Apache Airflow Documentation

Security

The Airflow security model covers authentication, authorization, and secrets management. This guide explains how to configure each component safely.

Authentication

Airflow supports multiple authentication backends. Choose one that aligns with your organization’s identity provider.

Supported Backends

Configuration Example

# airflow.cfg
[webserver]
authenticate = True
auth_backend = airflow.providers.google.common.auth_backend
# For LDAP, set auth_backend = airflow.providers.ldap.auth_backend

Authorization

Authorization in Airflow controls which users can view or manipulate DAGs, tasks, and connections.

Roles & Permissions

Roles are defined in the Flask‑AppBuilder security model. Default roles include:

Customizing Roles

# Example: create a custom role via the CLI, grant it read access to DAGs,
# then create a user that holds the role
airflow roles create DataScientist
airflow roles add-perms DataScientist -a can_read -r DAGs
airflow users create \
  --username ds_user \
  --firstname "Data" \
  --lastname "Scientist" \
  --role DataScientist \
  --email ds@example.com

Secrets Backend

Airflow can retrieve connection passwords and variables from external secret stores.

Supported Backends

Enable a Secrets Backend

# airflow.cfg
[secrets]
backend = airflow.providers.hashicorp.secrets.vault.VaultBackend
backend_kwargs = {"connections_path": "secret/data/airflow/conns"}

Kerberos

Integrate Airflow with a Kerberos realm for ticket‑based authentication.

Prerequisites

Configuration

# airflow.cfg
[webserver]
auth_backend = airflow.providers.kerberos.auth_backend
[kerberos]
keytab = /etc/airflow/airflow.keytab
principal = airflow/host.example.com@EXAMPLE.COM

LDAP

Use an existing LDAP directory for user authentication.

Configuration Example

# airflow.cfg
[webserver]
authenticate = True
auth_backend = airflow.providers.ldap.auth_backend

[ldap]
uri = ldaps://ldap.example.com
user_filter = (objectClass=person)
bind_user = cn=admin,dc=example,dc=com
bind_password = ********
basedn = dc=example,dc=com
email_attribute = mail
# Map LDAP groups to Airflow roles.
# Every continuation line of a multi-line value, including the closing brace, must be indented.
role_mapping = {
    "cn=airflow-admins,ou=groups,dc=example,dc=com": "Admin",
    "cn=airflow-users,ou=groups,dc=example,dc=com": "User"
    }

Full Example – Secure Production Setup

# airflow.cfg (excerpt)
[core]
executor = CeleryExecutor
load_examples = False

[webserver]
authenticate = True
auth_backend = airflow.providers.google.common.auth_backend
csrf_enabled = True
base_url = https://airflow.example.com

[secrets]
backend = airflow.providers.hashicorp.secrets.vault.VaultBackend
backend_kwargs = {"connections_path": "secret/data/airflow/conns"}

[ldap]
uri = ldaps://ldap.example.com
bind_user = cn=admin,dc=example,dc=com
bind_password = ********
basedn = dc=example,dc=com
role_mapping = {"cn=airflow-admins,ou=groups,dc=example,dc=com":"Admin"}

[kerberos]
keytab = /etc/airflow/airflow.keytab
principal = airflow/airflow.example.com@EXAMPLE.COM

[api]
auth_backends = airflow.api.auth.backend.basic_auth,airflow.api.auth.backend.session

Apply the configuration, restart the webserver and scheduler, and verify that users can log in, that they see only the DAGs they are permitted to see, and that all credentials are fetched from Vault.
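
Part of the verification step above can be scripted as a static check of airflow.cfg before the restart. The following is an added example, not code from the Airflow project or from this guide: the function name `audit` and the sample configuration are constructed, and it reads only keys shown in this guide plus `airflow.api.auth.backend.default`, Airflow's allow-all API backend.

```python
import configparser

# Constructed sample: the production excerpt above with several settings weakened.
SAMPLE_CFG = """\
[core]
load_examples = True
[webserver]
authenticate = True
csrf_enabled = True
base_url = http://airflow.example.com
[ldap]
uri = ldap://ldap.example.com
bind_password = constructed-sample-password
[api]
auth_backends = airflow.api.auth.backend.default
"""

def audit(cfg_text):
    """Return sorted 'section.key: problem' findings for an airflow.cfg text."""
    cfg = configparser.ConfigParser(interpolation=None)  # '%' in values is literal
    cfg.read_string(cfg_text)
    get = lambda s, k: cfg.get(s, k, fallback="").strip()
    findings = []

    # Airflow loads the example DAGs unless this is explicitly False.
    if get("core", "load_examples").lower() != "false":
        findings.append("core.load_examples: example DAGs are loaded")
    for key in ("authenticate", "csrf_enabled"):
        if get("webserver", key).lower() != "true":
            findings.append(f"webserver.{key}: not enabled")
    if not get("webserver", "base_url").startswith("https://"):
        findings.append("webserver.base_url: not served over HTTPS")
    if cfg.has_section("ldap"):
        if not get("ldap", "uri").startswith("ldaps://"):
            findings.append("ldap.uri: not an ldaps:// URI")
        if get("ldap", "bind_password"):
            findings.append("ldap.bind_password: literal secret stored in the file")
    if not get("secrets", "backend"):
        findings.append("secrets.backend: no external secret store configured")
    # airflow.api.auth.backend.default accepts every request without credentials.
    backends = [b.strip() for b in get("api", "auth_backends").split(",")]
    if "airflow.api.auth.backend.default" in backends:
        findings.append("api.auth_backends: unauthenticated API backend enabled")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```

Run against the production excerpt above, this reports only `ldap.bind_password`, because the masked value is still a literal stored in the file rather than fetched from Vault.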