Using Airflow Role-Based Access Control in the web interface

Overall access to the Airflow web UI in Cloud Composer is controlled by IAM. Users first have to authenticate to Cloud Identity-Aware Proxy (IAP) and have proper IAM permissions before they can access the web UI.

However, once users access Airflow web UI, IAM does not provide any additional fine-grained permission control in the Airflow web UI. With this feature, you can enable fine-grained Airflow-native Role-Based Access Control (RBAC) inside Airflow web UI.

Please note that RBAC UI is a feature of Airflow, with its own model of users, roles, permissions, distinct from IAM.

Enabling the RBAC UI

To enable the RBAC UI, override the following Airflow configuration property:

Section Key Value
webserver rbac True

You can do so for an existing environment, or when creating a new environment. With this configuration, your environment runs the RBAC Airflow UI instead of the classic Airflow UI.

Using the RBAC UI

From the RBAC UI, access control settings can be configured using the links under the Security menu. See the Airflow RBAC UI documentation for more information on the RBAC model, available permissions, and default roles.

Airflow treats the User role as the template for all custom roles. This means that Airflow will continually copy permissions from the User role to all custom roles, except for the permissions for all_dags.

Airflow RBAC maintains its own list of users, meaning that users with the Admin role (or equivalent) can view the list of users who have opened this instance of the Airflow UI, and have been registered for Airflow RBAC.

Registering users in the RBAC UI

New users are automatically registered when they open the Airflow RBAC UI associated with a given Cloud Composer environment for the first time.

At registration, users are granted the role specified in the [webserver]rbac_user_registration_role Airflow configuration override. You can control the role of newly registered users by updating the environment and changing this configuration. If unspecified, the default registration role is Admin.

The steps below are recommended for creating a basic role configuration for the Airflow RBAC UI:

  1. Would-be environment administrators should visit the Airflow RBAC UI for the newly created environment, where they will be automatically registered with the Admin role.
  2. The environment owner should update it with the Airflow configuration override [webserver]rbac_user_registration_role set to the desired role for new users. For example: [webserver]rbac_user_registration_role = User (or another non-Admin role).
  3. Admins can configure access control for new users, including granting the Admin role to other users.

Removing users

Deleting a user from RBAC will not revoke access for that user, as they will be automatically registered again next time they visit the Airflow UI. To revoke access to the entire Airflow UI, remove the composer.environments.get permission from their access policy in Cloud IAM for your project. You can also change the user's role in the RBAC UI to Public, which will maintain the user's registration, but remove all permissions for the Airflow UI.

Configuring DAG-level permissions

You can configure DAG-level permissions for custom roles to specify which DAGs are visible by which user groups.

To configure DAG separation in Airflow RBAC UI, follow these steps:

  1. The Admin creates empty roles for grouping DAGs
  2. The Admin assigns users to appropriate roles
  3. The Admin or users assign DAGs to roles
  4. Users can only see DAGs in the UI whose permissions have been assigned to a group where that user belongs

DAGs can be assigned to roles either via DAG properties, or from the RBAC UI.

Assigning DAGs to roles in DAG properties

The DAG developer can set the access_control DAG parameter on the DAGs they upload, specifying the DAG-grouping role(s) to which the DAG will be assigned:

dag = DAG(
    'DagGroup': {'can_dag_edit', 'can_dag_read'},

Then the Admin, DAG developer, or an automated process must run the sync_perm Airflow command to apply the new access control settings.

Assigning DAGs to roles in the RBAC UI

An Admin can also assign the desired DAG-level permissions to the appropriate role(s) in the Airflow UI.