vincbeck opened a new issue, #41683: URL: https://github.com/apache/airflow/issues/41683
### Description The purpose of this task is to describe the auth manager that is intended to be the default auth manager in Airflow 3. For convenience, we'll call it simple auth manager. See [auth manager documentation](https://airflow.apache.org/docs/apache-airflow/stable/core-concepts/auth-manager.html) for more details about what is an auth manager. ### Use case/motivation As part of AIP-79, we want to remove FAB from Airflow 3. The current default auth manager in Airflow 2 is based on FAB ([FabAuthManager](https://github.com/apache/airflow/blob/main/airflow/providers/fab/auth_manager/fab_auth_manager.py)). Therefore, to achieve this goal, we need to find a replacement of `FabAuthManager` as default auth manager in Airflow 3. The intended usage of this new auth manager is only for development and testing purposes. It should not be used in production. It should only support some default set of Roles and no flexibility in defining roles or mapping them to capabilities (resource types it can access and whether they can be read or written). For production use cases, other auth managers will be implemented later/separately (e.g. KeyCloak auth manager, Casdoor auth manager, ...). Simple auth manager is fully config-controlled, it will not use the database. ## List of users The idea is to have the list of users defined in config. The current config format used in Airflow (INI format) does not allow lists, therefore a workaround will need to be found to represent such list of users. This can be done during implementation. On the high level, the list of users will look like this. The format used here is JSON but this is just for the example, as mentioned before, the exact format will be defined during implementation. ``` users = [ { username: "admin", password: "admin" role: "Admin" }, { username: "john", password: "my-secret-password" role: "Viewer" } ] ``` _If the Airflow config format changes in the future (say, TOML), we will consider leveraging this new format to represent the different users._ ## Roles The roles will be defined as part of the simple auth manager. It will not be configurable neither extendable. It will not be possible by the user to configure/add/modify roles in the simple auth manager. The predefined roles in the simple auth manager are the roles [coming out of the box in `FabAuthManager` as defined in the documentation](https://airflow.apache.org/docs/apache-airflow-providers-fab/stable/auth-manager/access-control.html). Here are the roles: - Viewer - User - Op - Admin The permissions associated to each role will correspond to the permissions defined in [the documentation ](https://airflow.apache.org/docs/apache-airflow-providers-fab/stable/auth-manager/access-control.html). ### Related issues _No response_ ### Are you willing to submit a PR? - [X] Yes I am willing to submit a PR! ### Code of Conduct - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
