astahlman commented on issue #4624: [AIRFLOW-3787] Import/export users from JSON file URL: https://github.com/apache/airflow/pull/4624#issuecomment-459077251 @feng-tao Answers inline: > Could we configure a default role for any new user who has never login before in FAB? Or it has to run airflow users -c first? You don't have to run `users -c` first - the import command will create any users that don't already exist with the `roles` configured in the .json file. I'm not sure how we would use a default, since the `role` field has to be supplied in the .json configuration. > Is there any different behavior when we use different authentication type(e.g LDAP vs OATH)? The behavior of the command should be the same, but the way it's used would be different. I think the ideal process for OAuth is: 1. User registers via the UI, which creates the user in the DB with their username set to the ID used by the identity provider (for Google OAuth, this is a long ID string) 2. An admin updates `<file>.json` to add the user to the appropriate roles 3. Admin (or some automated process) runs `airflow -i <file>.json` to ensure all users are assigned to the correct roles > Is there a way to limit the cli to run by Admin only? I think from security point of view, we should think about this if it doesn't support(could be a different pr). To run this command successfully, the user would need access to the CLI and read-write permissions on the metastore. I think anyone who has both of these should be considered an administrator - right?
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
