Webserver

This topic describes how to configure Airflow to secure your webserver.

Rendering Airflow UI in a Web Frame from another site

Using Airflow in a web frame is enabled by default. To disable this (and prevent click jacking attacks) set the below:

[webserver]
x_frame_enabled = False

Sensitive Variable fields

By default, Airflow Value of a variable will be hidden if the key contains any words in (‘password’, ‘secret’, ‘passwd’, ‘authorization’, ‘api_key’, ‘apikey’, ‘access_token’), but can be configured to extend this list by using the following configurations option:

[admin]
hide_sensitive_variable_fields = comma_separated_sensitive_variable_fields_list

Web Authentication

By default, Airflow requires users to specify a password prior to login. You can use the following CLI commands to create an account:

# create an admin user
airflow users create \
    --username admin \
    --firstname Peter \
    --lastname Parker \
    --role Admin \
    --email spiderman@superhero.org

It is however possible to switch on authentication by either using one of the supplied backends or creating your own.

To deactivate the authentication and allow users to be identified as Anonymous, the following entry in $AIRFLOW_HOME/webserver_config.py needs to be set with the desired role that the Anonymous user will have by default:

AUTH_ROLE_PUBLIC = 'Admin'

Be sure to checkout Experimental REST API Reference for securing the API.

Note

Airflow uses the config parser of Python. This config parser interpolates '%'-signs. Make sure escape any % signs in your config file (but not environment variables) as %%, otherwise Airflow might leak these passwords on a config parser exception to a log.

Password

One of the simplest mechanisms for authentication is requiring users to specify a password before logging in.

Please use command line interface airflow users create to create accounts, or do that in the UI.

Other Methods

Since the Airflow 2.0, the default UI is the Flask App Builder RBAC. A webserver_config.py configuration file it's automatically generated and can be used to configure the Airflow to support authentication methods like OAuth, OpenID, LDAP, REMOTE_USER.

For previous versions from Airflow, the $AIRFLOW_HOME/airflow.cfg following entry needs to be set to enable the Flask App Builder RBAC UI.

rbac = True

The default authentication option described in the Web Authentication section it's related with the following entry in the $AIRFLOW_HOME/webserver_config.py.

AUTH_TYPE = AUTH_DB

Another way to create users it's in the UI login page, allowing user self registration through a "Register" button. The following entries in the $AIRFLOW_HOME/webserver_config.py can be edited to make it possible:

AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Desired Role For The Self Registered User"
RECAPTCHA_PRIVATE_KEY = 'private_key'
RECAPTCHA_PUBLIC_KEY = 'public_key'

MAIL_SERVER = 'smtp.gmail.com'
MAIL_USE_TLS = True
MAIL_USERNAME = 'yourappemail@gmail.com'
MAIL_PASSWORD = 'passwordformail'
MAIL_DEFAULT_SENDER = 'sender@gmail.com'

The package Flask-Mail needs to be installed through pip to allow user self registration since it is a feature provided by the framework Flask-AppBuilder.

To support authentication through a third-party provider, the AUTH_TYPE entry needs to be updated with the desired option like OAuth, OpenID, LDAP, and the lines with references for the chosen option need to have the comments removed and configured in the $AIRFLOW_HOME/webserver_config.py.

For more details, please refer to Security section of FAB documentation.

SSL

SSL can be enabled by providing a certificate and key. Once enabled, be sure to use "https://" in your browser.

[webserver]
web_server_ssl_cert = <path to cert>
web_server_ssl_key = <path to key>

Enabling SSL will not automatically change the web server port. If you want to use the standard port 443, you'll need to configure that too. Be aware that super user privileges (or cap_net_bind_service on Linux) are required to listen on port 443.

# Optionally, set the server to listen on the standard SSL port.
web_server_port = 443
base_url = http://<hostname or IP>:443

Enable CeleryExecutor with SSL. Ensure you properly generate client and server certs and keys.

[celery]
ssl_active = True
ssl_key = <path to key>
ssl_cert = <path to cert>
ssl_cacert = <path to cacert>

Was this entry helpful?