Considerations for Using Airflow CLI Commands

Describes security considerations for using Airflow CLI commands.

EEP 9.2.2 and higher, and Airflow 2.8.3 has four types of security options related to the use of Airflow CLI commands. In opt/mapr/airflow/airflow-<version>/conf/airflow.cfgfile, you can set one of the following four options:

Option 1: This is default option. When

admin_only_cli_access
        = false

and admin_cli_with_impersonation = false:

Only users with Data Fabric tickets can use Airflow CLI commands.

If a user that has no ticket issues a CLI command, the command line returns an error. For example:

$ airflow users create --username mapr1 --firstname mapr1 --lastname mapr1 -p mapr1 --role Admin --email admin3@example.org
Traceback (most recent call last):
  File "/opt/mapr/airflow/airflow-2.6.1/bin/airflow", line 8, in <module>
    sys.exit(main())
  File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/__main__.py", line 45, in main
    resp = security_client.start("maprsasl")[2]
  File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/security/maprsasl.py", line 73, in start
    return True, mechanism, self.get_init_response()
  File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/security/maprsasl.py", line 55, in get_init_response
    server_key_bytes = maprsecurity.GetTicketAndKeyForClusterInternal(MAPR_CLUSTER_NAME, 1)
SystemError: <built-in function GetTicketAndKeyForClusterInternal> returned NULL without setting an error

Only the cluster administrator (typically the mapr user) can issue commands related to Airflow users. For example, only the cluster admin can issue the airflow users list command or create the admin user role. An exception is generated if a non-cluster-admin user issues a command such as airflow users list. For example:

$ airflow users list
Traceback (most recent call last):
  File "/opt/mapr/airflow/airflow-2.6.1/bin/airflow", line 8, in <module>
    sys.exit(main())
.........................................................................................................
  File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/cli/commands/user_command.py", line 38, in <module>
    class UserSchema(Schema):
  File "/opt/mapr/airflow/airflow-2.6.1/build/env/lib/python3.9/site-packages/airflow/cli/commands/user_command.py", line 42, in UserSchema
    raise Exception("Only admin cluster user can manage Airflow users list")
Exception: Only admin cluster user can manage Airflow users list

Option 2: When admin_only_cli_access = true and admin_cli_with_impersonation = false:

Only cluster administrator can access ALL Airflow CLI commands.
Impersonation is disabled.

Option 3: When admin_only_cli_access = false and admin_cli_with_impersonation = true:

Cluster administrator can access ALL Airflow CLI commands.
Users with Data Fabric tickets have access only to Airflow Task command.
Impersonation is enabled.

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0