Can I put my entire organization on one instance of Astronomer? Or will I need to run many? How far down does the hierarchy of control go?
Generally speaking, you should only need multiple Astronomer installs if there are issues around networking/accessing data.
Each Astronomer runs in a single Kubernetes (EKS/GKE/AKS) cluster. From that Astronomer, you can launch as many Airflow instances as you need (all on that same cluster),
The first hierarchy are Workspaces, which are equivalent to teams - each team using Airflow generally has their own workspace on Astronomer. There exists any number of Airflow deployments within each workspace (all still on the same k8s cluster), and Astronomer RBAC extends from that workspace into each Airflow deployment.
For now, the hierarchy stops there, a user has the same permissions for every Airflow deployment within that workspace. In the coming months, we’ll extend that RBAC capability to individual airflow deployments, but we don’t have that right now. All alerting and monitoring around jobs is at the airflow level and there is shared alerting around the Astronomer platform infrastructure at the cluster level.
Every instance of Astronomer is standalone, there is no built in communication with any other instance.
Authentication can be handled through AD or your auth system of choice, but all user role management is handled within Astronomer. We’ll have tighter integration in the coming months as well.
You can find some more info here:
https://www.astronomer.io/docs/rbac/
https://www.astronomer.io/docs/ee-integrating-auth-systems/
1 Like