apache / airflow

Apache Airflow - A platform to programmatically author, schedule, and monitor workflows
https://airflow.apache.org/
Apache License 2.0

Support non-public schema for PostgreSQL 15+ #40532

Open lewijw opened 4 months ago

lewijw commented 4 months ago

Description

For PostgreSQL setup, the doc says:

-- PostgreSQL 15 requires additional privileges:
GRANT ALL ON SCHEMA public TO airflow_user;

For security-concerned customers that do not want to use the public schema, it would be nice if the schema to use could be configurable.

Use case/motivation

For security's sake, use a schema other than public.

Related issues

No response


jiajie-chen commented 3 months ago

FWIW, it seems like replacing the GRANT ... public with the following allowed using a different schema:

-- Assuming you have an `airflow` user to assign to the `airflow` schema
CREATE SCHEMA AUTHORIZATION airflow;
GRANT ALL ON SCHEMA airflow TO airflow;
ALTER USER airflow SET search_path = airflow;
-- If you're on Postgres <15, also remove permissions to `public`

This was tested with the Airflow apache/airflow:2.9.2-python3.9 Docker image, running airflow db migrate against Postgres 15.7. All tables were created in the airflow schema.
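
An added example, not part of the comment above or of the Airflow documentation: the dedicated-schema setup followed by catalog queries that confirm the role is confined to its own schema. The role and schema name `airflow` follow the comment; the `REVOKE` statement is one assumed way to do the "remove permissions to `public`" step, which the comment does not spell out.

```sql
-- Added example. Run as a superuser or the database owner, connected to
-- the Airflow metadata database. Role/schema name "airflow" is assumed.

-- 1. Dedicated schema owned by the Airflow role, used as its only search_path.
CREATE SCHEMA IF NOT EXISTS airflow AUTHORIZATION airflow;
ALTER ROLE airflow SET search_path = airflow;

-- 2. PostgreSQL < 15 grants CREATE on "public" to every role through the
--    PUBLIC pseudo-role. Revoking it is harmless on 15+, where it is
--    already absent on newly created databases.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 3. Check: the role-level search_path setting was stored.
--    Expect setconfig to contain search_path=airflow.
SELECT r.rolname, s.setconfig
FROM pg_db_role_setting AS s
JOIN pg_roles AS r ON r.oid = s.setrole
WHERE r.rolname = 'airflow';

-- 4. Check: the role can create objects in its own schema but not in public.
--    Note: on 15+ "public" is owned by pg_database_owner, so if the airflow
--    role owns the database the first column stays true regardless of step 2.
SELECT has_schema_privilege('airflow', 'public',  'CREATE') AS create_in_public,
       has_schema_privilege('airflow', 'airflow', 'CREATE') AS create_in_airflow;

-- 5. Check, after "airflow db migrate": every table owned by the role
--    sits in the airflow schema. Any row with schemaname = 'public' means
--    the search_path setting was not in effect for that session.
SELECT schemaname, count(*) AS table_count
FROM pg_tables
WHERE tableowner = 'airflow'
GROUP BY schemaname
ORDER BY schemaname;
```

The `ALTER ROLE ... SET` default applies only to sessions opened after it is issued, so run the migration from a fresh connection.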