or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

Files

docs

api-endpoints.mdauth-backends.mdauth-manager.mdcli-commands.mdindex.mdmodels.md

auth-backends.mddocs/

0
# Authentication Backends
1


2
Multiple authentication methods supporting basic auth, Kerberos, and session-based authentication. These backends integrate with Airflow's API authentication system to provide secure access control.
3


4
## Capabilities
5


6
### Basic Authentication Backend
7


8
HTTP Basic Authentication support for API endpoints.
9


10
```python { .api }
11
def init_app(app) -> None:
12
    """Initialize basic authentication for Flask application."""
13


14
def auth_current_user() -> User | None:
15
    """
16
    Authenticate current user using HTTP Basic Authentication.
17
    
18
    Returns:
19
        User object if authentication successful, None otherwise.
20
    """
21


22
def requires_authentication(function: T) -> T:
23
    """
24
    Decorator that requires basic authentication for the decorated function.
25
    
26
    Args:
27
        function: The function to be decorated.
28
        
29
    Returns:
30
        Decorated function that enforces basic authentication.
31
    """
32
```
33


34
### Kerberos Authentication Backend
35


36
Kerberos/GSSAPI authentication support for enterprise environments.
37


38
```python { .api }
39
class KerberosService:
40
    """Kerberos authentication service configuration."""
41
    
42
    def __init__(self): ...
43


44
class _KerberosAuth(NamedTuple):
45
    """Kerberos authentication result."""
46
    user: User
47
    token: str
48


49
def init_app(app) -> None:
50
    """Initialize Kerberos authentication for Flask application."""
51


52
def find_user(username: str | None = None, email: str | None = None) -> User | None:
53
    """
54
    Find user by username or email for Kerberos authentication.
55
    
56
    Args:
57
        username: Username to search for.
58
        email: Email address to search for.
59
        
60
    Returns:
61
        User object if found, None otherwise.
62
    """
63


64
def requires_authentication(
65
    function: T, 
66
    find_user: Callable[[str], BaseUser] | None = find_user
67
) -> T:
68
    """
69
    Decorator that requires Kerberos authentication for the decorated function.
70
    
71
    Args:
72
        function: The function to be decorated.
73
        find_user: Function to find user by username.
74
        
75
    Returns:
76
        Decorated function that enforces Kerberos authentication.
77
    """
78
```
79


80
### Session Authentication Backend
81


82
Flask session-based authentication for web interface access.
83


84
```python { .api }
85
def init_app(app) -> None:
86
    """Initialize session authentication for Flask application."""
87


88
def requires_authentication(function: T) -> T:
89
    """
90
    Decorator that requires session authentication for the decorated function.
91
    
92
    Args:
93
        function: The function to be decorated.
94
        
95
    Returns:
96
        Decorated function that enforces session authentication.
97
    """
98
```
99


100
## Usage Examples
101


102
### Basic Authentication Setup
103


104
```python
105
from airflow.providers.fab.auth_manager.api.auth.backend import basic_auth
106
from flask import Flask
107


108
app = Flask(__name__)
109


110
# Initialize basic auth backend
111
basic_auth.init_app(app)
112


113
# Use the decorator on API endpoints
114
@basic_auth.requires_authentication
115
def get_dags():
116
    """API endpoint requiring basic authentication."""
117
    user = basic_auth.auth_current_user()
118
    if user:
119
        return {"message": f"Hello {user.username}"}
120
    return {"error": "Authentication failed"}, 401
121
```
122


123
### Kerberos Authentication Setup
124


125
```python
126
from airflow.providers.fab.auth_manager.api.auth.backend import kerberos_auth
127
from flask import Flask
128


129
app = Flask(__name__)
130


131
# Initialize Kerberos auth backend
132
kerberos_auth.init_app(app)
133


134
# Use the decorator on API endpoints
135
@kerberos_auth.requires_authentication
136
def get_secure_data():
137
    """API endpoint requiring Kerberos authentication."""
138
    # User is available in Flask's g object after successful auth
139
    from flask import g
140
    return {"message": f"Authenticated as {g.user.username}"}
141


142
# Custom user lookup
143
def custom_find_user(username):
144
    """Custom user lookup function."""
145
    # Your custom logic to find user
146
    return kerberos_auth.find_user(username=username)
147


148
@kerberos_auth.requires_authentication(find_user=custom_find_user)
149
def custom_endpoint():
150
    """Endpoint with custom user lookup."""
151
    pass
152
```
153


154
### Session Authentication Setup
155


156
```python
157
from airflow.providers.fab.auth_manager.api.auth.backend import session
158
from flask import Flask
159


160
app = Flask(__name__)
161


162
# Initialize session auth backend
163
session.init_app(app)
164


165
# Use the decorator on web endpoints
166
@session.requires_authentication
167
def web_dashboard():
168
    """Web endpoint requiring session authentication."""
169
    # User is available through Flask-Login's current_user
170
    from flask_login import current_user
171
    return f"Welcome {current_user.get_full_name()}"
172
```
173


174
### Configuring Authentication in Airflow
175


176
```python
177
# In airflow.cfg or environment variables
178


179
[api]
180
# For basic auth
181
auth_backend = airflow.providers.fab.auth_manager.api.auth.backend.basic_auth
182


183
# For Kerberos auth  
184
auth_backend = airflow.providers.fab.auth_manager.api.auth.backend.kerberos_auth
185


186
# For session auth
187
auth_backend = airflow.providers.fab.auth_manager.api.auth.backend.session
188
```
189


190
### Custom Authentication Backend
191


192
```python
193
from airflow.providers.fab.auth_manager.api.auth.backend.basic_auth import requires_authentication
194
from airflow.providers.fab.auth_manager.models import User
195


196
def custom_auth_current_user() -> User | None:
197
    """Custom authentication logic."""
198
    # Your custom authentication logic here
199
    # Return User object if authenticated, None otherwise
200
    pass
201


202
# Apply authentication decorator to your endpoints
203
@requires_authentication  
204
def my_api_endpoint():
205
    user = custom_auth_current_user()
206
    if user:
207
        return {"status": "authenticated", "user": user.username}
208
    return {"status": "failed"}, 401
209
```
210


211
### Error Handling
212


213
```python
214
from flask import jsonify
215


216
def handle_auth_error():
217
    """Handle authentication errors."""
218
    return jsonify({
219
        "error": "Authentication required",
220
        "message": "Please provide valid credentials"
221
    }), 401
222


223
def handle_forbidden():
224
    """Handle authorization errors."""
225
    return jsonify({
226
        "error": "Forbidden", 
227
        "message": "Insufficient permissions"
228
    }), 403
229
```
230


231
## Authentication Flow
232


233
### Basic Auth Flow
234
1. Client sends request with `Authorization: Basic <credentials>` header
235
2. Backend decodes and validates credentials against user database
236
3. Returns User object if valid, None if invalid
237
4. Decorator allows/denies access based on result
238


239
### Kerberos Auth Flow  
240
1. Client initiates Kerberos handshake with `Authorization: Negotiate` header
241
2. Backend validates Kerberos token using GSSAPI
242
3. Extracts username from validated token
243
4. Looks up User object using find_user function
244
5. Stores user in Flask's g object for request duration
245


246
### Session Auth Flow
247
1. User logs in through web interface, creating Flask session
248
2. Subsequent requests include session cookie
249
3. Backend validates session and retrieves current_user
250
4. Decorator checks if user is authenticated via Flask-Login
251


252
## Types
253


254
```python { .api }
255
from typing import TypeVar, Callable, NamedTuple, TYPE_CHECKING
256
from airflow.auth.managers.models.base_user import BaseUser
257
from airflow.providers.fab.auth_manager.models import User
258


259
T = TypeVar("T", bound=Callable)
260


261
if TYPE_CHECKING:
262
    from flask import Flask
263
```
264


265
## Configuration Options
266


267
### Kerberos Configuration
268


269
```python
270
# Kerberos-specific configuration
271
KERBEROS_SERVICE_NAME = "HTTP"  # Service name for Kerberos
272
KERBEROS_HOSTNAME = None        # Hostname for Kerberos (None = auto-detect)
273
```
274


275
### Basic Auth Configuration
276


277
```python  
278
# No specific configuration required
279
# Uses standard HTTP Basic Authentication headers
280
```
281


282
### Session Configuration
283


284
```python
285
# Uses Flask-Login session management
286
# Configured through Flask application settings
287
SECRET_KEY = "your-secret-key"  # Required for session encryption
288
SESSION_COOKIE_SECURE = True   # HTTPS only cookies
289
SESSION_COOKIE_HTTPONLY = True # No JavaScript access
290
```