div class="admonition note"> |
| <p class="admonition-title">Note</p> |
| <p>If you do not specify a team whitelist, anyone with a valid account on |
| your GHE installation will be able to login to Airflow.</p> |
| </div> |
| <p>To use GHE authentication, you must install Airflow with the <cite>github_enterprise</cite> extras group:</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>pip install <span class="s1">'apache-airflow[github_enterprise]'</span> |
| </pre></div> |
| </div> |
| <div class="section" id="setting-up-ghe-authentication"> |
| <h4>Setting up GHE Authentication<a class="headerlink" href="#setting-up-ghe-authentication" title="Permalink to this headline">¶</a></h4> |
| <p>An application must be setup in GHE before you can use the GHE authentication |
| backend. In order to setup an application:</p> |
| <ol class="arabic simple"> |
| <li><p>Navigate to your GHE profile</p></li> |
| <li><p>Select ‘Applications’ from the left hand nav</p></li> |
| <li><p>Select the ‘Developer Applications’ tab</p></li> |
| <li><p>Click ‘Register new application’</p></li> |
| <li><p>Fill in the required information (the ‘Authorization callback URL’ must be fully qualified e.g. <a class="reference external" href="http://airflow.example.com/example/ghe_oauth/callback">http://airflow.example.com/example/ghe_oauth/callback</a>)</p></li> |
| <li><p>Click ‘Register application’</p></li> |
| <li><p>Copy ‘Client ID’, ‘Client Secret’, and your callback route to your airflow.cfg according to the above example</p></li> |
| </ol> |
| </div> |
| <div class="section" id="using-ghe-authentication-with-github-com"> |
| <h4>Using GHE Authentication with github.com<a class="headerlink" href="#using-ghe-authentication-with-github-com" title="Permalink to this headline">¶</a></h4> |
| <p>It is possible to use GHE authentication with github.com:</p> |
| <ol class="arabic simple"> |
| <li><p><a class="reference external" href="https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app/">Create an Oauth App</a></p></li> |
| <li><p>Copy ‘Client ID’, ‘Client Secret’ to your airflow.cfg according to the above example</p></li> |
| <li><p>Set <code class="docutils literal notranslate"><span class="pre">host</span> <span class="pre">=</span> <span class="pre">github.com</span></code> and <code class="docutils literal notranslate"><span class="pre">oauth_callback_route</span> <span class="pre">=</span> <span class="pre">/oauth/callback</span></code> in airflow.cfg</p></li> |
| </ol> |
| </div> |
| </div> |
| <div class="section" id="google-authentication"> |
| <h3>Google Authentication<a class="headerlink" href="#google-authentication" title="Permalink to this headline">¶</a></h3> |
| <p>The Google authentication backend can be used to authenticate users |
| against Google using OAuth2. You must specify the domains to restrict |
| login, separated with a comma, to only members of those domains.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">authenticate</span> <span class="o">=</span> True |
| <span class="nv">auth_backend</span> <span class="o">=</span> airflow.contrib.auth.backends.google_auth |
| |
| <span class="o">[</span>google<span class="o">]</span> |
| <span class="nv">client_id</span> <span class="o">=</span> google_client_id |
| <span class="nv">client_secret</span> <span class="o">=</span> google_client_secret |
| <span class="nv">oauth_callback_route</span> <span class="o">=</span> /oauth2callback |
| <span class="nv">domain</span> <span class="o">=</span> <span class="s2">"example1.com,example2.com"</span> |
| </pre></div> |
| </div> |
| <p>To use Google authentication, you must install Airflow with the <cite>google_auth</cite> extras group:</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>pip install <span class="s1">'apache-airflow[google_auth]'</span> |
| </pre></div> |
| </div> |
| <div class="section" id="setting-up-google-authentication"> |
| <h4>Setting up Google Authentication<a class="headerlink" href="#setting-up-google-authentication" title="Permalink to this headline">¶</a></h4> |
| <p>An application must be setup in the Google API Console before you can use the Google authentication |
| backend. In order to setup an application:</p> |
| <ol class="arabic simple"> |
| <li><p>Navigate to <a class="reference external" href="https://console.developers.google.com/apis/">https://console.developers.google.com/apis/</a></p></li> |
| <li><p>Select ‘Credentials’ from the left hand nav</p></li> |
| <li><p>Click ‘Create credentials’ and choose ‘OAuth client ID’</p></li> |
| <li><p>Choose ‘Web application’</p></li> |
| <li><p>Fill in the required information (the ‘Authorized redirect URIs’ must be fully qualified e.g. <a class="reference external" href="http://airflow.example.com/oauth2callback">http://airflow.example.com/oauth2callback</a>)</p></li> |
| <li><p>Click ‘Create’</p></li> |
| <li><p>Copy ‘Client ID’, ‘Client Secret’, and your redirect URI to your airflow.cfg according to the above example</p></li> |
| </ol> |
| </div> |
| </div> |
| </div> |
| <div class="section" id="ssl"> |
| <h2>SSL<a class="headerlink" href="#ssl" title="Permalink to this headline">¶</a></h2> |
| <p>SSL can be enabled by providing a certificate and key. Once enabled, be sure to use |
| “<a class="reference external" href="https://">https://</a>” in your browser.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">web_server_ssl_cert</span> <span class="o">=</span> <path to cert> |
| <span class="nv">web_server_ssl_key</span> <span class="o">=</span> <path to key> |
| </pre></div> |
| </div> |
| <p>Enabling SSL will not automatically change the web server port. If you want to use the |
| standard port 443, you’ll need to configure that too. Be aware that super user privileges |
| (or cap_net_bind_service on Linux) are required to listen on port 443.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="c1"># Optionally, set the server to listen on the standard SSL port.</span> |
| <span class="nv">web_server_port</span> <span class="o">=</span> <span class="m">443</span> |
| <span class="nv">base_url</span> <span class="o">=</span> http://<hostname or IP>:443 |
| </pre></div> |
| </div> |
| <p>Enable CeleryExecutor with SSL. Ensure you properly generate client and server |
| certs and keys.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>celery<span class="o">]</span> |
| <span class="nv">ssl_active</span> <span class="o">=</span> True |
| <span class="nv">ssl_key</span> <span class="o">=</span> <path to key> |
| <span class="nv">ssl_cert</span> <span class="o">=</span> <path to cert> |
| <span class="nv">ssl_cacert</span> <span class="o">=</span> <path to cacert> |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="impersonation"> |
| <h2>Impersonation<a class="headerlink" href="#impersonation" title="Permalink to this headline">¶</a></h2> |
| <p>Airflow has the ability to impersonate a unix user while running task |
| instances based on the task’s <code class="docutils literal notranslate"><span class="pre">run_as_user</span></code> parameter, which takes a user’s name.</p> |
| <p><strong>NOTE:</strong> For impersonations to work, Airflow must be run with <cite>sudo</cite> as subtasks are run |
| with <cite>sudo -u</cite> and permissions of files are changed. Furthermore, the unix user needs to |
| exist on the worker. Here is what a simple sudoers file entry could look like to achieve |
| this, assuming as airflow is running as the <cite>airflow</cite> user. Note that this means that |
| the airflow user must be trusted and treated the same way as the root user.</p> |
| <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>airflow ALL=(ALL) NOPASSWD: ALL |
| </pre></div> |
| </div> |
| <p>Subtasks with impersonation will still log to the same folder, except that the files they |
| log to will have permissions changed such that only the unix user can write to it.</p> |
| <div class="section" id="default-impersonation"> |
| <h3>Default Impersonation<a class="headerlink" href="#default-impersonation" title="Permalink to this headline">¶</a></h3> |
| <p>To prevent tasks that don’t use impersonation to be run with <cite>sudo</cite> privileges, you can set the |
| <code class="docutils literal notranslate"><span class="pre">core:default_impersonation</span></code> config which sets a default user impersonate if <cite>run_as_user</cite> is |
| not set.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>core<span class="o">]</span> |
| <span class="nv">default_impersonation</span> <span class="o">=</span> airflow |
| </pre></div> |
| </div> |
| </div> |
| </div> |
| <div class="section" id="flower-authentication"> |
| <h2>Flower Authentication<a class="headerlink" href="#flower-authentication" title="Permalink to this headline">¶</a></h2> |
| <p>Basic authentication for Celery Flower is supported.</p> |
| <p>You can specify the details either as an optional argument in the Flower process launching |
| command, or as a configuration item in your <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code>. For both cases, please provide |
| <cite>user:password</cite> pairs separated by a comma.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>airflow flower --basic_auth<span class="o">=</span>user1:password1,user2:password2 |
| </pre></div> |
| </div> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>celery<span class="o">]</span> |
| <span class="nv">flower_basic_auth</span> <span class="o">=</span> user1:password1,user2:password2 |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="rbac-ui-security"> |
| <h2>RBAC UI Security<a class="headerlink" href="#rbac-ui-security" title="Permalink to this headline">¶</a></h2> |
| <p>Security of Airflow Webserver UI when running with <code class="docutils literal notranslate"><span class="pre">rbac=True</span></code> in the config is handled by Flask AppBuilder (FAB). |
| Please read its related <a class="reference external" href="http://flask-appbuilder.readthedocs.io/en/latest/security.html">security document</a> |
| regarding its security model.</p> |
| <div class="section" id="default-roles"> |
| <h3>Default Roles<a class="headerlink" href="#default-roles" title="Permalink to this headline">¶</a></h3> |
| <p>Airflow ships with a set of roles by default: Admin, User, Op, Viewer, and Public. |
| Only <code class="docutils literal notranslate"><span class="pre">Admin</span></code> users could configure/alter the permissions for other roles. But it is not recommended |
| that <code class="docutils literal notranslate"><span class="pre">Admin</span></code> users alter these default roles in any way by removing |
| or adding permissions to these roles.</p> |
| <div class="section" id="admin"> |
| <h4>Admin<a class="headerlink" href="#admin" title="Permalink to this headline">¶</a></h4> |
| <p><code class="docutils literal notranslate"><span class="pre">Admin</span></code> users have all possible permissions, including granting or revoking permissions from |
| other users.</p> |
| </div> |
| <div class="section" id="public"> |
| <h4>Public<a class="headerlink" href="#public" title="Permalink to this headline">¶</a></h4> |
| <p><code class="docutils literal notranslate"><span class="pre">Public</span></code> users (anonymous) don’t have any permissions.</p> |
| </div> |
| <div class="section" id="viewer"> |
| <h4>Viewer<a class="headerlink" href="#viewer" title="Permalink to this headline">¶</a></h4> |
| <p><code class="docutils literal notranslate"><span class="pre">Viewer</span></code> users have limited viewer permissions</p> |
| <div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="n">VIEWER_PERMS</span> <span class="o">=</span> <span class="p">{</span> |
| <span class="s1">'menu_access'</span><span class="p">,</span> |
| <span class="s1">'can_index'</span><span class="p">,</span> |
| <span class="s1">'can_list'</span><span class="p">,</span> |
| <span class="s1">'can_show'</span><span class="p">,</span> |
| <span class="s1">'can_chart'</span><span class="p">,</span> |
| <span class="s1">'can_dag_stats'</span><span class="p">,</span> |
| <span class="s1">'can_dag_details'</span><span class="p">,</span> |
| <span class="s1">'can_task_stats'</span><span class="p">,</span> |
| <span class="s1">'can_code'</span><span class="p">,</span> |
| <span class="s1">'can_log'</span><span class="p">,</span> |
| <span class="s1">'can_get_logs_with_metadata'</span><span class="p">,</span> |
| <span class="s1">'can_tries'</span><span class="p">,</span> |
| <span class="s1">'can_graph'</span><span class="p">,</span> |
| <span class="s1">'can_tree'</span><span class="p">,</span> |
| <span class="s1">'can_task'</span><span class="p">,</span> |
| <span class="s1">'can_task_instances'</span><span class="p">,</span> |
| <span class="s1">'can_xcom'</span><span class="p">,</span> |
| <span class="s1">'can_gantt'</span><span class="p">,</span> |
| <span class="s1">'can_landing_times'</span><span class="p">,</span> |
| <span class="s1">'can_duration'</span><span class="p">,</span> |
| <span class="s1">'can_blocked'</span><span class="p">,</span> |
| <span class="s1">'can_rendered'</span><span class="p">,</span> |
| <span class="s1">'can_pickle_info'</span><span class="p">,</span> |
| <span class="s1">'can_version'</span><span class="p">,</span> |
| <span class="p">}</span> |
| </pre></div> |
| </div> |
| <p>on limited web views</p> |
| <div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="n">VIEWER_VMS</span> <span class="o">=</span> <span class="p">{</span> |
| <span class="s1">'Airflow'</span><span class="p">,</span> |
| <span class="s1">'DagModelView'</span><span class="p">,</span> |
| <span class="s1">'Browse'</span><span class="p">,</span> |
| <span class="s1">'DAG Runs'</span><span class="p">,</span> |
| <span class="s1">'DagRunModelView'</span><span class="p">,</span> |
| <span class="s1">'Task Instances'</span><span class="p">,</span> |
| <span class="s1">'TaskInstanceModelView'</span><span class="p">,</span> |
| <span class="s1">'SLA Misses'</span><span class="p">,</span> |
| <span class="s1">'SlaMissModelView'</span><span class="p">,</span> |
| <span class="s1">'Jobs'</span><span class="p">,</span> |
| <span class="s1">'JobModelView'</span><span class="p">,</span> |
| <span class="s1">'Logs'</span><span class="p">,</span> |
| <span class="s1">'LogModelView'</span><span class="p">,</span> |
| <span class="s1">'Docs'</span><span class="p">,</span> |
| <span class="s1">'Documentation'</span><span class="p">,</span> |
| <span class="s1">'GitHub'</span><span class="p">,</span> |
| <span class="s1">'About'</span><span class="p">,</span> |
| <span class="s1">'Version'</span><span class="p">,</span> |
| <span class="s1">'VersionView'</span><span class="p">,</span> |
| <span class="p">}</span> |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="user"> |
| <h4>User<a class="headerlink" href="#user" title="Permalink to this headline">¶</a></h4> |
| <p><code class="docutils literal notranslate"><span class="pre">User</span></code> users have <code class="docutils literal notranslate"><span class="pre">Viewer</span></code> permissions plus additional user permissions</p> |
| <div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="n">USER_PERMS</span> <span class="o">=</span> <span class="p">{</span> |
| <span class="s1">'can_dagrun_clear'</span><span class="p">,</span> |
| <span class="s1">'can_run'</span><span class="p">,</span> |
| <span class="s1">'can_trigger'</span><span class="p">,</span> |
| <span class="s1">'can_add'</span><span class="p">,</span> |
| <span class="s1">'can_edit'</span><span class="p">,</span> |
| <span class="s1">'can_delete'</span><span class="p">,</span> |
| <span class="s1">'can_paused'</span><span class="p">,</span> |
| <span class="s1">'can_refresh'</span><span class="p">,</span> |
| <span class="s1">'can_success'</span><span class="p">,</span> |
| <span class="s1">'muldelete'</span><span class="p">,</span> |
| <span class="s1">'set_failed'</span><span class="p">,</span> |
| <span class="s1">'set_running'</span><span class="p">,</span> |
| <span class="s1">'set_success'</span><span class="p">,</span> |
| <span class="s1">'clear'</span><span class="p">,</span> |
| <span class="s1">'can_clear'</span><span class="p">,</span> |
| <span class="p">}</span> |
| </pre></div> |
| </div> |
| <p>on User web views which is the same as Viewer web views.</p> |
| </div> |
| <div class="section" id="op"> |
| <h4>Op<a class="headerlink" href="#op" title="Permalink to this headline">¶</a></h4> |
| <p><code class="docutils literal notranslate"><span class="pre">Op</span></code> users have <code class="docutils literal notranslate"><span class="pre">User</span></code> permissions plus additional op permissions</p> |
| <div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="n">OP_PERMS</span> <span class="o">=</span> <span class="p">{</span> |
| <span class="s1">'can_conf'</span><span class="p">,</span> |
| <span class="s1">'can_varimport'</span><span class="p">,</span> |
| <span class="p">}</span> |
| </pre></div> |
| </div> |
| <p>on <code class="docutils literal notranslate"><span class="pre">User</span></code> web views plus these additional op web views</p> |
| <div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="n">OP_VMS</span> <span class="o">=</span> <span class="p">{</span> |
| <span class="s1">'Admin'</span><span class="p">,</span> |
| <span class="s1">'Configurations'</span><span class="p">,</span> |
| <span class="s1">'ConfigurationView'</span><span class="p">,</span> |
| <span class="s1">'Connections'</span><span class="p">,</span> |
| <span class="s1">'ConnectionModelView'</span><span class="p">,</span> |
| <span class="s1">'Pools'</span><span class="p">,</span> |
| <span class="s1">'PoolModelView'</span><span class="p">,</span> |
| <span class="s1">'Variables'</span><span class="p">,</span> |
| <span class="s1">'VariableModelView'</span><span class="p">,</span> |
| <span class="s1">'XComs'</span><span class="p">,</span> |
| <span class="s1">'XComModelView'</span><span class="p">,</span> |
| <span class="p">}</span> |
| </pre></div> |
| </div> |
| </div> |
| </div> |
| <div class="section" id="custom-roles"> |
| <h3>Custom Roles<a class="headerlink" href="#custom-roles" title="Permalink to this headline">¶</a></h3> |
| <div class="section" id="dag-level-role"> |
| <h4>DAG Level Role<a class="headerlink" href="#dag-level-role" title="Permalink to this headline">¶</a></h4> |
| <p><code class="docutils literal notranslate"><span class="pre">Admin</span></code> can create a set of roles which are only allowed to view a certain set of dags. This is called DAG level access. Each dag defined in the dag model table |
| is treated as a <code class="docutils literal notranslate"><span class="pre">View</span></code> which has two permissions associated with it (<code class="docutils literal notranslate"><span class="pre">can_dag_read</span></code> and <code class="docutils literal notranslate"><span class="pre">can_dag_edit</span></code>). There is a special view called <code class="docutils literal notranslate"><span class="pre">all_dags</span></code> which |
| allows the role to access all the dags. The default <code class="docutils literal notranslate"><span class="pre">Admin</span></code>, <code class="docutils literal notranslate"><span class="pre">Viewer</span></code>, <code class="docutils literal notranslate"><span class="pre">User</span></code>, <code class="docutils literal notranslate"><span class="pre">Op</span></code> roles can all access <code class="docutils literal notranslate"><span class="pre">all_dags</span></code> view.</p> |
| </div> |
| </div> |
| </div> |
| </div> |
| |
| |
| </div> |
| |
| </div> |
| <footer> |
| |
| <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation"> |
| |
| <a href="timezone.html" class="btn btn-neutral float-right" title="Time zones" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right"></span></a> |
| |
| |
| <a href="plugins.html" class="btn btn-neutral float-left" title="Plugins" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a> |
| |
| </div> |
| |
| |
| <hr/> |
| |
| <div role="contentinfo"> |
| <p> |
| |
| </p> |
| </div> |
| Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. |
| |
| </footer> |
| |
| </div> |
| </div> |
| |
| </section> |
| |
| </div> |
| |
| |
| |
| <script type="text/javascript"> |
| jQuery(function () { |
| SphinxRtdTheme.Navigation.enable(true); |
| }); |
| </script> |
| |
| |
| |
| |
| |
| |
| </body> |
| </html> |