I want to implement some sort of role based auth system
Astronomer v0.7 has beta support for Airflow’s RBAC.
Please note it is not directly supported at our API level yet.
- Upgrade your local Docker image to Airflow 1.10.1 with RBAC enabled.
  You can use this as an example:

  ```dockerfile
  FROM astronomerinc/ap-airflow:0.7.5-1.10.1-onbuild
  ENV AIRFLOW__WEBSERVER__RBAC=true
  ENV AIRFLOW__WEBSERVER__AUTHENTICATE=true
  ```
- Run `astro airflow start`.
- Jump into the Docker container and create an Airflow user:

  ```
  virajparekh@orbiter:~$ docker ps
  CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
  eb4e38f1f7c3 rbac-test/airflow:latest "tini -- /entrypoint…" 41 minutes ago Up 41 minutes 5555/tcp, 8793/tcp, 0.0.0.0:8080->8080/tcp rbactest_webserver_1
  a8ba9a9c6761 postgres:10.1-alpine "docker-entrypoint.s…" About an hour ago Up 41 minutes 0.0.0.0:5432->5432/tcp rbactest_postgres_1
  e12e1b8932c4 rbac-test/airflow:latest "tini -- /entrypoint…" 2 days ago Up 41 minutes 5555/tcp, 8080/tcp, 8793/tcp rbactest_scheduler_1
  virajparekh@orbiter:~$ docker exec -it rbactest_webserver_1 bash
  airflow initdb
  airflow create_user -r Admin -u admin -e admin@example.com -f admin -l user -p test
  ```
- Confirm that this worked as expected by running `astro airflow stop` and `astro airflow start`.
- In your Astronomer UI, scale the webserver to 5 or more AUs (the RBAC webserver is significantly more resource intensive) and save those settings.
- Once your webserver is visible again, push your code (`astro airflow deploy`) with the updated `Dockerfile`.
- Using `kubectl`, jump into your deployment’s scheduler:

  ```
  kubectl get pods
  NAME READY STATUS RESTARTS AGE
  glowing-cosmic-7269-flower-558c79b868-2lbhv 1/1 Running 0 1h
  glowing-cosmic-7269-pgbouncer-84d55bfd7c-7jdlg 2/2 Running 0 40m
  glowing-cosmic-7269-redis-0 1/1 Running 0 1h
  glowing-cosmic-7269-scheduler-68585d99bb-279g4 1/1 Running 0 40m
  glowing-cosmic-7269-statsd-7d79654479-r6nlk 1/1 Running 0 1h
  glowing-cosmic-7269-webserver-c68fb8d74-s4dh9 1/1 Running 2 40m
  glowing-cosmic-7269-worker-0 2/2 Running 0 40m
  kubectl exec -it glowing-cosmic-7269-scheduler-68585d99bb-279g4 /bin/bash
  ```
- Initialize the user and the database.
  Once inside, run:

  ```
  airflow initdb
  airflow create_user -r Admin -u admin -e admin@example.com -f admin -l user -p test
  ```

  This will create the admin user.
- Wait.
  Give your instance a few minutes to pick up the new config and you should be able to use the RBAC UI.

Note: The default `/admin` page won’t work anymore; navigate to `/home`.
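The `airflow create_user` step above, wrapped so that the Admin account on a deployed instance gets a generated password rather than the literal `test`. This is an added example, not Astronomer's or Airflow's own code; the function names, the `AIRFLOW_ADMIN_PASSWORD` variable and the `MIN_LEN` threshold are assumptions.

```shell
#!/bin/sh
# Added example (not Astronomer's or Airflow's code). Run inside the
# webserver/scheduler container in place of the bare create_user command.
# Function names, AIRFLOW_ADMIN_PASSWORD and MIN_LEN are assumptions.

MIN_LEN=16

# 24 bytes from the kernel CSPRNG, hex-encoded: 48 characters, 192 bits.
gen_password() {
    od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

# Reject passwords that are short or that contain the username.
check_password() {
    pw="$1"; user="$2"
    [ "${#pw}" -ge "$MIN_LEN" ] || return 1
    case "$pw" in *"$user"*) return 1 ;; esac
    return 0
}

# Create an Admin-role user with the flags used in the walkthrough.
# The password comes from AIRFLOW_ADMIN_PASSWORD if set, else is generated.
create_admin() {
    user="$1"; email="$2"
    pw="${AIRFLOW_ADMIN_PASSWORD:-$(gen_password)}"
    if ! check_password "$pw" "$user"; then
        echo "refusing weak password for $user" >&2
        return 1
    fi
    # -p puts the password on argv, visible to `ps` in the container
    # while the command runs; change it after first login.
    airflow create_user -r Admin -u "$user" -e "$email" \
        -f admin -l user -p "$pw" || return 1
    # Shown once on the operator's terminal; nothing is written to disk.
    printf 'user=%s password=%s\n' "$user" "$pw"
}

# Example: create_admin admin admin@example.com
```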