| |
| |
| <!DOCTYPE html> |
| <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]--> |
| <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]--> |
| <head> |
| <meta charset="utf-8"> |
| |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| |
| <title>Security — Airflow Documentation</title> |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| <link rel="stylesheet" href="_static/css/theme.css" type="text/css" /> |
| <link rel="stylesheet" href="_static/pygments.css" type="text/css" /> |
| <link rel="index" title="Index" href="genindex.html" /> |
| <link rel="search" title="Search" href="search.html" /> |
| <link rel="next" title="Time zones" href="timezone.html" /> |
| <link rel="prev" title="Plugins" href="plugins.html" /> |
| |
| |
| <script src="_static/js/modernizr.min.js"></script> |
| |
| </head> |
| |
| <body class="wy-body-for-nav"> |
| |
| |
| <div class="wy-grid-for-nav"> |
| |
| |
| <nav data-toggle="wy-nav-shift" class="wy-nav-side"> |
| <div class="wy-side-scroll"> |
| <div class="wy-side-nav-search"> |
| |
| |
| |
| <a href="index.html" class="icon icon-home"> Airflow |
| |
| |
| |
| </a> |
| |
| |
| |
| |
| <div class="version"> |
| 1.10.2 |
| </div> |
| |
| |
| |
| |
| <div role="search"> |
| <form id="rtd-search-form" class="wy-form" action="search.html" method="get"> |
| <input type="text" name="q" placeholder="Search docs" /> |
| <input type="hidden" name="check_keywords" value="yes" /> |
| <input type="hidden" name="area" value="default" /> |
| </form> |
| </div> |
| |
| |
| </div> |
| |
| <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation"> |
| |
| |
| |
| |
| |
| |
| <ul class="current"> |
| <li class="toctree-l1"><a class="reference internal" href="project.html">Project</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="license.html">License</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="start.html">Quick Start</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="installation.html">Installation</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="tutorial.html">Tutorial</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="howto/index.html">How-to Guides</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="ui.html">UI / Screenshots</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="concepts.html">Concepts</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="profiling.html">Data Profiling</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="cli.html">Command Line Interface</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="scheduler.html">Scheduling & Triggers</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="plugins.html">Plugins</a></li> |
| <li class="toctree-l1 current"><a class="current reference internal" href="#">Security</a><ul> |
| <li class="toctree-l2"><a class="reference internal" href="#web-authentication">Web Authentication</a><ul> |
| <li class="toctree-l3"><a class="reference internal" href="#password">Password</a></li> |
| <li class="toctree-l3"><a class="reference internal" href="#ldap">LDAP</a></li> |
| <li class="toctree-l3"><a class="reference internal" href="#roll-your-own">Roll your own</a></li> |
| </ul> |
| </li> |
| <li class="toctree-l2"><a class="reference internal" href="#multi-tenancy">Multi-tenancy</a></li> |
| <li class="toctree-l2"><a class="reference internal" href="#kerberos">Kerberos</a><ul> |
| <li class="toctree-l3"><a class="reference internal" href="#limitations">Limitations</a></li> |
| <li class="toctree-l3"><a class="reference internal" href="#enabling-kerberos">Enabling kerberos</a><ul> |
| <li class="toctree-l4"><a class="reference internal" href="#airflow">Airflow</a></li> |
| <li class="toctree-l4"><a class="reference internal" href="#hadoop">Hadoop</a></li> |
| </ul> |
| </li> |
| <li class="toctree-l3"><a class="reference internal" href="#using-kerberos-authentication">Using kerberos authentication</a></li> |
| </ul> |
| </li> |
| <li class="toctree-l2"><a class="reference internal" href="#oauth-authentication">OAuth Authentication</a><ul> |
| <li class="toctree-l3"><a class="reference internal" href="#github-enterprise-ghe-authentication">GitHub Enterprise (GHE) Authentication</a><ul> |
| <li class="toctree-l4"><a class="reference internal" href="#setting-up-ghe-authentication">Setting up GHE Authentication</a></li> |
| <li class="toctree-l4"><a class="reference internal" href="#using-ghe-authentication-with-github-com">Using GHE Authentication with github.com</a></li> |
| </ul> |
| </li> |
| <li class="toctree-l3"><a class="reference internal" href="#google-authentication">Google Authentication</a><ul> |
| <li class="toctree-l4"><a class="reference internal" href="#setting-up-google-authentication">Setting up Google Authentication</a></li> |
| </ul> |
| </li> |
| </ul> |
| </li> |
| <li class="toctree-l2"><a class="reference internal" href="#ssl">SSL</a></li> |
| <li class="toctree-l2"><a class="reference internal" href="#impersonation">Impersonation</a><ul> |
| <li class="toctree-l3"><a class="reference internal" href="#default-impersonation">Default Impersonation</a></li> |
| </ul> |
| </li> |
| <li class="toctree-l2"><a class="reference internal" href="#flower-authentication">Flower Authentication</a></li> |
| </ul> |
| </li> |
| <li class="toctree-l1"><a class="reference internal" href="timezone.html">Time zones</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="api.html">Experimental Rest API</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="integration.html">Integration</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="metrics.html">Metrics</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="kubernetes.html">Kubernetes</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="lineage.html">Lineage</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="changelog.html">Changelog</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="faq.html">FAQ</a></li> |
| <li class="toctree-l1"><a class="reference internal" href="code.html">API Reference</a></li> |
| </ul> |
| |
| |
| |
| </div> |
| </div> |
| </nav> |
| |
| <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"> |
| |
| |
| <nav class="wy-nav-top" aria-label="top navigation"> |
| |
| <i data-toggle="wy-nav-top" class="fa fa-bars"></i> |
| <a href="index.html">Airflow</a> |
| |
| </nav> |
| |
| |
| <div class="wy-nav-content"> |
| |
| <div class="rst-content"> |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| <div role="navigation" aria-label="breadcrumbs navigation"> |
| |
| <ul class="wy-breadcrumbs"> |
| |
| <li><a href="index.html">Docs</a> »</li> |
| |
| <li>Security</li> |
| |
| |
| <li class="wy-breadcrumbs-aside"> |
| |
| |
| <a href="_sources/security.rst.txt" rel="nofollow"> View page source</a> |
| |
| |
| </li> |
| |
| </ul> |
| |
| |
| <hr/> |
| </div> |
| <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article"> |
| <div itemprop="articleBody"> |
| |
| <div class="section" id="security"> |
| <h1>Security<a class="headerlink" href="#security" title="Permalink to this headline">¶</a></h1> |
| <p>By default, all gates are opened. An easy way to restrict access |
| to the web application is to do it at the network level, or by using |
| SSH tunnels.</p> |
| <p>It is however possible to switch on authentication by either using one of the supplied |
| backends or creating your own.</p> |
| <p>Be sure to checkout <a class="reference internal" href="api.html"><span class="doc">Experimental Rest API</span></a> for securing the API.</p> |
| <div class="admonition note"> |
| <p class="first admonition-title">Note</p> |
| <p class="last">Airflow uses the config parser of Python. This config parser interpolates |
| ‘%’-signs. Make sure escape any <code class="docutils literal notranslate"><span class="pre">%</span></code> signs in your config file (but not |
| environment variables) as <code class="docutils literal notranslate"><span class="pre">%%</span></code>, otherwise Airflow might leak these |
| passwords on a config parser exception to a log.</p> |
| </div> |
| <div class="section" id="web-authentication"> |
| <h2>Web Authentication<a class="headerlink" href="#web-authentication" title="Permalink to this headline">¶</a></h2> |
| <div class="section" id="password"> |
| <h3>Password<a class="headerlink" href="#password" title="Permalink to this headline">¶</a></h3> |
| <div class="admonition note"> |
| <p class="first admonition-title">Note</p> |
| <p class="last">This is for flask-admin based web UI only. If you are using FAB-based web UI with RBAC feature, |
| please use command line interface <code class="docutils literal notranslate"><span class="pre">create_user</span></code> to create accounts, or do that in the FAB-based UI itself.</p> |
| </div> |
| <p>One of the simplest mechanisms for authentication is requiring users to specify a password before logging in. |
| Password authentication requires the used of the <code class="docutils literal notranslate"><span class="pre">password</span></code> subpackage in your requirements file. Password hashing |
| uses <code class="docutils literal notranslate"><span class="pre">bcrypt</span></code> before storing passwords.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">authenticate</span> <span class="o">=</span> True |
| <span class="nv">auth_backend</span> <span class="o">=</span> airflow.contrib.auth.backends.password_auth |
| </pre></div> |
| </div> |
| <p>When password auth is enabled, an initial user credential will need to be created before anyone can login. An initial |
| user was not created in the migrations for this authentication backend to prevent default Airflow installations from |
| attack. Creating a new user has to be done via a Python REPL on the same machine Airflow is installed.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="c1"># navigate to the airflow installation directory</span> |
| $ <span class="nb">cd</span> ~/airflow |
| $ python |
| Python <span class="m">2</span>.7.9 <span class="o">(</span>default, Feb <span class="m">10</span> <span class="m">2015</span>, <span class="m">03</span>:28:08<span class="o">)</span> |
| Type <span class="s2">"help"</span>, <span class="s2">"copyright"</span>, <span class="s2">"credits"</span> or <span class="s2">"license"</span> <span class="k">for</span> more information. |
| >>> import airflow |
| >>> from airflow import models, settings |
| >>> from airflow.contrib.auth.backends.password_auth import PasswordUser |
| >>> <span class="nv">user</span> <span class="o">=</span> PasswordUser<span class="o">(</span>models.User<span class="o">())</span> |
| >>> user.username <span class="o">=</span> <span class="s1">'new_user_name'</span> |
| >>> user.email <span class="o">=</span> <span class="s1">'new_user_email@example.com'</span> |
| >>> user.password <span class="o">=</span> <span class="s1">'set_the_password'</span> |
| >>> <span class="nv">session</span> <span class="o">=</span> settings.Session<span class="o">()</span> |
| >>> session.add<span class="o">(</span>user<span class="o">)</span> |
| >>> session.commit<span class="o">()</span> |
| >>> session.close<span class="o">()</span> |
| >>> exit<span class="o">()</span> |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="ldap"> |
| <h3>LDAP<a class="headerlink" href="#ldap" title="Permalink to this headline">¶</a></h3> |
| <p>To turn on LDAP authentication configure your <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code> as follows. Please note that the example uses |
| an encrypted connection to the ldap server as we do not want passwords be readable on the network level.</p> |
| <p>Additionally, if you are using Active Directory, and are not explicitly specifying an OU that your users are in, |
| you will need to change <code class="docutils literal notranslate"><span class="pre">search_scope</span></code> to “SUBTREE”.</p> |
| <p>Valid search_scope options can be found in the <a class="reference external" href="http://ldap3.readthedocs.org/searches.html?highlight=search_scope">ldap3 Documentation</a></p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">authenticate</span> <span class="o">=</span> True |
| <span class="nv">auth_backend</span> <span class="o">=</span> airflow.contrib.auth.backends.ldap_auth |
| |
| <span class="o">[</span>ldap<span class="o">]</span> |
| <span class="c1"># set a connection without encryption: uri = ldap://<your.ldap.server>:<port></span> |
| <span class="nv">uri</span> <span class="o">=</span> ldaps://<your.ldap.server>:<port> |
| <span class="nv">user_filter</span> <span class="o">=</span> <span class="nv">objectClass</span><span class="o">=</span>* |
| <span class="c1"># in case of Active Directory you would use: user_name_attr = sAMAccountName</span> |
| <span class="nv">user_name_attr</span> <span class="o">=</span> uid |
| <span class="c1"># group_member_attr should be set accordingly with *_filter</span> |
| <span class="c1"># eg :</span> |
| <span class="c1"># group_member_attr = groupMembership</span> |
| <span class="c1"># superuser_filter = groupMembership=CN=airflow-super-users...</span> |
| <span class="nv">group_member_attr</span> <span class="o">=</span> memberOf |
| <span class="nv">superuser_filter</span> <span class="o">=</span> <span class="nv">memberOf</span><span class="o">=</span><span class="nv">CN</span><span class="o">=</span>airflow-super-users,OU<span class="o">=</span>Groups,OU<span class="o">=</span>RWC,OU<span class="o">=</span>US,OU<span class="o">=</span>NORAM,DC<span class="o">=</span>example,DC<span class="o">=</span>com |
| <span class="nv">data_profiler_filter</span> <span class="o">=</span> <span class="nv">memberOf</span><span class="o">=</span><span class="nv">CN</span><span class="o">=</span>airflow-data-profilers,OU<span class="o">=</span>Groups,OU<span class="o">=</span>RWC,OU<span class="o">=</span>US,OU<span class="o">=</span>NORAM,DC<span class="o">=</span>example,DC<span class="o">=</span>com |
| <span class="nv">bind_user</span> <span class="o">=</span> <span class="nv">cn</span><span class="o">=</span>Manager,dc<span class="o">=</span>example,dc<span class="o">=</span>com |
| <span class="nv">bind_password</span> <span class="o">=</span> insecure |
| <span class="nv">basedn</span> <span class="o">=</span> <span class="nv">dc</span><span class="o">=</span>example,dc<span class="o">=</span>com |
| <span class="nv">cacert</span> <span class="o">=</span> /etc/ca/ldap_ca.crt |
| <span class="c1"># Set search_scope to one of them: BASE, LEVEL , SUBTREE</span> |
| <span class="c1"># Set search_scope to SUBTREE if using Active Directory, and not specifying an Organizational Unit</span> |
| <span class="nv">search_scope</span> <span class="o">=</span> LEVEL |
| </pre></div> |
| </div> |
| <p>The superuser_filter and data_profiler_filter are optional. If defined, these configurations allow you to specify LDAP groups that users must belong to in order to have superuser (admin) and data-profiler permissions. If undefined, all users will be superusers and data profilers.</p> |
| </div> |
| <div class="section" id="roll-your-own"> |
| <h3>Roll your own<a class="headerlink" href="#roll-your-own" title="Permalink to this headline">¶</a></h3> |
| <p>Airflow uses <code class="docutils literal notranslate"><span class="pre">flask_login</span></code> and |
| exposes a set of hooks in the <code class="docutils literal notranslate"><span class="pre">airflow.default_login</span></code> module. You can |
| alter the content and make it part of the <code class="docutils literal notranslate"><span class="pre">PYTHONPATH</span></code> and configure it as a backend in <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code>.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">authenticate</span> <span class="o">=</span> True |
| <span class="nv">auth_backend</span> <span class="o">=</span> mypackage.auth |
| </pre></div> |
| </div> |
| </div> |
| </div> |
| <div class="section" id="multi-tenancy"> |
| <h2>Multi-tenancy<a class="headerlink" href="#multi-tenancy" title="Permalink to this headline">¶</a></h2> |
| <p>You can filter the list of dags in webserver by owner name when authentication |
| is turned on by setting <code class="docutils literal notranslate"><span class="pre">webserver:filter_by_owner</span></code> in your config. With this, a user will see |
| only the dags which it is owner of, unless it is a superuser.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">filter_by_owner</span> <span class="o">=</span> True |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="kerberos"> |
| <h2>Kerberos<a class="headerlink" href="#kerberos" title="Permalink to this headline">¶</a></h2> |
| <p>Airflow has initial support for Kerberos. This means that airflow can renew kerberos |
| tickets for itself and store it in the ticket cache. The hooks and dags can make use of ticket |
| to authenticate against kerberized services.</p> |
| <div class="section" id="limitations"> |
| <h3>Limitations<a class="headerlink" href="#limitations" title="Permalink to this headline">¶</a></h3> |
| <p>Please note that at this time, not all hooks have been adjusted to make use of this functionality. |
| Also it does not integrate kerberos into the web interface and you will have to rely on network |
| level security for now to make sure your service remains secure.</p> |
| <p>Celery integration has not been tried and tested yet. However, if you generate a key tab for every |
| host and launch a ticket renewer next to every worker it will most likely work.</p> |
| </div> |
| <div class="section" id="enabling-kerberos"> |
| <h3>Enabling kerberos<a class="headerlink" href="#enabling-kerberos" title="Permalink to this headline">¶</a></h3> |
| <div class="section" id="airflow"> |
| <h4>Airflow<a class="headerlink" href="#airflow" title="Permalink to this headline">¶</a></h4> |
| <p>To enable kerberos you will need to generate a (service) key tab.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="c1"># in the kadmin.local or kadmin shell, create the airflow principal</span> |
| kadmin: addprinc -randkey airflow/fully.qualified.domain.name@YOUR-REALM.COM |
| |
| <span class="c1"># Create the airflow keytab file that will contain the airflow principal</span> |
| kadmin: xst -norandkey -k airflow.keytab airflow/fully.qualified.domain.name |
| </pre></div> |
| </div> |
| <p>Now store this file in a location where the airflow user can read it (chmod 600). And then add the following to |
| your <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code></p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>core<span class="o">]</span> |
| <span class="nv">security</span> <span class="o">=</span> kerberos |
| |
| <span class="o">[</span>kerberos<span class="o">]</span> |
| <span class="nv">keytab</span> <span class="o">=</span> /etc/airflow/airflow.keytab |
| <span class="nv">reinit_frequency</span> <span class="o">=</span> <span class="m">3600</span> |
| <span class="nv">principal</span> <span class="o">=</span> airflow |
| </pre></div> |
| </div> |
| <p>Launch the ticket renewer by</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="c1"># run ticket renewer</span> |
| airflow kerberos |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="hadoop"> |
| <h4>Hadoop<a class="headerlink" href="#hadoop" title="Permalink to this headline">¶</a></h4> |
| <p>If want to use impersonation this needs to be enabled in <code class="docutils literal notranslate"><span class="pre">core-site.xml</span></code> of your hadoop config.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><property> |
| <name>hadoop.proxyuser.airflow.groups</name> |
| <value>*</value> |
| </property> |
| |
| <property> |
| <name>hadoop.proxyuser.airflow.users</name> |
| <value>*</value> |
| </property> |
| |
| <property> |
| <name>hadoop.proxyuser.airflow.hosts</name> |
| <value>*</value> |
| </property> |
| </pre></div> |
| </div> |
| <p>Of course if you need to tighten your security replace the asterisk with something more appropriate.</p> |
| </div> |
| </div> |
| <div class="section" id="using-kerberos-authentication"> |
| <h3>Using kerberos authentication<a class="headerlink" href="#using-kerberos-authentication" title="Permalink to this headline">¶</a></h3> |
| <p>The hive hook has been updated to take advantage of kerberos authentication. To allow your DAGs to |
| use it, simply update the connection details with, for example:</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">{</span> <span class="s2">"use_beeline"</span>: true, <span class="s2">"principal"</span>: <span class="s2">"hive/_HOST@EXAMPLE.COM"</span><span class="o">}</span> |
| </pre></div> |
| </div> |
| <p>Adjust the principal to your settings. The _HOST part will be replaced by the fully qualified domain name of |
| the server.</p> |
| <p>You can specify if you would like to use the dag owner as the user for the connection or the user specified in the login |
| section of the connection. For the login user, specify the following as extra:</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">{</span> <span class="s2">"use_beeline"</span>: true, <span class="s2">"principal"</span>: <span class="s2">"hive/_HOST@EXAMPLE.COM"</span>, <span class="s2">"proxy_user"</span>: <span class="s2">"login"</span><span class="o">}</span> |
| </pre></div> |
| </div> |
| <p>For the DAG owner use:</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">{</span> <span class="s2">"use_beeline"</span>: true, <span class="s2">"principal"</span>: <span class="s2">"hive/_HOST@EXAMPLE.COM"</span>, <span class="s2">"proxy_user"</span>: <span class="s2">"owner"</span><span class="o">}</span> |
| </pre></div> |
| </div> |
| <p>and in your DAG, when initializing the HiveOperator, specify:</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="nv">run_as_owner</span><span class="o">=</span>True |
| </pre></div> |
| </div> |
| <p>To use kerberos authentication, you must install Airflow with the <cite>kerberos</cite> extras group:</p> |
| <div class="highlight-base notranslate"><div class="highlight"><pre><span></span>pip install airflow[kerberos] |
| </pre></div> |
| </div> |
| </div> |
| </div> |
| <div class="section" id="oauth-authentication"> |
| <h2>OAuth Authentication<a class="headerlink" href="#oauth-authentication" title="Permalink to this headline">¶</a></h2> |
| <div class="section" id="github-enterprise-ghe-authentication"> |
| <h3>GitHub Enterprise (GHE) Authentication<a class="headerlink" href="#github-enterprise-ghe-authentication" title="Permalink to this headline">¶</a></h3> |
| <p>The GitHub Enterprise authentication backend can be used to authenticate users |
| against an installation of GitHub Enterprise using OAuth2. You can optionally |
| specify a team whitelist (composed of slug cased team names) to restrict login |
| to only members of those teams.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">authenticate</span> <span class="o">=</span> True |
| <span class="nv">auth_backend</span> <span class="o">=</span> airflow.contrib.auth.backends.github_enterprise_auth |
| |
| <span class="o">[</span>github_enterprise<span class="o">]</span> |
| <span class="nv">host</span> <span class="o">=</span> github.example.com |
| <span class="nv">client_id</span> <span class="o">=</span> oauth_key_from_github_enterprise |
| <span class="nv">client_secret</span> <span class="o">=</span> oauth_secret_from_github_enterprise |
| <span class="nv">oauth_callback_route</span> <span class="o">=</span> /example/ghe_oauth/callback |
| <span class="nv">allowed_teams</span> <span class="o">=</span> <span class="m">1</span>, <span class="m">345</span>, <span class="m">23</span> |
| </pre></div> |
| </div> |
| <div class="admonition note"> |
| <p class="first admonition-title">Note</p> |
| <p class="last">If you do not specify a team whitelist, anyone with a valid account on |
| your GHE installation will be able to login to Airflow.</p> |
| </div> |
| <p>To use GHE authentication, you must install Airflow with the <cite>github_enterprise</cite> extras group:</p> |
| <div class="highlight-base notranslate"><div class="highlight"><pre><span></span>pip install airflow[github_enterprise] |
| </pre></div> |
| </div> |
| <div class="section" id="setting-up-ghe-authentication"> |
| <h4>Setting up GHE Authentication<a class="headerlink" href="#setting-up-ghe-authentication" title="Permalink to this headline">¶</a></h4> |
| <p>An application must be setup in GHE before you can use the GHE authentication |
| backend. In order to setup an application:</p> |
| <ol class="arabic simple"> |
| <li>Navigate to your GHE profile</li> |
| <li>Select ‘Applications’ from the left hand nav</li> |
| <li>Select the ‘Developer Applications’ tab</li> |
| <li>Click ‘Register new application’</li> |
| <li>Fill in the required information (the ‘Authorization callback URL’ must be fully qualified e.g. <a class="reference external" href="http://airflow.example.com/example/ghe_oauth/callback">http://airflow.example.com/example/ghe_oauth/callback</a>)</li> |
| <li>Click ‘Register application’</li> |
| <li>Copy ‘Client ID’, ‘Client Secret’, and your callback route to your airflow.cfg according to the above example</li> |
| </ol> |
| </div> |
| <div class="section" id="using-ghe-authentication-with-github-com"> |
| <h4>Using GHE Authentication with github.com<a class="headerlink" href="#using-ghe-authentication-with-github-com" title="Permalink to this headline">¶</a></h4> |
| <p>It is possible to use GHE authentication with github.com:</p> |
| <ol class="arabic simple"> |
| <li><a class="reference external" href="https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app/">Create an Oauth App</a></li> |
| <li>Copy ‘Client ID’, ‘Client Secret’ to your airflow.cfg according to the above example</li> |
| <li>Set <code class="docutils literal notranslate"><span class="pre">host</span> <span class="pre">=</span> <span class="pre">github.com</span></code> and <code class="docutils literal notranslate"><span class="pre">oauth_callback_route</span> <span class="pre">=</span> <span class="pre">/oauth/callback</span></code> in airflow.cfg</li> |
| </ol> |
| </div> |
| </div> |
| <div class="section" id="google-authentication"> |
| <h3>Google Authentication<a class="headerlink" href="#google-authentication" title="Permalink to this headline">¶</a></h3> |
| <p>The Google authentication backend can be used to authenticate users |
| against Google using OAuth2. You must specify the domains to restrict |
| login, separated with a comma, to only members of those domains.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">authenticate</span> <span class="o">=</span> True |
| <span class="nv">auth_backend</span> <span class="o">=</span> airflow.contrib.auth.backends.google_auth |
| |
| <span class="o">[</span>google<span class="o">]</span> |
| <span class="nv">client_id</span> <span class="o">=</span> google_client_id |
| <span class="nv">client_secret</span> <span class="o">=</span> google_client_secret |
| <span class="nv">oauth_callback_route</span> <span class="o">=</span> /oauth2callback |
| <span class="nv">domain</span> <span class="o">=</span> <span class="s2">"example1.com,example2.com"</span> |
| </pre></div> |
| </div> |
| <p>To use Google authentication, you must install Airflow with the <cite>google_auth</cite> extras group:</p> |
| <div class="highlight-base notranslate"><div class="highlight"><pre><span></span>pip install airflow[google_auth] |
| </pre></div> |
| </div> |
| <div class="section" id="setting-up-google-authentication"> |
| <h4>Setting up Google Authentication<a class="headerlink" href="#setting-up-google-authentication" title="Permalink to this headline">¶</a></h4> |
| <p>An application must be setup in the Google API Console before you can use the Google authentication |
| backend. In order to setup an application:</p> |
| <ol class="arabic simple"> |
| <li>Navigate to <a class="reference external" href="https://console.developers.google.com/apis/">https://console.developers.google.com/apis/</a></li> |
| <li>Select ‘Credentials’ from the left hand nav</li> |
| <li>Click ‘Create credentials’ and choose ‘OAuth client ID’</li> |
| <li>Choose ‘Web application’</li> |
| <li>Fill in the required information (the ‘Authorized redirect URIs’ must be fully qualified e.g. <a class="reference external" href="http://airflow.example.com/oauth2callback">http://airflow.example.com/oauth2callback</a>)</li> |
| <li>Click ‘Create’</li> |
| <li>Copy ‘Client ID’, ‘Client Secret’, and your redirect URI to your airflow.cfg according to the above example</li> |
| </ol> |
| </div> |
| </div> |
| </div> |
| <div class="section" id="ssl"> |
| <h2>SSL<a class="headerlink" href="#ssl" title="Permalink to this headline">¶</a></h2> |
| <p>SSL can be enabled by providing a certificate and key. Once enabled, be sure to use |
| “<a class="reference external" href="https://">https://</a>” in your browser.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>webserver<span class="o">]</span> |
| <span class="nv">web_server_ssl_cert</span> <span class="o">=</span> <path to cert> |
| <span class="nv">web_server_ssl_key</span> <span class="o">=</span> <path to key> |
| </pre></div> |
| </div> |
| <p>Enabling SSL will not automatically change the web server port. If you want to use the |
| standard port 443, you’ll need to configure that too. Be aware that super user privileges |
| (or cap_net_bind_service on Linux) are required to listen on port 443.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="c1"># Optionally, set the server to listen on the standard SSL port.</span> |
| <span class="nv">web_server_port</span> <span class="o">=</span> <span class="m">443</span> |
| <span class="nv">base_url</span> <span class="o">=</span> http://<hostname or IP>:443 |
| </pre></div> |
| </div> |
| <p>Enable CeleryExecutor with SSL. Ensure you properly generate client and server |
| certs and keys.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>celery<span class="o">]</span> |
| <span class="nv">ssl_active</span> <span class="o">=</span> True |
| <span class="nv">ssl_key</span> <span class="o">=</span> <path to key> |
| <span class="nv">ssl_cert</span> <span class="o">=</span> <path to cert> |
| <span class="nv">ssl_cacert</span> <span class="o">=</span> <path to cacert> |
| </pre></div> |
| </div> |
| </div> |
| <div class="section" id="impersonation"> |
| <h2>Impersonation<a class="headerlink" href="#impersonation" title="Permalink to this headline">¶</a></h2> |
| <p>Airflow has the ability to impersonate a unix user while running task |
| instances based on the task’s <code class="docutils literal notranslate"><span class="pre">run_as_user</span></code> parameter, which takes a user’s name.</p> |
| <p><strong>NOTE:</strong> For impersonations to work, Airflow must be run with <cite>sudo</cite> as subtasks are run |
| with <cite>sudo -u</cite> and permissions of files are changed. Furthermore, the unix user needs to |
| exist on the worker. Here is what a simple sudoers file entry could look like to achieve |
| this, assuming as airflow is running as the <cite>airflow</cite> user. Note that this means that |
| the airflow user must be trusted and treated the same way as the root user.</p> |
| <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>airflow ALL=(ALL) NOPASSWD: ALL |
| </pre></div> |
| </div> |
| <p>Subtasks with impersonation will still log to the same folder, except that the files they |
| log to will have permissions changed such that only the unix user can write to it.</p> |
| <div class="section" id="default-impersonation"> |
| <h3>Default Impersonation<a class="headerlink" href="#default-impersonation" title="Permalink to this headline">¶</a></h3> |
| <p>To prevent tasks that don’t use impersonation to be run with <cite>sudo</cite> privileges, you can set the |
| <code class="docutils literal notranslate"><span class="pre">core:default_impersonation</span></code> config which sets a default user impersonate if <cite>run_as_user</cite> is |
| not set.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>core<span class="o">]</span> |
| <span class="nv">default_impersonation</span> <span class="o">=</span> airflow |
| </pre></div> |
| </div> |
| </div> |
| </div> |
| <div class="section" id="flower-authentication"> |
| <h2>Flower Authentication<a class="headerlink" href="#flower-authentication" title="Permalink to this headline">¶</a></h2> |
| <p>Basic authentication for Celery Flower is supported.</p> |
| <p>You can specify the details either as an optional argument in the Flower process launching |
| command, or as a configuration item in your <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code>. For both cases, please provide |
| <cite>user:password</cite> pairs separated by a comma.</p> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>airflow flower --basic_auth<span class="o">=</span>user1:password1,user2:password2 |
| </pre></div> |
| </div> |
| <div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="o">[</span>celery<span class="o">]</span> |
| <span class="nv">flower_basic_auth</span> <span class="o">=</span> user1:password1,user2:password2 |
| </pre></div> |
| </div> |
| </div> |
| </div> |
| |
| |
| </div> |
| |
| </div> |
| <footer> |
| |
| <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation"> |
| |
| <a href="timezone.html" class="btn btn-neutral float-right" title="Time zones" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right"></span></a> |
| |
| |
| <a href="plugins.html" class="btn btn-neutral" title="Plugins" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a> |
| |
| </div> |
| |
| |
| <hr/> |
| |
| <div role="contentinfo"> |
| <p> |
| |
| </p> |
| </div> |
| Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. |
| |
| </footer> |
| |
| </div> |
| </div> |
| |
| </section> |
| |
| </div> |
| |
| |
| |
| |
| |
| |
| |
| <script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script> |
| <script type="text/javascript" src="_static/jquery.js"></script> |
| <script type="text/javascript" src="_static/underscore.js"></script> |
| <script type="text/javascript" src="_static/doctools.js"></script> |
| <script type="text/javascript" src="_static/language_data.js"></script> |
| |
| |
| |
| |
| <script type="text/javascript" src="_static/js/theme.js"></script> |
| |
| <script type="text/javascript"> |
| jQuery(function () { |
| SphinxRtdTheme.Navigation.enable(true); |
| }); |
| </script> |
| |
| </body> |
| </html> |