Google Git
Sign in
apache / airflow-site / f7689e56856a989d8bb9f316d2e95fc25cbe24d7 / . / docs-archive / apache-airflow / 2.0.0 / apache-airflow / stable / _sources / security / webserver.rst.txt
blob: 93c18248f3a86563facfeed69d74073caa700ed0 [file] [log] [blame]
.. Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
.. http://www.apache.org/licenses/LICENSE-2.0
.. Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
Webserver
=========
This topic describes how to configure Airflow to secure your webserver.
.. contents::
:depth: 1
:local:
Rendering Airflow UI in a Web Frame from another site
------------------------------------------------------
Using Airflow in a web frame is enabled by default. To disable this (and prevent click jacking attacks)
set the below:
.. code-block:: ini
[webserver]
x_frame_enabled = False
Sensitive Variable fields
-------------------------
By default, Airflow Value of a variable will be hidden if the key contains any words in
(‘password’, ‘secret’, ‘passwd’, ‘authorization’, ‘api_key’, ‘apikey’, ‘access_token’), but can be configured
to extend this list by using the following configurations option:
.. code-block:: ini
[admin]
hide_sensitive_variable_fields = comma_separated_sensitive_variable_fields_list
Web Authentication
------------------
By default, Airflow requires users to specify a password prior to login. You can use the
following CLI commands to create an account:
.. code-block:: bash
# create an admin user
airflow users create \
--username admin \
--firstname Peter \
--lastname Parker \
--role Admin \
--email spiderman@superhero.org
It is however possible to switch on authentication by either using one of the supplied
backends or creating your own.
Be sure to checkout :doc:`/rest-api-ref` for securing the API.
.. note::
Airflow uses the config parser of Python. This config parser interpolates
'%'-signs. Make sure escape any ``%`` signs in your config file (but not
environment variables) as ``%%``, otherwise Airflow might leak these
passwords on a config parser exception to a log.
Password
''''''''
One of the simplest mechanisms for authentication is requiring users to specify a password before logging in.
Please use command line interface ``airflow users create`` to create accounts, or do that in the UI.
Other Methods
'''''''''''''
Standing on the shoulder of underlying framework Flask-AppBuilder, Airflow also supports authentication methods like
OAuth, OpenID, LDAP, REMOTE_USER. You can configure in ``$AIRFLOW_HOME/webserver_config.py``.
For details, please refer to
`Security section of FAB documentation <https://flask-appbuilder.readthedocs.io/en/latest/security.html>`_.
SSL
---
SSL can be enabled by providing a certificate and key. Once enabled, be sure to use
"https://" in your browser.
.. code-block:: ini
[webserver]
web_server_ssl_cert = <path to cert>
web_server_ssl_key = <path to key>
Enabling SSL will not automatically change the web server port. If you want to use the
standard port 443, you'll need to configure that too. Be aware that super user privileges
(or cap_net_bind_service on Linux) are required to listen on port 443.
.. code-block:: ini
# Optionally, set the server to listen on the standard SSL port.
web_server_port = 443
base_url = http://<hostname or IP>:443
Enable CeleryExecutor with SSL. Ensure you properly generate client and server
certs and keys.
.. code-block:: ini
[celery]
ssl_active = True
ssl_key = <path to key>
ssl_cert = <path to cert>
ssl_cacert = <path to cacert>