GitHub user jun-roh created a discussion: Configuration for SimpleAuthManager credentials and RBAC in Airflow 3.1.5
Hello Airflow team and community, I am currently testing the experimental Airflow 3.1.5 architecture using docker-compose with the new API Server (airflow-apiserver) instead of the traditional Flask-based webserver. I am trying to configure the SimpleAuthManager to use a static username and password via environment variables, but the system seems to ignore my settings and generates a random password at startup. Here is my sanitized docker-compose.yml and .env configuration: Environment & Config: ``` # .env (Sanitized) AIRFLOW_IMAGE_NAME=local-airflow:3.1.5 AIRFLOW_UID=50000 AIRFLOW__API__BASE_URL=https://airflow.example.com AIRFLOW__WEBSERVER__BASE_URL=https://airflow.example.com # Auth Secrets SECRET_KEY=REDACTED_SECRET_KEY AIRFLOW__API_AUTH__JWT_SECRET=${SECRET_KEY} # Database AIRFLOW_DB_HOST=db.example.com AIRFLOW_DB_USER=airflow_user AIRFLOW_DB_PASSWORD=airflow_pass AIRFLOW__DATABASE__SQL_ALCHEMY_CONN=mysql+mysqldb://${AIRFLOW_DB_USER}:${AIRFLOW_DB_PASSWORD}@${AIRFLOW_DB_HOST}/airflow_db # ... other configurations ... ``` ``` # docker-compose.yml (Sanitized) x-airflow-common: &airflow-common image: ${AIRFLOW_IMAGE_NAME} environment: # ---- Auth Config ---- AIRFLOW__API_AUTH__JWT_SECRET: ${SECRET_KEY} # I am trying to set static credentials here: AIRFLOW__SIMPLE_AUTH_MANAGER__USERNAME: "airflow" AIRFLOW__SIMPLE_AUTH_MANAGER__PASSWORD: "airflow" AIRFLOW__SIMPLE_AUTH_MANAGER__DEFAULT_ROLE: "Admin" # Core Settings AIRFLOW__CORE__EXECUTOR: CeleryExecutor AIRFLOW__CORE__SQL_ALCHEMY_CONN: ${AIRFLOW__DATABASE__SQL_ALCHEMY_CONN} AIRFLOW__CORE__EXECUTION_API_SERVER_URL: http://execution-api:8080/execution/ # ... other env vars ... services: airflow-apiserver: <<: *airflow-common command: > bash -c " echo 'Starting Airflow API Server...' && exec airflow api-server --host 0.0.0.0 --port 8080 --workers 1 --apps all " ports: ["8080:8080"] # ... ``` Despite having AIRFLOW__SIMPLE_AUTH_MANAGER__USERNAME and PASSWORD set in the environment, the container logs indicate that a random password is being generated for the user, and I cannot log in with airflow/airflow. I have three questions regarding the authentication in the new Airflow 3.x architecture: 1. How can I enforce a specific username and password? It seems the environment variables AIRFLOW__SIMPLE_AUTH_MANAGER__* are not being picked up or enforced. Is there a different configuration key required to enable static credentials for the airflow-apiserver? 2. How can I verify credentials without relying on startup logs? Is there a CLI command available in the new architecture to check or reset the admin password? (Similar to airflow users create/reset-password in 2.x). 3. How is RBAC (User Permissions) handled in Airflow 3.1.5? In Airflow 2.x, we managed roles and permissions via webserver_config.py. Since the new API Server replaces the Flask AppBuilder webserver, how should we configure granular user permissions or map roles in this new version? Any guidance or references to the documentation for the 3.x auth system would be greatly appreciated. Thank you! GitHub link: https://github.com/apache/airflow/discussions/59514 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected]
