### **9.6 - RBAC UI**

So far, we have seen how to create a user account and filter DAGs based on the user and the owner parameter defined in the DAGs. That's great, but at some point you may need a system allowing you to be more specific about what a category of users can and cannot do with Airflow.

For example, you may have data engineers working in two different teams, such as the marketing team and the financial team. Each team would be allowed to access only a specific set of DAGs corresponding to their skill domains.

Well, thanks to the new Role Based Access Control feature of Airflow, you are now able to apply this kind of rule by creating a set of users along with their roles, where each role has a specific set of permissions. Let’s say the Data Engineers should not be able to access the Variables view: well, you can do that. Airflow brings 5 roles, which are Admin, User, Op, Viewer and Public, each role with its own set of permissions.

If you take a look at the documentation here, you have the descriptions as well as the permissions of each role. For example, Admins are users having all the possible permissions, including granting or revoking permissions from other roles. Viewers have read access to DAGs but cannot modify the state of the Airflow metadata database, and so on. What you can see here are the different permissions set for the role Viewer on this limited set of web views.

All right, without further waiting, let’s create some users with their corresponding roles. First, from your code editor, check that you are under the folder airflow-materials/airflow-section-9 and open the file airflow.cfg. Then, look for the parameter “rbac”. Set it to True so that RBAC is enabled. Save the file and open your terminal. Check that you are under the folder airflow-materials/airflow-section-9 with the docker containers running, as shown by the command “docker ps”.

Next, restart the webserver by typing “docker-compose -f docker-compose-CeleryExecutor.yml restart webserver”. Enter. OK, the web server is running again. Type “docker ps”, then “docker logs” with the container id of the web server. As you can see here, there are some logs indicating that no user has been created yet, the roles are being synchronized, the permissions are fetched and so on.

So let’s create a new account. Type “docker exec -it ”, paste the container id of the web server, then “/bin/bash”. Enter. Now if you type “airflow list_users”, we get a warning telling us that no user has been created yet, and effectively no user exists, as shown by the table here.

So first we have to create the user admin. To do this, execute the command “airflow create_user -r Admin --username admin --password admin --email admin@airflow.com --firstname marc --lastname lamberti”. Basically, this command will create an account admin with the password admin as well. The role is Admin, meaning the user will have access to everything. Notice the parameters email, firstname and lastname, which are also required. Enter.

OK, let’s check that the user has been created correctly. Type “airflow list_users”, and as you can see, no more warning, and we got the Admin account as shown here. Perfect.

Back to your web browser, open a new tab and type localhost:8080. Enter. And we get the authentication page. Maybe you didn’t notice it, but the page is actually different from the one we used in the previous video with the password backend. Don’t forget that these two systems are totally independent: user accounts created with the password backend are not valid when RBAC is activated.

So if we type admin for the username and admin as well for the password, then “Sign in”, we get connected to the Airflow UI with the account as shown here. If you click on it, then “Profile”, you get different information such as the role of the account, how many times it logged into the UI, some personal information and so on. If you click on “DAGs”, notice that you have access to all DAGs since you are the admin. OK.

If you carefully observed the UI, you should have noticed the new section “Security” in the header right here. Click on it. Here, you get multiple pages divided into two categories. The first one is about users and roles, whereas the second one gives the list of available permissions.

For example, let’s go to “Base Permissions”. Here we get the list of base permissions such as can_edit, can_list, menu_access and so on. Then, back to Security, “Views/Menus” gives you the list of all available views/menus that you can restrict access to. Finally, “Permissions on Views/Menus” shows the list of all permissions related to views/menus. If we click on “Search”, then “Add filter”, “permission”, type “can edit” and click “Search”, these are the views where the permission “can_edit” applies. So if a user is given a role having the permission can_edit, then all of these views can potentially be modified by that user.

OK, to make things clearer, let’s create a new user, but this time from the UI. Click on “Security”, then “List Users”. Add a new record by clicking here, and we get the same information to fill in as with the command line interface. So let’s say the first name is “Eric”, last name “Pete”, user name “eric”, “is active” yes, for “email” we type “eric@airflow.com”, for the “Role” we select “Viewer”, and the password is “eric”. Click on “Save” and we get a new user, as shown here. Before moving forward, notice that the Viewer role assigned to eric restricts him to only reading DAGs, and so he won’t be able to modify or trigger anything from the user interface.

Let's log out. We type “eric” in both the username and password fields, then “Sign In”. And we get logged in as “eric”. First, you can see that the “Security” button is not available anymore. Now, if we try to trigger the DAG logger_dag, for example, we get “Access Denied”, as expected.

All right, let me show you something. If you click on “Browse”, then “Logs”, as you can see here, we have the command we executed to create the user Admin, with the password in clear text. Pretty insecure, isn’t it? Let’s edit the role so that Viewers won’t be able to access this page anymore. “Logout”, log in as admin again. Go to “Security”, “List Roles”, look for “Viewer” here and click on this button to edit the role. From there, we obtain the name of the role as well as all granted permissions. Look for the permission “menu access on Logs” here, and remove it. OK, click on “Save”, log out, and we connect to the eric account. Now, if we click on “Browse”, the Logs button isn’t accessible anymore. Perfect.

There is one more thing I would like to show you. Let’s say Eric belongs to the marketing team, and so you don’t want to give him access to the DAG finance_dag. Indeed, if you click on it, then “Code”, Eric can see the code of the DAG, which may not be desirable if it contains sensitive data. To fix this, let’s create a new role specifically designed for the marketing team.

Log out, log in with Admin, “Security”, “List Roles”, select the role “Viewer” by clicking here, then “Actions”, “Copy Role”, “OK”, and at the bottom of the page we get the new role. Edit it, change the name to Marketing, and remove the permission “can dag read all_dag” at the bottom of the permissions. So at this point, Eric can’t read any DAGs. Click on the permissions, type “Can Dag read” and select the one on marketing_dag. “Save”. Last thing, go to “Security”, “List Users”, edit eric and change the role from “Viewer” to “Marketing”. “Save” and go back to the account of Eric. As you can see, this time Eric can only see the DAG belonging to his team.

That’s how you can tweak the permissions of your DAGs so that you choose which users can see what, and so on.
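To make the mechanics behind these two UI edits concrete (removing “menu access on Logs” from Viewer, and copying Viewer into a Marketing role that can read only marketing_dag), here is a small Python model added for this section. It is not Airflow's own code: Airflow's RBAC UI is built on Flask-AppBuilder, where a role is a set of (permission, view/menu) pairs and a check passes when the user's role holds the requested pair. The permission and view names used below (`menu_access`, `Logs`, `can_dag_read`, `all_dags`, `marketing_dag`) are simplified to mirror the video and are assumptions, not Airflow's exact identifiers.

```python
"""Toy model of role-based access checks as used by Airflow's RBAC UI.

Added example, not Airflow's code. Roles are sets of (permission, view) pairs;
editing a role immediately changes what every user holding that role can do,
and "Copy Role" starts a new role from an existing role's pairs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Perm = Tuple[str, str]  # (permission, view_or_menu), e.g. ("menu_access", "Logs")


@dataclass
class Role:
    name: str
    perms: Set[Perm] = field(default_factory=set)

    def copy(self, new_name: str) -> "Role":
        # Equivalent to "Actions -> Copy Role": same pairs under a new name,
        # as a separate set so later edits do not leak back into the source role.
        return Role(new_name, set(self.perms))


@dataclass
class User:
    username: str
    role: Role


def has_access(user: User, permission: str, view: str) -> bool:
    """True when the user's role grants `permission` on `view`."""
    return (permission, view) in user.role.perms


def can_read_dag(user: User, dag_id: str) -> bool:
    """DAG-level read passes via the catch-all "all_dags" pair or a DAG-specific pair."""
    return has_access(user, "can_dag_read", "all_dags") or has_access(user, "can_dag_read", dag_id)


def views_with_permission(role: Role, permission: str) -> List[str]:
    """Like the "Permissions on Views/Menus" filter: which views a permission applies to."""
    return sorted(view for perm, view in role.perms if perm == permission)


def viewer_role() -> Role:
    """Constructed subset of what the shipped Viewer role grants (illustrative only)."""
    return Role("Viewer", {
        ("menu_access", "DAGs"),
        ("menu_access", "Browse"),
        ("menu_access", "Logs"),       # lets a Viewer open Browse -> Logs
        ("can_list", "LogModelView"),
        ("can_dag_read", "all_dags"),  # read access to every DAG
        ("can_code", "Airflow"),       # the "Code" tab of a DAG
    })


def demo() -> Dict[str, bool]:
    """Walk through the two role edits from the video and record each check."""
    viewer = viewer_role()
    eric = User("eric", viewer)
    results: Dict[str, bool] = {}

    # 1. As shipped, a Viewer can open Browse -> Logs, where the create_user
    #    command (password included) was recorded.
    results["viewer_sees_logs"] = has_access(eric, "menu_access", "Logs")

    # 2. Edit the Viewer role itself: drop the menu access on Logs.
    #    Every user with that role, eric included, loses the page at once.
    viewer.perms.discard(("menu_access", "Logs"))
    results["viewer_sees_logs_after_edit"] = has_access(eric, "menu_access", "Logs")

    # 3. Copy Viewer into Marketing, remove the all_dags read: nothing readable yet.
    marketing = viewer.copy("Marketing")
    marketing.perms.discard(("can_dag_read", "all_dags"))
    results["marketing_reads_nothing"] = can_read_dag(User("probe", marketing), "marketing_dag")

    # 4. Grant read on marketing_dag only, then move eric to the new role.
    marketing.perms.add(("can_dag_read", "marketing_dag"))
    eric.role = marketing
    results["eric_reads_marketing_dag"] = can_read_dag(eric, "marketing_dag")
    results["eric_reads_finance_dag"] = can_read_dag(eric, "finance_dag")
    # The copy was taken after the Logs edit, so Marketing does not see Logs either.
    results["marketing_sees_logs"] = has_access(eric, "menu_access", "Logs")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
    print("can_dag_read applies to:", views_with_permission(viewer_role(), "can_dag_read"))
```

The order of operations matters in the same way it does in the UI: because Marketing is copied from Viewer after the Logs permission was removed, the new role inherits the tightened state, whereas copying first would have required removing “menu access on Logs” twice.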

I strongly advise you to take a look at the list of permissions and to play with the roles and users. There are many available permissions, and it’s absolutely required to configure them correctly if you are using Airflow in a company.

All right, it was a pretty big video, but now you are able to set the right permissions for the right users and be more relaxed. So I hope you enjoyed what you have learned, take a nice break and see you in the next video.
