Authentication backends (LDAP, OAuth) in Apache Airflow - Commands & Configuration

Introduction
When you want to control who can access your Airflow web interface, you use authentication backends. LDAP and OAuth let you connect Airflow to existing login systems so users can sign in with their usual credentials.
When your company uses LDAP for employee login and you want Airflow to use the same login system.
When you want users to log in to Airflow using their Google or GitHub accounts via OAuth.
When you want to avoid managing separate usernames and passwords for Airflow.
When you want to improve security by using centralized authentication.
When you want to allow single sign-on (SSO) for Airflow users.
Config File - airflow.cfg
[webserver]
# Enable authentication
authenticate = True

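# Choose the authentication backend (enable only one)
# For LDAP use airflow.contrib.auth.backends.ldap_auth
# For OAuth use airflow.www.fab_security.manager.OAuthUserMixin
auth_backend = airflow.contrib.auth.backends.ldap_auth

# Example LDAP backend configuration
[ldap]
# ldap:// is unencrypted; use ldaps:// outside a test environment
uri = ldap://ldap.example.com
user_filter = (objectClass=person)
bind_user = cn=admin,dc=example,dc=com
# Placeholder; keep the real bind password out of version control
bind_password = admin_password
basedn = dc=example,dc=com

# Example OAuth backend configuration
[oauth]
client_id = your_client_id
# Placeholder; keep the real client secret out of version control
client_secret = your_client_secret
authorize_url = https://accounts.google.com/o/oauth2/auth
access_token_url = https://accounts.google.com/o/oauth2/token
# http:// is only suitable for local testing; use https:// for a deployed webserver
redirect_uri = http://localhost:8080/oauth2callback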

The [webserver] section enables authentication and sets the backend type.

The [ldap] section configures connection details to your LDAP server.

The [oauth] section holds OAuth client credentials and URLs for authorization and token exchange.

You enable one backend at a time by setting the backend path in the webserver section.

Commands
Starts the Airflow webserver on port 8080 with authentication enabled using the configured backend.
Terminal
airflow webserver --port 8080
Expected Output
Serving Flask app 'airflow.www.app' (lazy loading)
 * Environment: production
 * Debug mode: off
 * Running on http://0.0.0.0:8080/ (Press CTRL+C to quit)
--port - Specifies the port number for the webserver
Checks the webserver response to verify that authentication is required before accessing Airflow UI.
Terminal
curl -i http://localhost:8080
Expected Output
HTTP/1.0 302 FOUND
Location: /login
Content-Type: text/html; charset=utf-8
Creates a new Airflow user named Alice with Admin role for login when using authentication backends that require user creation.
Terminal
airflow users create --username alice --firstname Alice --lastname Smith --role Admin --email alice@example.com
Expected Output
User alice created successfully
--role - Assigns the user role for permissions
Key Concept

If you remember nothing else from this pattern, remember: configuring Airflow to use LDAP or OAuth lets users log in with existing credentials, improving security and convenience.

Common Mistakes
Not enabling authentication in airflow.cfg (authenticate = False)
Airflow will not require login and will allow open access.
Set authenticate = True in the [webserver] section to enable login.
Using wrong backend path or missing backend configuration
Airflow will fail to authenticate users or fall back to no authentication.
Set the correct backend path in airflow.cfg and provide all required settings for LDAP or OAuth.
Not creating users when required by the backend
Users cannot log in if they do not exist in Airflow's user database.
Use the airflow users create command to add users before login.
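The first two mistakes above, along with the transport and secret-handling weaknesses visible in the sample config, can be caught before the webserver starts. The Python check below is an added example, not part of the original tutorial or of Airflow itself. It assumes an airflow.cfg laid out like the one on this page, with the backend path under an auth_backend key in [webserver]; the finding codes and the sample file are constructed for the example.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample in the page's airflow.cfg layout; all values are placeholders.
SAMPLE_CFG = """
[webserver]
authenticate = True

[ldap]
uri = ldap://ldap.example.com
bind_password = admin_password

[oauth]
client_secret = your_client_secret
redirect_uri = http://localhost:8080/oauth2callback
"""

def audit_airflow_cfg(text):
    """Return sorted finding codes (names are this example's own) for a config string."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = set()

    # Mistake 1: login is not enforced at all.
    if not cfg.getboolean("webserver", "authenticate", fallback=False):
        findings.add("AUTH_DISABLED")
    # Mistake 2: login is on but no backend path is set (auth_backend key assumed).
    elif not cfg.get("webserver", "auth_backend", fallback="").strip():
        findings.add("NO_BACKEND")

    # ldap:// carries the bind password and user logins unencrypted.
    if cfg.get("ldap", "uri", fallback="").strip().lower().startswith("ldap://"):
        findings.add("LDAP_CLEARTEXT")

    # A secret written inline is readable by anyone who can read the file.
    for section, key in (("ldap", "bind_password"), ("oauth", "client_secret")):
        if cfg.get(section, key, fallback="").strip():
            findings.add("INLINE_SECRET:%s.%s" % (section, key))

    # A plain-http callback is acceptable only on the loopback host.
    redirect = urlsplit(cfg.get("oauth", "redirect_uri", fallback="").strip())
    if redirect.scheme == "http" and redirect.hostname not in ("localhost", "127.0.0.1"):
        findings.add("OAUTH_REDIRECT_HTTP")
    return sorted(findings)

if __name__ == "__main__":
    for code in audit_airflow_cfg(SAMPLE_CFG):
        print(code)
```

Running it against a real file means passing the file's contents to audit_airflow_cfg; an empty list means none of these checks fired.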
Summary
Enable authentication in airflow.cfg by setting authenticate = True.
Configure either LDAP or OAuth backend with correct connection and credential details.
Start the Airflow webserver and verify login is required.
Create users if the backend requires it for login.