This topic describes how to configure Airflow to secure your workload.
Airflow has the ability to impersonate a unix user while running task
instances based on the task’s
run_as_user parameter, which takes a user’s name.
NOTE: For impersonations to work, Airflow requires
sudo as subtasks are run
sudo -u and permissions of files are changed. Furthermore, the unix user
needs to exist on the worker. Here is what a simple sudoers file entry could look
like to achieve this, assuming airflow is running as the
airflow user. This means
the airflow user must be trusted and treated the same way as the root user.
airflow ALL=(ALL) NOPASSWD: ALL
Subtasks with impersonation will still log to the same folder, except that the files they log to will have permissions changed such that only the unix user can write to it.
To prevent tasks that don’t use impersonation to be run with
sudo privileges, you can set the
core:default_impersonation config which sets a default user impersonate if
[core] default_impersonation = airflow