Considerations for Using Airflow CLI Commands

Describes security considerations for using Airflow CLI commands.

EEP 9.2.2 and higher, and Airflow 2.8.3, have four types of security options related to the use of Airflow CLI commands. In the /opt/mapr/airflow/airflow-<version>/conf/airflow.cfg file, you can set one of the following four options:

Option 1: This is the default option. When admin_only_cli_access = false and admin_cli_with_impersonation = false:
  • Only users with Data Fabric tickets can use Airflow CLI commands.
  • If a user that has no ticket issues a CLI command, the command line returns an error. For example:
    $ airflow users create --username mapr1 --firstname mapr1 --lastname mapr1 -p mapr1 --role Admin --email admin3@example.org
    Traceback (most recent call last):
      File "/opt/mapr/airflow/airflow-2.6.1/bin/airflow", line 8, in <module>
        sys.exit(main())
      File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/__main__.py", line 45, in main
        resp = security_client.start("maprsasl")[2]
      File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/security/maprsasl.py", line 73, in start
        return True, mechanism, self.get_init_response()
      File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/security/maprsasl.py", line 55, in get_init_response
        server_key_bytes = maprsecurity.GetTicketAndKeyForClusterInternal(MAPR_CLUSTER_NAME, 1)
    SystemError: <built-in function GetTicketAndKeyForClusterInternal> returned NULL without setting an error
  • Only the cluster administrator (typically the mapr user) can issue commands related to Airflow users. For example, only the cluster admin can issue the airflow users list command or create the admin user role. An exception is generated if a non-cluster-admin user issues a command such as airflow users list. For example:
    $ airflow users list
    Traceback (most recent call last):
      File "/opt/mapr/airflow/airflow-2.6.1/bin/airflow", line 8, in <module>
        sys.exit(main())
    .........................................................................................................
      File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/cli/commands/user_command.py", line 38, in <module>
        class UserSchema(Schema):
      File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/cli/commands/user_command.py", line 42, in UserSchema
        raise Exception("Only admin cluster user can manage Airflow users list")
    Exception: Only admin cluster user can manage Airflow users list
Option 2: When admin_only_cli_access = true and admin_cli_with_impersonation = false:
  • Only the cluster administrator can access ALL Airflow CLI commands.
  • Impersonation is disabled.
Option 3: When admin_only_cli_access = false and admin_cli_with_impersonation = true:
  • The cluster administrator can access ALL Airflow CLI commands.
  • Users with Data Fabric tickets have access only to the Airflow Task command.
  • Impersonation is enabled.
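
An added example, not part of the product documentation: a Python check that reads airflow.cfg text and reports which of the options above is in effect, for use when auditing a node's CLI exposure. The section name in the sample and the treatment of unset keys as false are assumptions; the true/true combination is not described above and is reported as not covered.

```python
import configparser

# Key names are from the page; the section holding them is not stated there,
# so every section is searched (assumption).
KEYS = ("admin_only_cli_access", "admin_cli_with_impersonation")

# (admin_only_cli_access, admin_cli_with_impersonation) -> behaviour listed on the page
MODES = {
    (False, False): ("Option 1", "any ticketed user may run CLI commands; "
                                 "Airflow user management is cluster-admin only"),
    (True, False): ("Option 2", "cluster admin only; impersonation disabled"),
    (False, True): ("Option 3", "cluster admin: all commands; ticketed users: "
                                "Task command only; impersonation enabled"),
}

# Constructed sample; "example_section" is a hypothetical section name.
SAMPLE_CFG = """\
[example_section]
admin_only_cli_access = false
admin_cli_with_impersonation = true
"""

def read_flags(cfg_text):
    """Return {key: bool} for the two CLI flags found in airflow.cfg text."""
    # interpolation=None: do not treat '%' in other values as interpolation syntax
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    flags = {}
    for section in parser.sections():
        for key in KEYS:
            if parser.has_option(section, key):
                # getboolean raises ValueError on a typo such as "ture"
                flags[key] = parser.getboolean(section, key)
    return flags

def classify(cfg_text):
    """Return (option name, summary, list of unset keys) for the config text."""
    flags = read_flags(cfg_text)
    # Unset keys count as false because the page calls false/false the default.
    combo = tuple(flags.get(k, False) for k in KEYS)
    name, summary = MODES.get(combo, ("not covered", "combination not described above"))
    return name, summary, sorted(set(KEYS) - set(flags))

if __name__ == "__main__":
    name, summary, unset = classify(SAMPLE_CFG)
    print(f"{name}: {summary}; unset keys: {unset or 'none'}")
```

To audit a real node, pass the contents of the airflow.cfg file to `classify()` instead of `SAMPLE_CFG`.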