Roles and Permissions
Apache Airflow provides a Role-Based Access Control (RBAC) system that lets you define granular permissions for users and groups. In Airflow 2 it is implemented by the Flask AppBuilder (FAB) security manager that sits behind the webserver and the REST API, so a user can only see and act on the resources their roles permit.
Core Concepts
- Roles: A role is a collection of permissions. Users are assigned roles, and through these roles, they inherit the associated permissions.
- Permissions: A permission is a specific action that can be performed on a specific resource. For example, 'can_read' on a DAG, 'can_edit' on a Connection.
- Resources: Resources are the objects within Airflow that permissions apply to. This can include DAGs, Connections, Variables, Pools, etc.
Default Roles
Airflow ships with five default roles. Each role below is a superset of the one before it:
- Public: No permissions. This is the role applied to unauthenticated requests, so leave it empty unless you deliberately want anonymous read access.
- Viewer: Read-only access to DAGs, DAG Runs, Task Instances, task logs and related views. Cannot change any state.
- User: Viewer permissions plus the ability to change DAG state: edit and delete DAGs (pause and unpause), and create, edit and delete DAG Runs and Task Instances (trigger, clear, mark success or failed).
- Op: User permissions plus the Admin menu: create, read, edit and delete Connections, Variables and Pools, delete XComs, and read Configurations (when expose_config is enabled) and Providers. Because Connections and Variables hold credentials, Op is effectively a secrets-reader role.
- Admin: All permissions, including managing users, roles and permissions.
Permission Model
Every permission is a pair of an action and a resource type. Airflow 2 has five actions: can_create, can_read, can_edit, can_delete and menu_access (which only controls whether a menu entry is shown). For instance:
- can_read on DAGs
- can_edit on Connections
- can_delete on Variables
Resource Specificity
DAG permissions can be granted on every DAG at once or on a single DAG. The global resource is named DAGs; the per-DAG resource is named DAG:<dag_id>. For example:
- A role might hold can_read on DAGs, which lets it view any DAG.
- A role might hold can_edit on DAG:my_critical_dag, which lets it edit (for example, pause or unpause) only that DAG.
A check against a specific DAG succeeds if the user holds the action on either the global resource or that DAG's own resource. Other resource types (Connections, Variables, Pools) have no per-object grants: can_read on Connections covers every connection.
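The following is an added illustration of the resolution rule described above; it is a toy model written for this page, not Airflow's own code. It uses Airflow's resource names (DAGs, DAG:<dag_id>, DAG Runs) and the permission sets the Airflow 2 webserver checks for viewing, pausing and triggering a DAG. The role names and DAG ids are made up, and the roles are constructed for the example rather than being Airflow's defaults.

```python
"""Toy model of how Airflow 2 checks an (action, resource) pair against a DAG.

Added illustration, not Airflow's code. Resource names follow Airflow's
convention: "DAGs" is the global DAG resource, "DAG:<dag_id>" covers one DAG,
and "DAG Runs" is the resource whose can_create is needed to trigger a run.
Role names and DAG ids below are made up for the example.
"""
from __future__ import annotations

DAG_RESOURCE = "DAGs"
DAG_PREFIX = "DAG:"
DAG_RUN_RESOURCE = "DAG Runs"

Permission = tuple[str, str]  # (action, resource name)

# Constructed roles for this example (these are not Airflow's default roles).
ROLES: dict[str, set[Permission]] = {
    # reads everything, changes nothing
    "Viewer": {("can_read", DAG_RESOURCE)},
    # may operate exactly one DAG and holds the DAG Runs grant that trigger needs
    "CriticalDagOperator": {
        ("can_read", DAG_RESOURCE),
        ("can_edit", DAG_PREFIX + "my_critical_dag"),
        ("can_create", DAG_RUN_RESOURCE),
    },
    # scoped to one DAG but missing can_create on DAG Runs: can pause, cannot trigger
    "Contractor": {
        ("can_read", DAG_PREFIX + "reporting_dag"),
        ("can_edit", DAG_PREFIX + "reporting_dag"),
    },
}

# UI operations and the permission sets the Airflow 2 webserver checks for them.
OPERATIONS: dict[str, list[Permission]] = {
    "view": [("can_read", DAG_RESOURCE)],
    "pause": [("can_edit", DAG_RESOURCE)],
    "trigger": [("can_edit", DAG_RESOURCE), ("can_create", DAG_RUN_RESOURCE)],
}


def dag_resource(dag_id: str) -> str:
    """Per-DAG resource name, e.g. 'DAG:my_critical_dag'."""
    return f"{DAG_PREFIX}{dag_id}"


def user_permissions(roles: list[str]) -> set[Permission]:
    """A user's effective permissions are the union over all assigned roles."""
    return set().union(*(ROLES.get(r, set()) for r in roles))


def grants(perms: set[Permission], action: str, resource: str, dag_id: str) -> bool:
    """A DAG-typed check passes on the global resource or on the DAG's own
    resource; every other resource type must match exactly."""
    if resource == DAG_RESOURCE:
        return (action, DAG_RESOURCE) in perms or (action, dag_resource(dag_id)) in perms
    return (action, resource) in perms


def can(roles: list[str], operation: str, dag_id: str) -> bool:
    """True only if every permission the operation requires is granted."""
    perms = user_permissions(roles)
    return all(grants(perms, a, r, dag_id) for a, r in OPERATIONS[operation])


def readable_dags(roles: list[str], dag_ids: list[str]) -> list[str]:
    """DAGs the user would see listed in the UI."""
    return [d for d in dag_ids if can(roles, "view", d)]


if __name__ == "__main__":
    dags = ["my_critical_dag", "reporting_dag"]
    for role in ROLES:
        print(role, "sees", readable_dags([role], dags))
        for op in ("pause", "trigger"):
            print(f"  {op}:", {d: can([role], op, d) for d in dags})
```

Two things the model makes visible: a per-DAG can_edit alone is not enough to trigger that DAG, because trigger also needs can_create on the DAG Runs resource, which has no per-DAG form; and a user holding both Contractor and CriticalDagOperator can trigger reporting_dag even though neither role can on its own, since permissions are unioned across roles. Review combinations, not just individual roles.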
Managing Roles and Permissions
You can manage roles and permissions through the Airflow UI or programmatically:
Via the Airflow UI
- Navigate to the Security section in the Airflow UI.
- Click on Roles to view, create, or edit roles.
- When editing a role, you can add or remove permissions from the available list. You can also specify resource-specific permissions.
- Click on Users to manage users and assign them to roles.
Note: A DAG's own resource (DAG:<dag_id>) is created when the DAG is parsed and synced to the metadata database, so a DAG-level permission can only be granted for a DAG that Airflow has already seen. Run airflow sync-perm --include-dags to create missing DAG resources. A DAG file can also declare its own grants with the access_control argument of the DAG object, which is useful when permissions should be versioned alongside the code.
Via the Command Line Interface (CLI)
The Airflow CLI can create users and roles and, in recent 2.x releases, attach permissions to roles with roles add-perms (and remove them with roles del-perms). The role name is a positional argument, and there is no separate option for the DAG id: a DAG-scoped grant is expressed through the resource name DAG:<dag_id>. For example:
airflow users create --username admin --firstname Admin --lastname User --role Admin --email admin@example.com
airflow roles create MyCustomRole
airflow roles add-perms MyCustomRole --action can_read --resource DAGs
airflow roles add-perms MyCustomRole --action can_edit --resource DAG:my_specific_dag
airflow roles list
Without --password, users create prompts for the password interactively, which keeps it out of shell history.
Permission Types and Resources
Airflow 2 uses the same five actions for every resource type; what differs is which action, on which resource, a given UI operation requires. Here is a non-exhaustive list of common resources and what each action means for them:
DAGs (resource DAGs, or DAG:<dag_id> for a single DAG)
- can_read: View a DAG, its runs and its task instances in the UI.
- can_edit: Change a DAG's state, including pause and unpause. Also required, together with the matching DAG Runs or Task Instances action, to trigger, clear or mark tasks.
- can_delete: Delete the DAG from the UI.
DAG Runs
- can_create: Trigger a DAG manually (together with can_edit on the DAG).
- can_read: View DAG runs.
- can_edit: Change a run's state, for example mark it failed or success.
- can_delete: Delete runs.
Task Instances
- can_read: View task instance details.
- can_edit: Mark a task instance success or failed (together with can_edit on the DAG).
- can_delete: Clear task instances so they run again (together with can_edit on the DAG).
Connections, Variables and Pools
- can_create, can_read, can_edit, can_delete: Apply to the whole resource type; there are no per-object grants.
- menu_access: Shows the entry under the Admin menu; it does not by itself allow reading the data.
- Connection and Variable values are secrets. can_read on Connections or Variables exposes them, so restrict these actions to the people who operate the deployment; the default Op role holds them, User does not.
Tip: For a complete and up-to-date list of all available permissions and resources, refer to the Airflow source code or the Airflow UI's role management section.
Best Practices
- Grant the least privilege necessary: prefer DAG-scoped grants (DAG:<dag_id>) over can_edit on DAGs, and keep can_read on Connections and Variables to the roles that actually operate them.
- Use custom roles for specific teams or functions rather than promoting people to Op or Admin.
- Regularly review user roles and permissions, in the UI under Security, with airflow roles list, or by exporting them through the REST API (GET /api/v1/roles and GET /api/v1/users). Remember that a user's permissions are the union of all their roles.
- Leverage the default roles for common use cases, and keep Public empty unless anonymous access is intended.
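As an added example of the review step above (written for this page, not part of Airflow), the script below reads role definitions in the JSON shape returned by the Airflow 2 REST API endpoint GET /api/v1/roles and flags non-admin roles that can read secret-bearing resources or write to every DAG. The payload is constructed for the example; in practice you would fetch it with an authenticated request against your own webserver. The role names and the choice of which roles count as privileged are assumptions for illustration.

```python
"""Audit Airflow role definitions for grants that exceed least privilege.

Added example, not part of Airflow. It parses the JSON shape of
GET /api/v1/roles (each role carries a list of action/resource pairs) and
reports non-admin roles that can read secrets or write to every DAG.
The payload below is constructed for this example.
"""
from __future__ import annotations

import json

# Constructed sample in the /api/v1/roles response shape (not a real deployment).
SAMPLE_RESPONSE = json.dumps({
    "roles": [
        {"name": "Admin", "actions": [
            {"action": {"name": "can_read"}, "resource": {"name": "Connections"}},
            {"action": {"name": "can_edit"}, "resource": {"name": "DAGs"}},
        ]},
        {"name": "Analyst", "actions": [
            {"action": {"name": "can_read"}, "resource": {"name": "DAGs"}},
            {"action": {"name": "can_read"}, "resource": {"name": "Connections"}},
            {"action": {"name": "menu_access"}, "resource": {"name": "Connections"}},
        ]},
        {"name": "ReportingTeam", "actions": [
            {"action": {"name": "can_read"}, "resource": {"name": "DAG:reporting_dag"}},
            {"action": {"name": "can_edit"}, "resource": {"name": "DAG:reporting_dag"}},
            {"action": {"name": "can_create"}, "resource": {"name": "DAG Runs"}},
        ]},
        {"name": "LegacyDeploy", "actions": [
            {"action": {"name": "can_edit"}, "resource": {"name": "DAGs"}},
            {"action": {"name": "can_delete"}, "resource": {"name": "DAGs"}},
        ]},
        {"name": "Public", "actions": []},
    ],
    "total_entries": 5,
})

# Roles expected to hold broad rights (an assumption for this audit); all others are reviewed.
PRIVILEGED_ROLES = {"Admin", "Op"}
# Resource types whose values are credentials or configuration secrets.
SECRET_RESOURCES = {"Connections", "Variables"}
# Global DAG write actions; per-DAG grants ("DAG:<id>") are the preferred form.
GLOBAL_DAG_WRITE = {("can_edit", "DAGs"), ("can_delete", "DAGs")}

Permission = tuple[str, str]


def parse_roles(payload: str) -> dict[str, set[Permission]]:
    """Flatten the API response into role -> {(action, resource)}."""
    data = json.loads(payload)
    return {
        role["name"]: {(a["action"]["name"], a["resource"]["name"]) for a in role["actions"]}
        for role in data["roles"]
    }


def audit(roles: dict[str, set[Permission]]) -> list[tuple[str, str]]:
    """Return (role, finding) pairs for grants a reviewer should justify."""
    findings: list[tuple[str, str]] = []
    for name, perms in sorted(roles.items()):
        if name in PRIVILEGED_ROLES:
            continue
        for action, resource in sorted(perms):
            # menu_access only shows the menu entry; reading the data needs can_read
            if resource in SECRET_RESOURCES and action != "menu_access":
                findings.append((name, f"{action} on {resource} exposes secret values"))
            if (action, resource) in GLOBAL_DAG_WRITE:
                findings.append((name, f"{action} on {resource} applies to every DAG; scope it to DAG:<dag_id>"))
    return findings


def dag_scoped_grants(roles: dict[str, set[Permission]]) -> dict[str, set[str]]:
    """Which specific DAGs each role has been granted any action on."""
    return {
        name: {res[len("DAG:"):] for _, res in perms if res.startswith("DAG:")}
        for name, perms in roles.items()
        if any(res.startswith("DAG:") for _, res in perms)
    }


if __name__ == "__main__":
    parsed = parse_roles(SAMPLE_RESPONSE)
    for role, finding in audit(parsed):
        print(f"[{role}] {finding}")
    print("DAG-scoped grants:", dag_scoped_grants(parsed))
```

On the sample, Analyst is flagged for can_read on Connections, LegacyDeploy for both global DAG write actions, and ReportingTeam passes because its grants are scoped to DAG:reporting_dag. Pair the output with GET /api/v1/users so you also know who holds each flagged role.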