git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Connection Management in Multi-tenancy Scenario


Given the REST API is upcoming, and the DAG-level access control is in
progress as well, maybe let’s revisit this Connection Management topic
later when these “infrastructure” is fully ready.

XD

On Wed, Sep 19, 2018 at 23:21 Maxime Beauchemin <maximebeauchemin@xxxxxxxxx>
wrote:

> Another clear solution is for connection management to go through the
> [upcoming] REST API we've been talking about. Then of course we'll need one
> permission per connection and a "all_connections" perm that can be added to
> roles (much like DAGs but for connections).
>
> Max
>
> On Wed, Sep 19, 2018 at 7:25 AM Ash Berlin-Taylor <ash@xxxxxxxxxx> wrote:
>
> > You are correct that currently all DAGs can access all connections and
> > variables.
> >
> > The other thing to bear in mind: currently PythonOperators have an active
> > connection to the metadata DB where connections are stored, so at best
> this
> > is "co-operative" security, to prevent one team from accessing another
> > team's connections, and not a hard barrier against an even mildly
> > determined attacker.
> >
> > As for the implementation of it: it would be worth looking to see if we
> > can use the Permissions model built in to FAB (Flask App Builder) that we
> > are using in the RBAC-based UI. This would allow for much more granular
> > permissions, and provides a pre-existing management UI for it to.
> >
> > I don't know if this would make the work dependent on the (in progress?)
> > DAG-level access controls.
> >
> > -ash
> >
> > > On 19 Sep 2018, at 15:00, Deng Xiaodong <xd.deng.r@xxxxxxxxx> wrote:
> > >
> > > Hi folks,
> > >
> > > Thinking of a scenario: I may have multiple users in the same Airflow
> > > instance. I can use filter_by_owner feature so that each user can only
> > see
> > > their own DAGs. But what if their DAGs are using different data
> sources,
> > > say owner A is using mysql_conn_a, and owner B is using mysql_conn_b,
> and
> > > we don't want to allow them to access each other's database?
> > >
> > > Seems like all DAG (no matter who is the owner) can access all defined
> > > connections? or have I missed something?
> > >
> > > If my suspicion is making sense, I think it would be necessary to have
> > > values "*if_protect*" and "*owner*" for each connection. When
> > "if_protect"
> > > == True, only DAGs whose owner == "owner" would be able to use this
> > > connection. I would like to take this up to prepare a PR.
> > >
> > > Thanks.
> > >
> > > XD
> >
> >
>