Considerations for Using Airflow CLI Commands
Describes security considerations for using Airflow CLI commands.
EEP 9.2.2 and higher, and Airflow 2.8.3, have four types of security options related to the use of Airflow CLI commands. In the /opt/mapr/airflow/airflow-<version>/conf/airflow.cfg file, you can set one of the following four options:
Option 1: This is the default option. When admin_only_cli_access = false and admin_cli_with_impersonation = false:
- Only users with Data Fabric tickets can use Airflow CLI commands.
- If a user that has no ticket issues a CLI command, the command line returns an error. For example:

    $ airflow users create --username mapr1 --firstname mapr1 --lastname mapr1 -p mapr1 --role Admin --email admin3@example.org
    Traceback (most recent call last):
      File "/opt/mapr/airflow/airflow-2.6.1/bin/airflow", line 8, in <module>
        sys.exit(main())
      File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/__main__.py", line 45, in main
        resp = security_client.start("maprsasl")[2]
      File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/security/maprsasl.py", line 73, in start
        return True, mechanism, self.get_init_response()
      File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/security/maprsasl.py", line 55, in get_init_response
        server_key_bytes = maprsecurity.GetTicketAndKeyForClusterInternal(MAPR_CLUSTER_NAME, 1)
    SystemError: <built-in function GetTicketAndKeyForClusterInternal> returned NULL without setting an error

- Only the cluster administrator (typically the mapr user) can issue commands related to Airflow users. For example, only the cluster admin can issue the airflow users list command or create the admin user role. An exception is generated if a non-cluster-admin user issues a command such as airflow users list. For example:

    $ airflow users list
    Traceback (most recent call last):
      File "/opt/mapr/airflow/airflow-2.6.1/bin/airflow", line 8, in <module>
        sys.exit(main())
    .........................................................................................................
      File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/cli/commands/user_command.py", line 38, in <module>
        class UserSchema(Schema):
      File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/cli/commands/user_command.py", line 42, in UserSchema
        raise Exception("Only admin cluster user can manage Airflow users list")
    Exception: Only admin cluster user can manage Airflow users list

Option 2: When admin_only_cli_access = true and admin_cli_with_impersonation = false:
- Only the cluster administrator can access ALL Airflow CLI commands.
- Impersonation is disabled.
Option 3: When admin_only_cli_access = false and admin_cli_with_impersonation = true:
- The cluster administrator can access ALL Airflow CLI commands.
- Users with Data Fabric tickets have access only to the Airflow Task command.
- Impersonation is enabled.
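
To confirm which of Options 1 to 3 a node is actually running with, the following added example (not part of the product or of Airflow) parses airflow.cfg text and reports the combination in effect. It assumes the two keys may sit in any section, since the page does not name one, and that a missing key means false, in line with the default described under Option 1; the sample configuration is constructed.

```python
import configparser

# Keys named on this page. The page does not say which airflow.cfg section
# holds them, so every section is searched (assumption of this example).
KEYS = ("admin_only_cli_access", "admin_cli_with_impersonation")

# (admin_only_cli_access, admin_cli_with_impersonation) -> option on this page
OPTIONS = {
    (False, False): "Option 1",  # default: any Data Fabric ticket holder can use the CLI
    (True, False): "Option 2",   # cluster administrator only, impersonation disabled
    (False, True): "Option 3",   # ticket holders limited to the Task command
}


def cli_access_option(cfg_text):
    """Return (flags, option) for the airflow.cfg text given."""
    # interpolation=None: airflow.cfg values such as log formats contain '%'.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    seen = {key: set() for key in KEYS}
    for section in parser.sections():
        for key in KEYS:
            if parser.has_option(section, key):
                # getboolean raises ValueError on anything that is not a boolean word
                seen[key].add(parser.getboolean(section, key))
    for key, values in seen.items():
        if len(values) > 1:
            raise ValueError(f"{key} is set to conflicting values in different sections")
    # A missing key is treated as false, matching the default (Option 1).
    flags = tuple(next(iter(seen[key]), False) for key in KEYS)
    return flags, OPTIONS.get(flags, "not one of the options listed above")


# Constructed sample; the [core] placement is a guess, not taken from the page.
SAMPLE_CFG = """
[core]
admin_only_cli_access = true
admin_cli_with_impersonation = false

[logging]
log_format = [%(asctime)s] %(levelname)s - %(message)s
"""

if __name__ == "__main__":
    flags, option = cli_access_option(SAMPLE_CFG)
    print(dict(zip(KEYS, flags)), "->", option)
```

A result of Option 1 on a shared node means any user holding a Data Fabric ticket can run Airflow CLI commands there, which is the case worth flagging in a hardening review.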