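Airflow provides two ways to restrict which DAGs a user can view:
Add an access control list (ACL) to the DAG object that names the users/groups allowed or denied access to the DAG.
Example code: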
from airflow import DAG
from airflow.operators.bash import BashOperator
from datetime import datetime

# create the DAG
dag = DAG(
    dag_id='my_dag',
    start_date=datetime(2022, 1, 1),
)

# add the ACL to the DAG
dag.access_control = {
    'allow_user': ['user1', 'user2'],
    'allow_group': ['group1', 'group2'],
    'deny_user': ['user3'],
    'deny_group': ['group3'],
}

# add operators to the DAG
task1 = BashOperator(
    task_id='task1',
    bash_command='echo "Hello World"',
    dag=dag,
)
task2 = BashOperator(
    task_id='task2',
    bash_command='echo "Goodbye World"',
    dag=dag,
)

# set dependencies: task2 runs after task1
task2.set_upstream(task1)
In the code above, the DAG object "my_dag" has the following ACL:
Users/groups that are not included in the ACL lists are denied access by default.
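The default-deny evaluation described above, modelled in plain Python as an added example; it is not Airflow's code and not part of the original page. The helper names `check_access` and `audit` are hypothetical, and the rule that a deny entry overrides an allow entry is an assumption the page does not state.

```python
# Added illustration: a plain-Python model of the ACL shape shown above.
# It does not call Airflow; check_access/audit and the precedence rule are assumptions.

# Constructed sample ACL, same keys and values as the page's my_dag example.
ACL = {
    'allow_user': ['user1', 'user2'],
    'allow_group': ['group1', 'group2'],
    'deny_user': ['user3'],
    'deny_group': ['group3'],
}


def check_access(acl, user, groups=()):
    """Return (allowed, reason) for a user and the groups they belong to."""
    groups = set(groups)
    # 1. Explicit deny wins over any allow entry (assumed precedence).
    if user in acl.get('deny_user', ()):
        return False, 'deny_user'
    if groups & set(acl.get('deny_group', ())):
        return False, 'deny_group'
    # 2. Explicit allow, by user name or by any group membership.
    if user in acl.get('allow_user', ()):
        return True, 'allow_user'
    if groups & set(acl.get('allow_group', ())):
        return True, 'allow_group'
    # 3. Default deny: anyone the ACL does not mention gets no access.
    return False, 'default_deny'


def audit(acl, principals):
    """Evaluate several (user, groups) pairs and return {user: (allowed, reason)}."""
    return {user: check_access(acl, user, groups) for user, groups in principals}


if __name__ == '__main__':
    # Constructed principals covering each branch, including allow/deny conflicts.
    sample = [
        ('user1', []),
        ('user3', ['group1']),            # denied by name although group1 is allowed
        ('user4', ['group2']),
        ('user5', ['group2', 'group3']),  # one denied group overrides an allowed one
        ('user6', []),                    # not mentioned anywhere in the ACL
    ]
    for name, (ok, why) in audit(ACL, sample).items():
        print(f'{name}: {"allow" if ok else "deny"} ({why})')
```

Recording the reason alongside the decision makes it easy to spot principals that hold access only through a group, or that are blocked only by the default rule.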
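Use RBAC: assign users to roles and give each role its own set of permissions. These permissions control which users can view or modify a DAG, run tasks, and so on.
Example code: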
from datetime import datetime  # needed for start_date below
from airflow import DAG
from airflow.utils.dates import days_ago
from airflow.contrib.auth.backends.password_auth import PasswordUser
from airflow.security import permissions, permissions_manager, SecureMultiUserManager

# create the DAG
dag = DAG(
    dag_id='my_dag',
    start_date=datetime(2022, 1, 1),
)

# create users
user1 = PasswordUser(-1, 'user1', 'password1', 'User 1')
user2 = PasswordUser(-1, 'user2', 'password2', 'User 2')
user3 = PasswordUser(-1, 'user3', 'password3', 'User 3')

# configure RBAC
rbac_manager = SecureMultiUserManager()
rbac_manager.add_user(user1)
rbac_manager.add_user(user2)
rbac_manager.add_user(user3)

# create the roles and assign them to users
roles = permissions.roles_for_view(permissions.ACTION_CAN_READ)
rbac_manager.add_role('readers', roles)
roles = permissions.roles_for_view(permissions.ACTION_CAN_EDIT)
rbac_manager.add_role('editors', roles)
rbac_manager.assign_role_to_user('readers', user1)
rbac_manager.assign_role_to_user('readers', user2)
rbac_manager.assign_role_to_user('editors', user3)

# set the DAG permissions
permissions_manager.register_permissions([
    (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG, 'my_dag'),
    (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG, 'my_dag'),
])