From 7a07034b61cf41d5c9ea87de631b45e3dd180f3d Mon Sep 17 00:00:00 2001 From: vincbeck Date: Fri, 20 Sep 2024 17:15:52 -0400 Subject: [PATCH] Simple auth manager documentation --- .../auth-manager/index.rst | 5 +- .../auth-manager/index.rst | 4 + .../index.rst} | 8 ++ .../core-concepts/auth-manager/simple.rst | 81 +++++++++++++++++++ .../public-airflow-interface.rst | 2 +- docs/apache-airflow/redirects.txt | 1 + 6 files changed, 98 insertions(+), 3 deletions(-) rename docs/apache-airflow/core-concepts/{auth-manager.rst => auth-manager/index.rst} (97%) create mode 100644 docs/apache-airflow/core-concepts/auth-manager/simple.rst diff --git a/docs/apache-airflow-providers-amazon/auth-manager/index.rst b/docs/apache-airflow-providers-amazon/auth-manager/index.rst index 7d9b226037cf..d83c69ba09e9 100644 --- a/docs/apache-airflow-providers-amazon/auth-manager/index.rst +++ b/docs/apache-airflow-providers-amazon/auth-manager/index.rst @@ -22,8 +22,9 @@ AWS auth manager .. warning:: The AWS auth manager is alpha/experimental at the moment and may be subject to change without warning. -Before reading this, you should be familiar with the concept of auth manager. -See :doc:`apache-airflow:core-concepts/auth-manager`. +.. note:: + Before reading this, you should be familiar with the concept of auth manager. + See :doc:`apache-airflow:core-concepts/auth-manager/index`. The AWS auth manager is an auth manager powered by AWS. It uses two services: diff --git a/docs/apache-airflow-providers-fab/auth-manager/index.rst b/docs/apache-airflow-providers-fab/auth-manager/index.rst index 8d19ff56498d..d8d1a06adae5 100644 --- a/docs/apache-airflow-providers-fab/auth-manager/index.rst +++ b/docs/apache-airflow-providers-fab/auth-manager/index.rst @@ -18,6 +18,10 @@ Flask AppBuilder (FAB) auth manager =================================== +.. note:: + Before reading this, you should be familiar with the concept of auth manager. + See :doc:`apache-airflow:core-concepts/auth-manager/index`. + FAB auth (for authentication/authorization) manager is the auth manager that comes by default with Airflow. This auth manager defines the user authentication and user authorization by default in Airflow. The backend used to store all entities used by the FAB auth manager is the Airflow database: :doc:`apache-airflow:database-erd-ref`. diff --git a/docs/apache-airflow/core-concepts/auth-manager.rst b/docs/apache-airflow/core-concepts/auth-manager/index.rst similarity index 97% rename from docs/apache-airflow/core-concepts/auth-manager.rst rename to docs/apache-airflow/core-concepts/auth-manager/index.rst index 521264fd78ba..b219bb949915 100644 --- a/docs/apache-airflow/core-concepts/auth-manager.rst +++ b/docs/apache-airflow/core-concepts/auth-manager/index.rst @@ -37,6 +37,14 @@ If you want to check which auth manager is currently set, you can use the $ airflow config get-value core auth_manager airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager +Available auth managers to use +------------------------------ + +Here is the list of auth managers available today you can use in your Airflow environment. + +* :doc:`/core-concepts/auth-manager/auth-manager/index` +* :doc:`apache-airflow-providers-fab:auth-manager/index` +* :doc:`apache-airflow-providers-amazon:auth-manager/index` Why pluggable auth managers? ---------------------------- diff --git a/docs/apache-airflow/core-concepts/auth-manager/simple.rst b/docs/apache-airflow/core-concepts/auth-manager/simple.rst new file mode 100644 index 000000000000..2bd30004551a --- /dev/null +++ b/docs/apache-airflow/core-concepts/auth-manager/simple.rst @@ -0,0 +1,81 @@ + .. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + .. http://www.apache.org/licenses/LICENSE-2.0 + + .. Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + +Simple auth manager +=================== + +.. note:: + Before reading this, you should be familiar with the concept of auth manager. + See :doc:`apache-airflow:core-concepts/auth-manager/index`. + +.. warning:: + The simple auth manager is intended to be used for development and testing purposes. It should not be used in production environment. + +The simple auth manager is the auth manager that comes by default in Airflow 3. As its name suggests, +the logic and implementation of the simple auth manager is **simple**. + +Manage users +------------ + +Users are managed through the `webserver config file `__. +In this file, the list of users are defined in the constant ``SIMPLE_AUTH_MANAGER_USERS``. Example: + +.. code-block:: python + + SIMPLE_AUTH_MANAGER_USERS = [ + { + "username": "admin", + "role": "admin", + } + ] + +Each user needs two pieces of information: + +* **username**. The user's username +* **role**. The role associated to the user. For more information about these roles, :ref:`see next section `. + +The password is auto-generated for each users and printed out in the webserver logs. +When generated, these passwords are also saved in your environment, therefore they will not change if you stop or restart your environment. + +.. _roles-permissions: + +Manage roles and permissions +---------------------------- + +There is no option to manage roles and permissions in simple auth manager. They are defined as part of the simple auth manager implementation and cannot be modified. +Here is the list of roles defined in simple auth manager. These roles can be associated to users. + +* **viewer**. Read-only permissions on DAGs, assets and pools +* **user**. **viewer** permissions plus all permissions (edit, create, delete) on DAGs +* **op**. **user** permissions plus all permissions on pools, assets, config, connections and variables +* **admin**. All permissions + +Optional features +----------------- + +Disable authentication and allow everyone as admin +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This option allow you to disable authentication and allow everyone as admin. +As a consequence, whoever access the Airflow UI is automatically logged in as an admin with all permissions. + +To enable this feature, you need to set the constant ``SIMPLE_AUTH_MANAGER_ALL_ADMINS`` to ``True`` in the `webserver config file `__. +Example: + +.. code-block:: python + + SIMPLE_AUTH_MANAGER_ALL_ADMINS = True diff --git a/docs/apache-airflow/public-airflow-interface.rst b/docs/apache-airflow/public-airflow-interface.rst index ee5b80e42fb2..2853c6fbe2e1 100644 --- a/docs/apache-airflow/public-airflow-interface.rst +++ b/docs/apache-airflow/public-airflow-interface.rst @@ -337,7 +337,7 @@ derived from :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager`. The auth manager interface itself (the :class:`~airflow.auth.managers.base_auth_manager.BaseAuthManager` class) is public, but the different implementations of auth managers are not (i.e. FabAuthManager). -You can read more about auth managers and how to write your own in :doc:`core-concepts/auth-manager`. +You can read more about auth managers and how to write your own in :doc:`core-concepts/auth-manager/index`. Authentication Backends ----------------------- diff --git a/docs/apache-airflow/redirects.txt b/docs/apache-airflow/redirects.txt index 542840535fb1..8f5bac18abfe 100644 --- a/docs/apache-airflow/redirects.txt +++ b/docs/apache-airflow/redirects.txt @@ -100,6 +100,7 @@ logging-monitoring/index.rst administration-and-deployment/logging-monitoring/in concepts/index.rst core-concepts/index.rst executor/index.rst core-concepts/executor/index.rst upgrading-from-1-10/index.rst howto/upgrading-from-1-10/index.rst +core-concepts/auth-manager.rst core-concepts/auth-manager/index.rst listeners.rst administration-and-deployment/listeners.rst kubernetes.rst administration-and-deployment/kubernetes.rst