Flask-AppBuilder (FAB) security integration component within Apache Airflow core, providing authentication, authorization, and security management features
npx @tessl/cli install tessl/pypi-apache-airflow-fab-security@2.8.0

This component implements comprehensive security infrastructure including user management, role-based access control, permission management, and multiple authentication backends.
pip install apache-airflow)

```python
from airflow.www.fab_security.sqla.manager import SecurityManager
from airflow.www.fab_security.sqla.models import User, Role, Permission, Action, Resource
```

Common view imports:

```python
from airflow.www.fab_security.views import (
    CustomUserDBModelView,
    CustomRoleModelView,
    ActionModelView,
    ResourceModelView,
)
```

```python
from airflow.www.fab_security.sqla.manager import SecurityManager
from airflow.www.fab_security.sqla.models import User, Role
from flask_appbuilder import AppBuilder

# Initialize security manager (`app` is the existing Flask application object)
app_builder = AppBuilder(app)
security_manager = SecurityManager(app_builder)

# Create a new user
user = security_manager.add_user(
    username="john_doe",
    first_name="John",
    last_name="Doe",
    email="john@example.com",
    role=security_manager.find_role("User"),
    password="secure_password",  # example value only
)

# Create a role
admin_role = security_manager.add_role("CustomAdmin")

# Create permissions
permission = security_manager.create_permission("can_read", "Users")
security_manager.add_permission_to_role(admin_role, permission)

# Authenticate user
authenticated_user = security_manager.auth_user_db("john_doe", "secure_password")
```

The FAB security component follows a layered architecture:
This design enables flexible security configuration while maintaining compatibility with Flask-AppBuilder's security model and Airflow's specific requirements.
Core security management functionality including user authentication, authorization checks, permission validation, and session management. Provides the foundation for all security operations.
```python
class BaseSecurityManager:
    def auth_user_db(self, username: str, password: str) -> User | None: ...
    def auth_user_ldap(self, username: str, password: str) -> User | None: ...
    def auth_user_oauth(self, userinfo: dict) -> User | None: ...
    def auth_user_oid(self, email: str) -> User | None: ...
    def auth_user_remote_user(self, username: str) -> User | None: ...
    def reset_password(self, userid: int, password: str) -> bool: ...
    def update_user_auth_stat(self, user: User, success: bool = True) -> None: ...
```

Comprehensive user lifecycle management including creation, updates, deletion, and user queries. Handles user authentication statistics and profile management.
```python
def add_user(self, username: str, first_name: str, last_name: str, email: str, role: Role | list[Role], password: str = "") -> User | None: ...
def update_user(self, user: User) -> bool: ...
def find_user(self, username: str = None, email: str = None) -> User | None: ...
def get_user_by_id(self, pk: int) -> User: ...
def get_all_users(self) -> list[User]: ...
def count_users(self) -> int: ...
```

Role-based access control with granular permission management. Supports creating roles, assigning permissions, and managing access control for resources and actions.
```python
def add_role(self, name: str) -> Role | None: ...
def find_role(self, name: str) -> Role | None: ...
def create_permission(self, action_name: str, resource_name: str) -> Permission | None: ...
def add_permission_to_role(self, role: Role, permission: Permission) -> None: ...
def remove_permission_from_role(self, role: Role, permission: Permission) -> None: ...
```

Role and Permission Management
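
The role and permission model described above, as an added example for least-privilege review. It is an in-memory sketch, not Airflow or Flask-AppBuilder code; the `Permission` and `Role` dataclasses are stand-ins for the real models, and the helper names, role contents and baseline are constructed for illustration.

```python
# Added illustration: an in-memory model, not Airflow or Flask-AppBuilder code.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    action: str    # e.g. "can_read"
    resource: str  # e.g. "Users"


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)


def is_allowed(roles, action, resource):
    """A user is allowed if any of their roles holds the (action, resource) pair."""
    return any(Permission(action, resource) in r.permissions for r in roles)


def excess_permissions(role, baseline):
    """Permissions a role holds beyond an approved baseline, sorted for review."""
    return sorted(role.permissions - baseline, key=lambda p: (p.resource, p.action))


def roles_granting(all_roles, action, resource):
    """Names of every role that grants the pair: answers 'who can do this?'."""
    wanted = Permission(action, resource)
    return sorted(r.name for r in all_roles if wanted in r.permissions)


# Constructed sample data (hypothetical roles and baseline).
viewer = Role("Viewer", {Permission("can_read", "DAGs")})
custom_admin = Role("CustomAdmin", {
    Permission("can_read", "DAGs"),
    Permission("can_read", "Users"),
    Permission("can_edit", "Users"),
})
APPROVED_BASELINE = {Permission("can_read", "DAGs"), Permission("can_read", "Users")}

if __name__ == "__main__":
    for extra in excess_permissions(custom_admin, APPROVED_BASELINE):
        print(f"CustomAdmin exceeds baseline: {extra.action} on {extra.resource}")
```
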
SQLAlchemy models representing the security schema including users, roles, permissions, actions, resources, and their relationships. Provides the data layer for security operations.
```python
class User(Model):
    id: int
    username: str
    email: str
    first_name: str
    last_name: str
    password: str
    active: bool
    last_login: datetime
    login_count: int
    fail_login_count: int
    roles: list[Role]
    created_on: datetime
    changed_on: datetime
    created_by_fk: int
    changed_by_fk: int
```

Flask-AppBuilder view classes for web interface integration, providing customized security views that integrate with Airflow's permission model and web interface.
```python
class CustomUserDBModelView(MultiResourceUserMixin, UserDBModelView): ...
class CustomRoleModelView(RoleModelView): ...
class ActionModelView(PermissionModelView): ...
class ResourceModelView(ViewMenuModelView): ...
```

Multiple authentication backend support including database, LDAP, OAuth, OpenID, and remote user authentication with configurable options and provider-specific implementations.
```python
def auth_user_db(self, username: str, password: str) -> User | None: ...
def auth_user_ldap(self, username: str, password: str) -> User | None: ...
def auth_user_oauth(self, userinfo: dict) -> User | None: ...
def auth_user_oid(self, email: str) -> User | None: ...
def auth_user_remote_user(self, username: str) -> User | None: ...
```

The component supports multiple authentication types:
```python
from flask_appbuilder.const import (
    AUTH_DB,
    AUTH_LDAP,
    AUTH_OAUTH,
    AUTH_OID,
    AUTH_REMOTE_USER,
)
```

Key configuration properties for security behavior:
- auth_type: Authentication backend type
- auth_role_admin: Administrator role name
- auth_role_public: Public/anonymous role name
- auth_user_registration: Enable user self-registration
- auth_roles_mapping: Map external roles to internal roles
- auth_username_ci: Case-insensitive username matching

The component provides comprehensive error handling with logging and graceful degradation for authentication failures, database errors, and configuration issues.
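
A review of the configuration properties listed above, as an added example that is not Airflow or Flask-AppBuilder code: it resolves external groups through an `auth_roles_mapping`-style table and flags settings that hand out privileged roles too widely, with a weak configuration beside a corrected one. The helper names, group names, the `PRIVILEGED` set and the `auth_user_registration_role` key are assumptions made for the illustration.

```python
# Added illustration: not Airflow or Flask-AppBuilder code. All values are constructed.
PRIVILEGED = {"Admin", "Op"}  # assumption: roles this deployment treats as privileged

SAMPLE = {
    "auth_type": "AUTH_LDAP",
    "auth_role_admin": "Admin",
    "auth_role_public": "Admin",          # weak: anonymous visitors act as Admin
    "auth_user_registration": True,
    "auth_user_registration_role": "Op",  # assumed key, not listed on the page
    "auth_roles_mapping": {
        "airflow-admins": ["Admin"],
        "all-staff": ["Viewer", "Admin"],  # weak: broad group mapped to Admin
    },
}
# Corrected counterpart of SAMPLE.
HARDENED = dict(SAMPLE, auth_role_public="Public", auth_user_registration=False,
                auth_roles_mapping={"airflow-admins": ["Admin"]})


def resolve_roles(groups, mapping, known_roles):
    """Internal roles for a user's external groups; roles that do not exist are skipped."""
    granted = set()
    for group, roles in mapping.items():
        if group in groups:
            granted.update(r for r in roles if r in known_roles)
    return granted


def audit(cfg, broad_groups=("all-staff",)):
    """Return findings for settings that grant privileged roles too widely."""
    findings = []
    if cfg.get("auth_role_public") in PRIVILEGED:
        findings.append("auth_role_public gives anonymous visitors a privileged role")
    if (cfg.get("auth_user_registration")
            and cfg.get("auth_user_registration_role") in PRIVILEGED):
        findings.append("self-registered users receive a privileged role")
    admin = cfg.get("auth_role_admin", "Admin")
    for group, roles in cfg.get("auth_roles_mapping", {}).items():
        if group in broad_groups and admin in roles:
            findings.append(f"auth_roles_mapping: broad group '{group}' maps to {admin}")
    return findings
```
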