[I] Add Security Audit Logging for Authentication and Authorization Events [airflow]

Thu, 10 Apr 2025 14:44:45 -0700 


lujiefsi opened a new issue, #48916:
URL: https://github.com/apache/airflow/issues/48916

   ### Description
   
   
   ## Current Situation
   Currently, Airflow has comprehensive logging for DAG-related events (like 
DAG pausing, running, etc.) through the `Log` model. However, I notice that 
there seems to be a lack of detailed audit logging for security-related events, 
specifically:
   
   1. Authentication events:
      - Login attempts (successful/failed)
      - Password changes
      - Session management
      - API token usage
   
   2. Authorization events:
      - Permission checks
      - Access denials
      - Role changes
      - Permission grants/revokes
   
   
   
   ## Questions
   1. Is my understanding correct about the current state of security audit 
logging in Airflow?
   2. Are there any plans to implement comprehensive security audit logging?
   3. If yes, is there already a design proposal or timeline for this feature?
   
   ## Potential Solution
   We could extend the current `Log` model or create a new `SecurityAuditLog` 
model to capture these events. Example structure:
   ```python
   class SecurityAuditLog(Base):
       __tablename__ = 'security_audit_log'
       
       id = Column(Integer, primary_key=True)
       timestamp = Column(DateTime, default=datetime.utcnow)
       event_type = Column(String)  # LOGIN, PERMISSION_CHECK, etc.
       user = Column(String)
       status = Column(String)  # SUCCESS, FAILURE
       details = Column(JSON)
       ip_address = Column(String)
       user_agent = Column(String)
   
   
   ### Use case/motivation
   
   ## Use Cases
   Having security audit logs would be valuable for:
   - Security compliance requirements
   - Security incident investigations
   - User access pattern analysis
   - Troubleshooting authentication issues
   - Detecting potential security breaches
   
   ### Related issues
   
   _No response_
   
   ### Are you willing to submit a PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of 
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to