Using Airflow Role-Based Access Control in the web interface

Cloud Composer 1 | Cloud Composer 2

Access to the Airflow UI in Cloud Composer is controlled by Identity and Access Management. Users first must authenticate to Identity-Aware Proxy (IAP) and have proper IAM permissions before they can access the web UI.

However, once a user is inside the Airflow web UI, IAM provides no finer-grained control over what that user can see or do there. Airflow-native Role-Based Access Control (RBAC) adds that layer: it lets you restrict, per user, which DAGs are visible and which actions are allowed in the Airflow web UI.

Note that the RBAC UI is a feature of Airflow itself, with its own model of users, roles, and permissions that is separate from IAM. IAM decides who can reach the UI; Airflow RBAC decides what they can do once there.

Enabling the RBAC UI

Airflow 2

The Airflow RBAC UI is always enabled in Airflow 2.

Airflow 1

To enable the RBAC UI, override the following Airflow configuration option:

Section     Key     Value
webserver   rbac    True

You can do so for an existing environment, or when creating a new environment.

With this configuration, your environment runs the RBAC Airflow UI instead of the classic Airflow UI.

Using the RBAC UI

From the RBAC UI, access control settings can be configured using the links under the Security menu. See the Airflow RBAC UI documentation for more information on the RBAC model, available permissions, and default roles.

Airflow treats the User role as the template for all custom roles: it continually copies the permissions of the User role to every custom role, except for the all_dags permissions. A custom role therefore cannot be made more restrictive than User on non-DAG resources; what a custom role narrows is which DAGs its members can see and edit.

Airflow RBAC maintains its own list of users, meaning that users with the Admin role (or equivalent) can view the list of users who have opened this instance of the Airflow UI, and have been registered for Airflow RBAC.

Registering users in the RBAC UI

New users are automatically registered when they open the Airflow RBAC UI associated with a given Cloud Composer environment for the first time.

At registration, users are granted the role specified in the [webserver]rbac_user_registration_role Airflow configuration option. You can control the role of newly registered users by overriding this configuration option with a different value.

If not specified, the default registration role is Op in environments with Airflow 2.

In environments with Airflow 1.10.*, the default registration role is Admin.

The steps below are recommended for creating a basic role configuration for the Airflow RBAC UI:

Airflow 2

  1. Environment administrators visit the Airflow RBAC UI for the newly created environment.

  2. Grant the administrator accounts the Admin role. The default role for new accounts in environments with Airflow 2 is Op. To assign the Admin role, run the following Airflow CLI command with gcloud:

      gcloud beta composer environments run ENVIRONMENT_NAME \
        --location LOCATION \
        users add-role -- -e USER_EMAIL -r Admin
    

    Replace:

    • ENVIRONMENT_NAME with the name of the environment.
    • LOCATION with the Compute Engine region where the environment is located.
    • USER_EMAIL with the email of a user account.
  3. Admins can now configure access control for new users, including granting the Admin role to other users.

Airflow 1

  1. Environment administrators visit the Airflow RBAC UI for the newly created environment, where they are automatically registered with the Admin role.
  2. Override the following Airflow configuration option to the required role for new users. For example, to User.

    Section     Key                          Value
    webserver   rbac_user_registration_role  User (or another non-Admin role)
  3. Admins can now configure access control for new users, including granting the Admin role to other users.

Removing users

Deleting a user from Airflow RBAC does not revoke their access: the user is registered again automatically, with the default registration role, the next time they open the Airflow UI. To revoke access to the Airflow UI entirely, remove the composer.environments.get permission from the user's IAM bindings for your project. Alternatively, change the user's role in the RBAC UI to Public, which keeps the user's registration but removes all permissions in the Airflow UI. Because registration is automatic, check IAM first whenever you audit who can reach an environment; the RBAC user list only shows who has already visited.

Configuring DAG-level permissions

You can configure DAG-level permissions for custom roles to specify which DAGs are visible by which user groups.

To configure DAG separation in Airflow RBAC UI, follow these steps:

  1. The Admin creates empty roles, one per group of DAGs.
  2. The Admin assigns users to the appropriate roles.
  3. The Admin or the DAG developers assign DAGs to those roles.
  4. Users see only the DAGs whose permissions have been granted to a role they hold.

DAGs can be assigned to roles either via DAG properties, or from the RBAC UI.

Assigning DAGs to roles in DAG properties

The DAG developer can set the access_control DAG parameter on the DAGs they upload, specifying the DAG-grouping role(s) to which the DAG will be assigned:

from datetime import datetime
from airflow import DAG

dag = DAG(
    dag_id='example_dag',  # any DAG ID; assumed for this example
    start_date=datetime(2021, 1, 1),
    # Airflow 1 action names; Airflow 2 also accepts 'can_read' and 'can_edit'
    access_control={
        'DagGroup': {'can_dag_edit', 'can_dag_read'},
    },
)

Then the Admin, the DAG developer, or an automated process must run the permission sync command so that the new access control settings are applied: `airflow sync-perm` in Airflow 2, or `airflow sync_perm` in Airflow 1.10. In Cloud Composer you can run it with `gcloud composer environments run ENVIRONMENT_NAME --location LOCATION sync-perm` (use `sync_perm` for Airflow 1 environments).
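Because access_control is only as good as the declarations developers put in their DAG files, a useful companion to this step is a pre-deploy check that runs in CI before DAGs are uploaded to the environment bucket. The following is an added example, not code from Cloud Composer or Airflow: it parses DAG files with the standard-library ast module (so it does not need Airflow installed), flags DAGs that declare no access_control, grant a role outside an allow-list, or use an unknown action name, and normalises the Airflow 1 action names used above (can_dag_read, can_dag_edit) to their Airflow 2 equivalents (can_read, can_edit). The approved role names and the sample DAG sources are constructed for the example.

```python
"""Pre-deploy check for DAG-level access_control declarations (added example)."""
import ast
from typing import Dict, List, Optional, Set

# Airflow 1.10 DAG action names and the Airflow 2 names they map to.
ACTION_ALIASES = {"can_dag_read": "can_read", "can_dag_edit": "can_edit"}
# Actions Airflow 2 recognises on a DAG resource.
VALID_ACTIONS = {"can_read", "can_edit", "can_delete"}

DYNAMIC = object()  # sentinel: access_control is not a static literal

# Assumed: the DAG-group roles an Admin created in the RBAC UI.
APPROVED_ROLES = {"team_a", "team_b"}

# Constructed sample DAG files, keyed by file name.
SAMPLE_DAG_SOURCES = {
    "team_a_etl.py": (
        "from airflow import DAG\n"
        "dag = DAG('team_a_etl',\n"
        "          access_control={'team_a': {'can_dag_read', 'can_dag_edit'}})\n"
    ),
    "shared_report.py": (
        "from airflow import DAG\n"
        "with DAG(dag_id='shared_report') as dag:\n"
        "    pass\n"
    ),
    "team_b_load.py": (
        "from airflow import DAG\n"
        "dag = DAG('team_b_load', access_control={\n"
        "    'Everyone': {'can_read'}, 'team_b': {'can_execute'}})\n"
    ),
}


def normalise_actions(actions) -> Set[str]:
    """Translate Airflow 1 action names to Airflow 2 names."""
    if isinstance(actions, str):
        actions = {actions}
    return {ACTION_ALIASES.get(a, a) for a in actions}


def _callee_name(call: ast.Call) -> Optional[str]:
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return None


def _literal(node: ast.AST):
    """Evaluate a literal node; DYNAMIC if it cannot be evaluated statically."""
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError):
        return DYNAMIC


def extract_dags(source: str) -> List[dict]:
    """Return dag_id, line and access_control for every DAG(...) call."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _callee_name(node) == "DAG"):
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        dag_id = _literal(node.args[0]) if node.args else _literal(kwargs["dag_id"]) \
            if "dag_id" in kwargs else None
        access = kwargs.get("access_control")
        found.append({
            "dag_id": dag_id if isinstance(dag_id, str) else "<unknown>",
            "lineno": node.lineno,
            "access_control": None if access is None else _literal(access),
        })
    return found


def check_dag_source(source: str, allowed_roles: Set[str]) -> List[str]:
    """Return one finding per problem; an empty list means the file passes."""
    findings = []
    for dag in extract_dags(source):
        where = f"{dag['dag_id']} (line {dag['lineno']})"
        access = dag["access_control"]
        if access is None:
            findings.append(f"{where}: no access_control; only roles holding "
                            "all-DAG permissions will see this DAG")
            continue
        if access is DYNAMIC or not isinstance(access, dict):
            findings.append(f"{where}: access_control is not a static dict literal")
            continue
        for role, actions in access.items():
            if role not in allowed_roles:
                findings.append(f"{where}: role {role!r} is not an approved DAG-group role")
            unknown = normalise_actions(actions) - VALID_ACTIONS
            if unknown:
                findings.append(f"{where}: unknown action(s) {sorted(unknown)} for role {role!r}")
    return findings


def check_all(sources: Dict[str, str], allowed_roles: Set[str]) -> Dict[str, List[str]]:
    """Check every file; the CI job fails if any file has findings."""
    return {name: check_dag_source(src, allowed_roles) for name, src in sources.items()}


if __name__ == "__main__":
    for name, findings in check_all(SAMPLE_DAG_SOURCES, APPROVED_ROLES).items():
        print(("OK   " if not findings else "FAIL ") + name)
        for finding in findings:
            print("    " + finding)
```

The check deliberately treats a missing access_control as a finding rather than a pass: such a DAG is invisible to every custom role, but fully visible to anyone holding Admin, Op, User, or Viewer, which is usually not what a team-scoped deployment intends. A DAG whose access_control is built dynamically is also flagged, since the reviewer cannot see from the file alone which roles it will end up granting.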

Assigning DAGs to roles in the RBAC UI

An Admin can also assign the desired DAG-level permissions to the appropriate role(s) in the Airflow UI.

What's next