apache / airflow

Apache Airflow - A platform to programmatically author, schedule, and monitor workflows
https://airflow.apache.org/
Apache License 2.0

Enhance impersonation on Restful API #16398

Open msolano00 opened 3 years ago

msolano00 commented 3 years ago

Description

I would like one parameter in the REST API configuration object (we can reuse the existing run_as_user maybe) to allow me to trigger a DAG as an authenticated as long as this "superuser" has a role/policy that allows it to impersonate other users.

Use case / motivation

I want to build a task system that submits tasks to Airflow (along with other tools we use, in an SSO way). Users will be authenticated previously when logging in to this tasks system and should be able to trigger DAGs. These DAGs have to run AS the user. WebHDFS (the Apache HDFS RESTful API) achieves something similar.

Are you willing to submit a PR?

I would indeed! It might just take some time since I am fairly new to Airflow.

Related Issues

Yes: https://github.com/apache/airflow/issues/982

boring-cyborg[bot] commented 3 years ago

Thanks for opening your first issue here! Be sure to follow the issue template!

ashb commented 3 years ago

Do you want the run_as_user value of the dag to change based on which user submits the trigger DAG API call?

That is not currently possible at all, so this is a bigger feature request than you might realise -- the run_as_user and all other task properties for a DAG come from the python file, and the python file only, so there's no real mechanism to control this.

So first step on this: we need to come up with a design for letting some properties of the dag be overridden based on the DagRun.

We have dagrun.conf already, which is one possible way, but that is only accessible to DAGs via template (i.e. {{ dag_run.conf.some_param }}) which only applies to some fields.

🤔

msolano00 commented 3 years ago

@ashb Hi, thank you for the reply and sorry for the late response, got pulled into something at work.

Yes, exactly that is the behavior. Have a property that allows authenticated users (like a service account) to run jobs as other users.

> So first step on this: we need to come up with a design for letting some properties of the dag be overridden based on the DagRun.

I will take a look into the core modules of airflow and reply back here once I have a better understanding of how it is being set up.
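
Added example, not part of the thread and not Airflow code: a default-deny authorization gate for the requested feature, modelled on the per-service-account proxy-user allow-lists that Hadoop applies to WebHDFS impersonation. The `run_as_user` request field, the policy contents, the protected account names and every function name here are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumed constraints: POSIX-style usernames only, and accounts that may
# never be impersonated regardless of what a rule says.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
PROTECTED = frozenset({"root", "airflow"})


@dataclass(frozen=True)
class ProxyRule:
    users: frozenset = frozenset()  # explicit impersonation targets
    any_user: bool = False          # wildcard; PROTECTED is still excluded


# Constructed policy: which authenticated service account may act as whom.
POLICY = {
    "svc-tasks": ProxyRule(users=frozenset({"alice", "bob"})),
    "svc-admin": ProxyRule(any_user=True),
}


def authorize(caller, target, policy=POLICY):
    """Decide whether authenticated `caller` may run work as `target`.

    Returns (allowed, reason). Anything not explicitly allowed is denied.
    """
    if not isinstance(target, str) or not USERNAME_RE.fullmatch(target):
        return False, "invalid target username"
    if target in PROTECTED:
        return False, "target is a protected account"
    rule = policy.get(caller)
    if rule is None:
        return False, "caller has no impersonation rule"
    if rule.any_user or target in rule.users:
        return True, "allowed by proxy rule"
    return False, "target not in caller's allow-list"


def handle_trigger(caller, body, policy=POLICY):
    """Hypothetical trigger handler: returns an audit record for the request."""
    target = body.get("run_as_user")
    if target is None:
        return {"caller": caller, "run_as": None, "allowed": True,
                "reason": "no impersonation requested"}
    allowed, reason = authorize(caller, target, policy)
    return {"caller": caller, "run_as": target if allowed else None,
            "allowed": allowed, "reason": reason}
```

The audit record keeps both the authenticated caller and the effective user, so a later review can tell who requested a run and who it executed as.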