14 Securing Airflow


This chapter covers:

  • Examining and configuring the RBAC interface for controlling access
  • Granting access to a central set of users by connecting with an LDAP service
  • Configuring a Fernet key to encrypt secrets in the database
  • Securing traffic between your browser and the webserver
  • Fetching secrets from a central secret management systems

Airflow, by default, is open to the world. That means anybody who knows Airflow’s address can connect and operate without limitations. This can be particularly threatening when the machine you’re running Airflow on is accessible via the internet. This situation is not uncommon when working in the cloud, where a machine can be made accessible to the world with a single tick.

To avoid unwanted access, we discuss the security of Airflow in this chapter. We cover various security-related use cases and elaborate on these with practical examples. Security is often deemed a topic of black magic, with a wide plethora of technologies, abbreviations, and intricate details to know. While this is not untrue, we wrote this chapter for a reader with little security knowledge in mind, and hence demonstrate various highlights to avoid unwanted actions on your Airflow installation, which should serve as a starting point.


Airflow 1.* comes with two interfaces:

1. The “original” interface, developed on top of Flask-Admin

2. The “RBAC” interface, developed on top of Flask-AppBuilder (FAB)

14.1  Introducing the RBAC interface

14.1.1    Adding users to the RBAC interface

14.1.2   Configuring the RBAC interface

14.2  Encrypting data at rest

14.2.1    Creating a Fernet key

14.3  Connecting with an LDAP service

14.3.1  Understanding LDAP

14.3.2    Fetching users from an LDAP service

14.4   Encrypting traffic to the webserver

14.4.1    Understanding HTTPS

4.4.2    Configuring a certificate for HTTPS

14.5  Fetching credentials from secret management systems

14.6  Summary