Looks good to me in general, thanks for putting this together! I think the ability to integrate with external RBAC systems like LDAP is important (i.e. the Airflow DB should not be decoupled with the RBAC database wherever possible).
I wouldn't be too worried about the permissions about refreshing DAGs, as far as I know this functionality is no longer required with the new webservers which reload state periodically, and will certainly be removed when we have a better DAG consistency story. I think it would also be good to think about this proposal/implementation and how it applies in the API-driven world (e.g. when webserver hits APIs like /clear on behalf of users instead of running commands against the database directly).

On Mon, Jun 12, 2017 at 11:12 AM, Bolke de Bruin <bdbr...@gmail.com> wrote:

> Will respond but I'm traveling at the moment. Give me a few days.
>
> Sent from my iPhone
>
> > On 12 Jun 2017, at 13:39, Chris Riccomini <criccom...@apache.org> wrote:
> >
> > Hey all,
> >
> > Checking in on this. We spent a good chunk of time thinking about this, and
> > want to move forward with it, but want to make sure we're all on the same
> > page.
> >
> > Max? Bolke? Dan? Jeremiah?
> >
> > Cheers,
> > Chris
> >
> > On Thu, Jun 8, 2017 at 1:49 PM, kalpesh dharwadkar <kalpeshdharwad...@gmail.com> wrote:
> >
> >> Hello everyone,
> >>
> >> As you all know, currently Airflow doesn't have a built-in Role Based
> >> Access Control (RBAC) capability. It does provide very limited
> >> authorization capability by providing admin, data_profiler, and user roles.
> >> However, associating these roles to authenticated identities is not a
> >> simple effort.
> >>
> >> To address this issue, I have created a design proposal for building RBAC
> >> into Airflow and simplifying user access management via the Airflow UI.
> >>
> >> The design proposal is located at
> >> https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+RBAC+proposal
> >>
> >> Any comments/questions/feedback are much appreciated.
> >>
> >> Thanks
> >> Kalpesh