Defining RBACs on DAGs

Describes role-based access controls (RBACs) with respect to Airflow in HPE Ezmeral Unified Analytics Software and how to define RBACs to permit access to DAGs.

Role-based access controls (RBACs) are an authorization system based on policies, user roles, and bindings between the roles and policies that protect resources. With the introduction of RBACs, HPE Ezmeral Unified Analytics Software users (admins and members) can grant other users access to their DAGs through access controls that they define in the DAG constructors.

Admin Role
The following list describes DAG access for admins and the admin-related tasks that impact user access to DAGs:
  • HPE Ezmeral Unified Analytics Software admins have full access to all Airflow DAGs regardless of the access controls set.
  • Admins can assign a member the admin role in HPE Ezmeral Unified Analytics Software to give the user full access to DAGs; however, this action must occur before the user signs in to the HPE Ezmeral Unified Analytics Software UI and accesses Airflow. See User Roles.
  • If an admin removes a user from HPE Ezmeral Unified Analytics Software, that user's access to Airflow is automatically revoked. Other users can no longer access the DAGs that the removed user shared.
    CAUTION
    HPE only supports user role changes made through the HPE Ezmeral Unified Analytics Software UI. Role changes made in HPE Ezmeral Unified Analytics Software are automatically propagated to Airflow. HPE does not support role changes made directly in Airflow because the changes do not propagate back to HPE Ezmeral Unified Analytics Software, which can cause unexpected system behaviors.
    TIP
    Best practice is to use Git submodules if multiple users have DAGs in their own repositories. To manage multiple users within the same GitHub repository, the HPE Ezmeral Unified Analytics Software platform administrator can create a root GitHub repository and then add all user GitHub repositories as submodules. As owner of the root GitHub repository, the platform administrator can update the Git submodules after users add, remove, or modify files. For example, when a user modifies files, the user can ask the platform administrator to update the latest commit hash of the user's Git submodule in the root repository. For additional information, refer to GitHub - About code owners and Working with submodules.

Member Role
The following list describes DAG access for members:
  • Members can access DAGs:
    • When DAGs do not have any access controls defined.
    • When permitted to do so through access controls (either defined on their username or defined through the All user role).
  • Members can define access controls on the DAGs they create.

Supported Access Controls

The following table lists and describes the access controls that admins and users can define in the DAG constructor, together with the access control value to use for each when configuring access controls on a user.

Access Control Type | Access Control Value | Description
--------------------|----------------------|------------
Read                | can_read             | The specified user can see the source code but cannot launch the DAG.
Edit                | can_edit             | The specified user can launch the DAG and add notes.
Delete              | can_delete           | The specified user can delete the DAG; however, DAGs are repopulated from the GitHub repository every few seconds, so the deletion does not persist.
Define the access controls on a username through the access_control parameter in the DAG constructor, as shown in the following example for user01:
    access_control={
        'role_user01': {
            'can_read',
            'can_edit',
            'can_delete'
        }
    }
If you want to grant all users access to a DAG, define access controls on All instead of a specific username, as shown in the following example:
    access_control={
        'All': {
            'can_read',
            'can_edit',
            'can_delete'
        }
    }

Defining RBACs on Users

You can define access controls on a user (username) that exists or does not yet exist in HPE Ezmeral Unified Analytics Software. Adding a user to HPE Ezmeral Unified Analytics Software after you define roles on the user (username) in the DAG constructor will not cause any issues between the systems. An HPE Ezmeral Unified Analytics Software admin can add or create the user. See Adding and Removing Users.
IMPORTANT
The DAG must exist in the GitHub repository or a Git submodule that the Airflow instance in HPE Ezmeral Unified Analytics Software points to.
To define access controls on a user in the DAG constructor:
  1. Go to the GitHub repository and add the following access_control parameters and values to the DAG constructor, as shown in the following example:
    from airflow import DAG

    # default_args is defined earlier in the DAG file (definition omitted here).
    with DAG(
        dag_id='example_kubernetes_operator',
        default_args=default_args,
        schedule_interval=None,
        tags=['example'],
        # The role name follows the 'role_<username>' convention; replace <username>
        # with the HPE Ezmeral Unified Analytics Software username of the user.
        access_control={
            'role_<username>': {
                'can_read',
                'can_edit',
                'can_delete'
            }
        }
    ) as dag:
        # Task definitions follow.
        ...
    
    TIP
    • If you commit a DAG without the access_control annotation, all users (admins and members) can view and access the DAG.
    • Only include the access control(s) that you want the user to have. For example, if you do not want the user to launch the DAG, do not assign the user the can_edit access control.
  2. Commit and push the changes to the DAG.
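The following Python example is added here to illustrate the Supported Access Controls table and the procedure above; it is not part of the HPE documentation or of Airflow. It builds the access_control dictionary for a DAG constructor from a least-privilege policy, rejects access control values other than the three the page documents (so a typo cannot silently change what is granted), and resolves the effective permissions for a user according to the rules stated on this page: admins always have full access, a DAG without access controls is open to all members, and otherwise a member receives the union of the All entry and their own role_<username> entry. The usernames user01, user02 and user03 are constructed sample values, and treating "view and access" for a DAG without access controls as all three access control values is an assumption. The module deliberately does not import airflow, so it runs offline; the resulting dictionary is what you would pass as access_control in the DAG constructor.

```python
# Added example (not from the HPE documentation or from Airflow): builds and
# evaluates an access_control dictionary using the conventions on this page.

# The three access control values the page documents.
SUPPORTED_ACCESS_CONTROLS = frozenset({'can_read', 'can_edit', 'can_delete'})

# Special role that stands for every HPE Ezmeral Unified Analytics Software user.
ALL_USERS_ROLE = 'All'


def role_for_user(username):
    """Map a username to the role name the page uses: 'role_<username>'."""
    if not username or not username.replace('_', '').replace('-', '').replace('.', '').isalnum():
        raise ValueError(f'unexpected username: {username!r}')
    return f'role_{username}'


def build_access_control(policy):
    """Build the access_control dict for a DAG constructor from a policy.

    policy maps a username (or ALL_USERS_ROLE) to the access controls that
    principal should have. Unknown values are rejected so that a typo such as
    'can_reed' fails here instead of silently granting nothing. Empty sets are
    rejected too: the page's guidance is to omit controls you do not intend to
    grant, not to list an empty entry.
    """
    access_control = {}
    for principal, controls in policy.items():
        controls = set(controls)
        unknown = controls - SUPPORTED_ACCESS_CONTROLS
        if unknown:
            raise ValueError(f'unsupported access control(s) for {principal}: {sorted(unknown)}')
        if not controls:
            raise ValueError(f'empty access control set for {principal}; omit the entry instead')
        role = ALL_USERS_ROLE if principal == ALL_USERS_ROLE else role_for_user(principal)
        access_control[role] = controls
    return access_control


def effective_permissions(access_control, username, is_admin=False):
    """Resolve what a user can do with a DAG under the rules described on the page.

    - Admins have full access regardless of the access controls set.
    - A DAG committed without access_control is accessible to all users
      (assumption: treated here as all three access control values).
    - Otherwise a member gets the union of the 'All' entry and their own role.
    """
    if is_admin or not access_control:
        return set(SUPPORTED_ACCESS_CONTROLS)
    permissions = set(access_control.get(ALL_USERS_ROLE, ()))
    permissions |= set(access_control.get(role_for_user(username), ()))
    return permissions


if __name__ == '__main__':
    # Constructed sample policy: user01 may only read, user02 may read and
    # launch, and every other user may read the source. Nobody gets can_delete.
    sample_policy = {
        'user01': {'can_read'},
        'user02': {'can_read', 'can_edit'},
        ALL_USERS_ROLE: {'can_read'},
    }
    ac = build_access_control(sample_policy)
    print('access_control =', ac)
    for name in ('user01', 'user02', 'user03'):
        print(name, '->', sorted(effective_permissions(ac, name)))
    print('admin ->', sorted(effective_permissions(ac, 'user03', is_admin=True)))
```

Running the module prints the dictionary to paste into the DAG constructor and the resolved permissions for each sample user; a member not named in the policy (user03) gets only what the All entry grants, which is how the page describes member access.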

Viewing Access Controls on Users

HPE Ezmeral Unified Analytics Software admins can go to the Security page in Airflow to view access controls on users. Members cannot access the Security page.

To view access controls on users:

  1. Sign in to HPE Ezmeral Unified Analytics Software.
  2. In the left navigation bar, select Tools and Frameworks.
  3. On the Data Engineering tab, click Open in the Airflow tile.
  4. In Airflow, click the Security tab and select List Roles.