13 Securing Airflow

 

This chapter covers:

  • Examining and configuring the RBAC interface for controlling access
  • Granting access to a central set of users by connecting with an LDAP service
  • Configuring a Fernet key to encrypt secrets in the database
  • Securing traffic between your browser and the webserver
  • Fetching secrets from a central secret management system

Airflow sits like a spider in a web, orchestrating series of tasks. It must therefore connect with many systems, which makes it a desirable target to gain access to. To help you avoid unwanted access, this chapter discusses the security of Airflow. We cover various security-related use cases and elaborate on them with practical examples. Security is often deemed a topic of black magic, with a plethora of technologies, abbreviations, and intricate details to know. While this is not untrue, we wrote this chapter with a reader with little security knowledge in mind. We therefore highlight the key points for avoiding unwanted actions on your Airflow installation, which should serve as a starting point.

NOTE Airflow 1.* comes with two interfaces:

  1. The “original” interface, developed on top of Flask-Admin
  2. The “RBAC” interface, developed on top of Flask-AppBuilder (FAB)

13.1  Securing the Airflow web interface

13.1.1    Adding users to the RBAC interface

13.1.2    Configuring the RBAC interface

13.2  Encrypting data at rest

13.2.1    Creating a Fernet key

13.3  Connecting with an LDAP service

13.3.1    Understanding LDAP

13.3.2    Fetching users from an LDAP service

13.4  Encrypting traffic to the webserver

13.4.1    Understanding HTTPS

13.4.2    Configuring a certificate for HTTPS

13.5  Fetching credentials from secret management systems

13.6  Summary