Split out Authorization from Authentication #65111
stephen-bracken
asked this question in
General
I think an AIP describing how to do it would be a good idea - converting to a discussion.
Description
The Airflow auth manager is responsible for both authentication and authorization of the user. By splitting the authentication component out into a separate module, authorization could be done by a separate provider, e.g. using FAB to provide authentication via OIDC and then using Keycloak to provide authorization.
Use case/motivation
The Casbin authorization library is a powerful policy engine, but does not support authentication. It expects users to already have their identity authenticated, and then provides those users with roles based on the policy. A good fit for the Airflow security model would be the RBAC with domains model. However, Casbin alone would not provide enough functionality to create an auth manager, so another library would be required to perform authorization. Therefore, if a 'casbin' provider were to be created, it would not actually be using Casbin for the authentication, but rather would need some other functionality added from a different library. For example, you could use FAB to authenticate the user and then use a Casbin model to provide authorization.
Related issues
No response
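The split proposed in the post above, as an added example that is not part of the original discussion and is not Airflow's or Casbin's code: an authenticator that only establishes identity, and an authorizer that only evaluates an RBAC-with-domains policy for an already-authenticated subject. The class names, `handle_request`, and all users, roles, domains and tokens are hypothetical; the matcher is a pure-Python stand-in for Casbin's model rather than a call into the library.

```python
"""Authentication and authorization as separate components (added example).
Stand-in for the matcher of Casbin's "RBAC with domains" model:
  m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act
"""
import hashlib
import hmac

# Constructed sample data. g rows: (user_or_role, role, domain)
GROUPING = {("alice", "admin", "team_a"), ("admin", "editor", "team_a"),
            ("alice", "viewer", "team_b")}
# p rows: (role, domain, object, action)
POLICY = {("editor", "team_a", "dag", "edit"), ("viewer", "team_b", "dag", "read")}
# Stand-in for an identity provider: token digest -> subject (constructed)
SESSIONS = {hashlib.sha256(b"tok-alice").hexdigest(): "alice"}


class Authenticator:
    """Establishes identity only; knows nothing about roles or policy."""
    def authenticate(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        for known, subject in SESSIONS.items():
            if hmac.compare_digest(known, digest):
                return subject
        return None


class Authorizer:
    """Decides access for an authenticated subject; never sees credentials."""
    def roles(self, subject, domain):
        seen, stack = {subject}, [subject]
        while stack:  # follow role inheritance, but only inside this domain
            current = stack.pop()
            for sub, role, dom in GROUPING:
                if sub == current and dom == domain and role not in seen:
                    seen.add(role)
                    stack.append(role)
        return seen

    def enforce(self, subject, domain, obj, action):
        return any((r, domain, obj, action) in POLICY for r in self.roles(subject, domain))


def handle_request(token, domain, obj, action):
    subject = Authenticator().authenticate(token)
    if subject is None:
        return 401  # identity not established: the policy engine is never consulted
    if not Authorizer().enforce(subject, domain, obj, action):
        return 403  # identity is known, but policy denies in this domain
    return 200
```

The same subject gets different answers per domain: `alice` inherits `editor` through `admin` in `team_a`, but is only a `viewer` in `team_b`.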