Re: [I] Add Security Audit Logging for Authentication and Authorization Events [airflow]

Thu, 29 May 2025 12:02:15 -0700 


paulobitar commented on issue #48916:
URL: https://github.com/apache/airflow/issues/48916#issuecomment-2920312650

   > ## Current Situation
   > Currently, Airflow has comprehensive logging for DAG-related events (like 
DAG pausing, running, etc.) through the `Log` model. However, I notice that 
there seems to be a lack of detailed audit logging for security-related events, 
specifically:
   > 
   > 1. Authentication events:
   >    
   >    * Login attempts (successful/failed)
   >    * Password changes
   >    * Session management
   >    * API token usage
   > 2. Authorization events:
   >    
   >    * Permission checks
   >    * Access denials
   >    * Role changes
   >    * Permission grants/revokes
   > 
   > ## Questions
   > 1. Is my understanding correct about the current state of security audit 
logging in Airflow?
   > 2. Are there any plans to implement comprehensive security audit logging?
   > 3. If yes, is there already a design proposal or timeline for this feature?
   > 
   > ## Potential Solution
   > We could extend the current `Log` model or create a new `SecurityAuditLog` 
model to capture these events. Example structure:
   > 
   > class SecurityAuditLog(Base):
   >     __tablename__ = 'security_audit_log'
   >     
   >     id = Column(Integer, primary_key=True)
   >     timestamp = Column(DateTime, default=datetime.utcnow)
   >     event_type = Column(String)  # LOGIN, PERMISSION_CHECK, etc.
   >     user = Column(String)
   >     status = Column(String)  # SUCCESS, FAILURE
   >     details = Column(JSON)
   >     ip_address = Column(String)
   >     user_agent = Column(String)
   > ### Use case/motivation
   > Having security audit logs would be valuable for:
   > 
   > * Security compliance requirements
   > * Security incident investigations
   > * User access pattern analysis
   > * Troubleshooting authentication issues
   > * Detecting potential security breaches
   > 
   > ### Related issues
   > _No response_
   > 
   > ### Are you willing to submit a PR?
   > * [ ]  Yes I am willing to submit a PR!
   > 
   > ### Code of Conduct
   > * [x]  I agree to follow this project's [Code of 
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   
   This would be Great ! I just found this post because I'm facing the same 
problem. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to