
Role-based access control (RBAC) in Apache Airflow - Commands & Configuration

Introduction
Role-based access control (RBAC) helps you control who can do what in Apache Airflow. It solves the problem of managing permissions for different users by assigning roles with specific access rights.
When you want to let some users only view workflows but not change them
When you need to allow operators to trigger tasks but not modify DAGs
When you want to restrict access to sensitive data or logs to certain users
When you want to manage permissions easily by grouping users into roles
When you want to audit who accessed or changed Airflow resources
Config File - airflow.cfg
[webserver]
rbac = True

[api]
auth_backend = airflow.api.auth.backend.basic_auth

[security]
# Default roles: Admin, User, Op, Viewer

This configuration file enables RBAC in Airflow by setting rbac = True under the webserver section. It also configures basic authentication for the API. The security section notes the default roles available for assignment.

Commands
This command creates a new Airflow user named Alice with the Admin role, giving her full access to Airflow features.
airflow users create --username alice --firstname Alice --lastname Smith --role Admin --email alice@example.com
Expected Output
User "alice" created successfully
--username - Sets the username for the new user
--role - Assigns the role that defines permissions
--email - Sets the user's email address
This command creates a user named Bob with the Viewer role, allowing him to only view Airflow resources without making changes.
airflow users create --username bob --firstname Bob --lastname Lee --role Viewer --email bob@example.com
Expected Output
User "bob" created successfully
--role Viewer - Assigns the read-only Viewer role to the user
This command lists all users and their roles to verify who has access and what permissions they have.
airflow users list
Expected Output
Username  Firstname  Lastname  Email              Role
alice     Alice      Smith     alice@example.com  Admin
bob       Bob        Lee       bob@example.com    Viewer
This command shows all available roles in Airflow and their permissions to help you decide which role to assign.
airflow roles list
Expected Output
Role
Admin
User
Op
Viewer
Key Concept

If you remember nothing else from RBAC, remember: assign roles to users to control exactly what they can see and do in Airflow.

Common Mistakes
Mistake: Not enabling RBAC in airflow.cfg before creating users
Why it matters: Users and roles won't be recognized without RBAC enabled, so permissions won't work
Fix: Set 'rbac = True' under the [webserver] section in airflow.cfg and restart Airflow

Mistake: Assigning Admin role to all users by default
Why it matters: Gives unnecessary full access, increasing security risks
Fix: Assign least privilege roles like Viewer or User unless full access is needed

Mistake: Not verifying user roles with 'airflow users list'
Why it matters: You might not notice wrong or missing permissions causing access issues
Fix: Regularly run 'airflow users list' to confirm correct role assignments
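
The last two mistakes can be checked together with a small script that flags any account holding the Admin role without being on an approved list. This is an added example, not part of the original tutorial or of Airflow itself. It assumes the whitespace-separated column layout shown in the expected output of 'airflow users list' above; the function names, the approved list, and the user carol are hypothetical.

```shell
#!/bin/sh
# Added example: least-privilege check over a user listing.
# Assumption: rows are "Username Firstname Lastname Email Role",
# whitespace separated, as in the expected output shown on this page.

# audit_admins APPROVED_CSV  < user-list
# Prints one line per Admin account that is not in APPROVED_CSV.
# Exit status is 1 if any unapproved Admin was found, 0 otherwise.
audit_admins() {
    awk -v approved="$1" '
        BEGIN {
            bad = 0
            n = split(approved, names, ",")
            for (i = 1; i <= n; i++) ok[names[i]] = 1
        }
        NR == 1 && $1 == "Username" { next }   # skip the header row
        NF < 5 { next }                        # skip blank or short lines
        $NF == "Admin" && !($1 in ok) {
            # last field is the role, the one before it is the email
            printf "UNAPPROVED_ADMIN %s %s\n", $1, $(NF - 1)
            bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample input: alice and bob come from the page,
# carol is a hypothetical account added to trigger the check.
sample_users() {
    cat <<'EOF'
Username Firstname Lastname Email Role
alice Alice Smith alice@example.com Admin
bob Bob Lee bob@example.com Viewer
carol Carol Diaz carol@example.com Admin
EOF
}

# Offline demonstration: only alice is approved, so carol is reported.
sample_users | audit_admins "alice" || echo "Review the accounts listed above."

# Against a live deployment (adjust field positions if your version
# prints a different table):
#   airflow users list | audit_admins "alice"
```

Running the check from a scheduled job and alerting on a non-zero exit status turns the manual 'airflow users list' review into a recurring control.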
Summary
Enable RBAC in airflow.cfg by setting 'rbac = True' under the webserver section.
Create users with specific roles using 'airflow users create' to control access.
Use 'airflow users list' and 'airflow roles list' to verify users and available roles.