14 Securing Airflow
This chapter covers:
- Examining and configuring the RBAC interface for controlling access
- Granting access to a central set of users by connecting with an LDAP service
- Configuring a Fernet key to encrypt secrets in the database
- Securing traffic between your browser and the webserver
- Fetching secrets from a central secret management systems
Airflow, by default, is open to the world. That means anybody who knows Airflow’s address can connect and operate without limitations. This can be particularly threatening when the machine you’re running Airflow on is accessible via the internet. This situation is not uncommon when working in the cloud, where a machine can be made accessible to the world with a single tick.
To avoid unwanted access, we discuss the security of Airflow in this chapter. We cover various security-related use cases and elaborate on these with practical examples. Security is often deemed a topic of black magic, with a wide plethora of technologies, abbreviations, and intricate details to know. While this is not untrue, we wrote this chapter for a reader with little security knowledge in mind, and hence demonstrate various highlights to avoid unwanted actions on your Airflow installation, which should serve as a starting point.
Airflow 1.* comes with two interfaces:
1. The “original” interface, developed on top of Flask-Admin
2. The “RBAC” interface, developed on top of Flask-AppBuilder (FAB)