This topic describes how to configure Airflow to secure your workload.
Airflow has the ability to impersonate a unix user while running task
instances based on the task's
run_as_user parameter, which takes a user's name.
NOTE: For impersonations to work, Airflow must be run with
sudo as subtasks are run
sudo -u and permissions of files are changed. Furthermore, the unix user needs to
exist on the worker. Here is what a simple sudoers file entry could look like to achieve
this, assuming as airflow is running as the
airflow user. Note that this means that
the airflow user must be trusted and treated the same way as the root user.
airflow ALL=(ALL) NOPASSWD: ALL
Subtasks with impersonation will still log to the same folder, except that the files they log to will have permissions changed such that only the unix user can write to it.
To prevent tasks that don't use impersonation to be run with
sudo privileges, you can set the
core:default_impersonation config which sets a default user impersonate if
[core] default_impersonation = airflow