Given the REST API is upcoming, and the DAG-level access control is in progress as well, maybe let’s revisit this Connection Management topic later when this “infrastructure” is fully ready.

XD

On Wed, Sep 19, 2018 at 23:21 Maxime Beauchemin <maximebeauche...@gmail.com> wrote:

> Another clear solution is for connection management to go through the
> [upcoming] REST API we've been talking about. Then of course we'll need one
> permission per connection and an "all_connections" perm that can be added to
> roles (much like DAGs but for connections).
>
> Max
>
> On Wed, Sep 19, 2018 at 7:25 AM Ash Berlin-Taylor <a...@apache.org> wrote:
>
> > You are correct that currently all DAGs can access all connections and
> > variables.
> >
> > The other thing to bear in mind: currently PythonOperators have an active
> > connection to the metadata DB where connections are stored, so at best this
> > is "co-operative" security, to prevent one team from accessing another
> > team's connections, and not a hard barrier against an even mildly
> > determined attacker.
> >
> > As for the implementation of it: it would be worth looking to see if we
> > can use the Permissions model built in to FAB (Flask App Builder) that we
> > are using in the RBAC-based UI. This would allow for much more granular
> > permissions, and provides a pre-existing management UI for it too.
> >
> > I don't know if this would make the work dependent on the (in progress?)
> > DAG-level access controls.
> >
> > -ash
> >
> > > On 19 Sep 2018, at 15:00, Deng Xiaodong <xd.den...@gmail.com> wrote:
> > >
> > > Hi folks,
> > >
> > > Thinking of a scenario: I may have multiple users in the same Airflow
> > > instance. I can use filter_by_owner feature so that each user can only see
> > > their own DAGs. But what if their DAGs are using different data sources,
> > > say owner A is using mysql_conn_a, and owner B is using mysql_conn_b, and
> > > we don't want to allow them to access each other's database?
> > >
> > > Seems like all DAGs (no matter who is the owner) can access all defined
> > > connections? Or have I missed something?
> > >
> > > If my suspicion is making sense, I think it would be necessary to have
> > > values "*if_protect*" and "*owner*" for each connection. When "if_protect"
> > > == True, only DAGs whose owner == "owner" would be able to use this
> > > connection. I would like to take this up to prepare a PR.
> > >
> > > Thanks.
> > >
> > > XD
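
The owner check proposed in this thread, next to the caveat raised about it, as an added example that is not part of any message here and is not Airflow code. The table schema, host names and function names are hypothetical; only `if_protect`, `owner`, `mysql_conn_a` and `mysql_conn_b` come from the thread.

```python
import sqlite3


# Constructed stand-in for the metadata DB; the schema is hypothetical and is
# not Airflow's real connection table.
def make_metadata_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE connection (conn_id TEXT PRIMARY KEY, host TEXT,"
        " owner TEXT, if_protect INTEGER NOT NULL DEFAULT 0)"
    )
    db.executemany(
        "INSERT INTO connection VALUES (?, ?, ?, ?)",
        [
            ("mysql_conn_a", "db-a.example.internal", "owner_a", 1),
            ("mysql_conn_b", "db-b.example.internal", "owner_b", 1),
            ("shared_conn", "shared.example.internal", "owner_a", 0),
        ],
    )
    return db


class ConnectionAccessDenied(Exception):
    """Raised when a DAG asks for a protected connection it does not own."""


def get_connection_for_dag(db, conn_id, dag_owner):
    """Proposed rule: a protected connection is usable only by its owner's DAGs."""
    row = db.execute(
        "SELECT host, owner, if_protect FROM connection WHERE conn_id = ?",
        (conn_id,),
    ).fetchone()
    if row is None:
        raise KeyError(conn_id)
    host, owner, if_protect = row
    if if_protect and owner != dag_owner:
        raise ConnectionAccessDenied(f"{dag_owner} may not use {conn_id}")
    return host


def hosts_visible_to_task_code(db):
    """Rows readable by any code holding the same DB handle; no owner check runs."""
    return sorted(h for (h,) in db.execute("SELECT host FROM connection"))
```

The accessor enforces the rule, but the second function returns every row because the check lives in the same process and DB session as the task code. That is why the thread calls this "co-operative" security and points toward enforcement behind the REST API or FAB permissions instead.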