As an administrator I'd like to be able to centrally authorize actions my users are taking using (ideally) OpenPolicyAgent. However, as documented in this ticket, Airflow - like Superset - is built on Flask and as such offers its own user/role authorization, or Flask-related mechanisms.
Airflow does not support Open Policy Agent, which is what we use wherever possible.
Instead, it delegates access control of the webserver UI to Flask directly and offers the following authentication types:
Database
OpenID
LDAP
Remote User
OAuth
Airflow ships with a number of default roles and it is advised to leave these unaltered.
LDAP offers authorization (via group membership) as well as authentication and is probably the most suitable way of implementing Airflow authorization, where appropriate, via Flask. It should be verified that the Flask search filters enable recursive mapping through group memberships.
Issue checklist
Possible duplicate and/or overlapping issue.
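A check for the recursive group mapping concern raised in the issue, as an added example that is not part of the original issue or of Airflow's or Flask's code: it resolves nested group membership over a constructed in-memory directory and reports which Airflow default roles a user would lose under a direct-only lookup. The DNs, the `MEMBER_OF` data and the `ROLES_MAPPING` dictionary are assumptions made for illustration.

```python
from collections import deque

BASE = "dc=example,dc=org"  # constructed sample directory, not a real deployment

def group(name):
    return f"cn={name},ou=groups,{BASE}"

def user(uid):
    return f"uid={uid},ou=people,{BASE}"

# Constructed data: entry DN -> group DNs in its memberOf attribute (direct only).
MEMBER_OF = {
    user("alice"): [group("etl-devs")],
    user("bob"): [group("airflow-viewers")],
    group("etl-devs"): [group("airflow-users")],
    group("airflow-users"): [group("etl-devs")],  # deliberate cycle
}

# Assumed mapping of group DN -> Airflow default role names.
ROLES_MAPPING = {
    group("airflow-users"): ["User"],
    group("airflow-viewers"): ["Viewer"],
}

def direct_groups(dn):
    """Groups a non-recursive lookup returns for the entry."""
    return set(MEMBER_OF.get(dn, []))

def transitive_groups(dn):
    """All groups reachable through nested membership; cycle-safe."""
    seen, queue = set(), deque(MEMBER_OF.get(dn, []))
    while queue:
        g = queue.popleft()
        if g not in seen:
            seen.add(g)
            queue.extend(MEMBER_OF.get(g, []))
    return seen

def roles_for(groups):
    return sorted({r for g in groups for r in ROLES_MAPPING.get(g, [])})

def audit(dn):
    """Compare roles from direct vs. nested membership for one user."""
    direct = roles_for(direct_groups(dn))
    nested = roles_for(transitive_groups(dn))
    return {"direct": direct, "nested": nested,
            "lost_without_recursion": sorted(set(nested) - set(direct))}

if __name__ == "__main__":
    for uid in ("alice", "bob"):
        print(uid, audit(user(uid)))
```

A non-empty `lost_without_recursion` list marks a user whose role depends on nested membership, which is the case to test against the real directory and search filter.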