Apache Airflow FAB Provider

3.6.0 · active · verified Sun Mar 29

The Apache Airflow FAB (Flask AppBuilder) Provider package integrates Flask-AppBuilder functionalities into Apache Airflow, primarily enhancing its User Interface (UI) and Role-Based Access Control (RBAC) capabilities. It is an actively maintained provider, with the current version being 3.6.0. New versions are released independently of core Airflow, following a strict SemVer policy, and can introduce database migrations.

Warnings

breaking Version incompatibility: `apache-airflow-providers-fab >= 2.0` is only compatible with Apache Airflow 3.x. If you are using Airflow 2.x, you must use `apache-airflow-providers-fab 1.x`.
Fix: For Airflow 2.x, downgrade to `apache-airflow-providers-fab==1.*`. For Airflow 3.x, ensure you use `apache-airflow-providers-fab >= 2.0`.
breaking Removed methods and properties: `is_authorized_dataset` was removed from `FabAuthManager`; use `is_authorized_asset` instead. `oauth_whitelists` property was removed; use `oauth_allow_list` instead. The authentication type `AUTH_OID` was also removed.
Fix: Update custom security manager implementations to use the new method/property names: `is_authorized_asset` and `oauth_allow_list`. Avoid using `AUTH_OID`.
gotcha Database migrations: Newer versions of the FAB provider can contain database schema changes. After upgrading the provider, you must run `airflow fab-db migrate` to apply these changes.
Fix: Always run `airflow fab-db migrate` after upgrading the `apache-airflow-providers-fab` package. If `FABDBManager` is configured in `[core] external_db_managers`, migrations might run automatically with `airflow db migrate`.
deprecated Deprecated configurations and Kerberos authentication removed. Various deprecated classes, parameters, and features have been removed from the provider package.
Fix: Review the changelog for specific removals and update your Airflow configurations (`airflow.cfg`) and custom code to use supported alternatives.
gotcha Insufficient Session Expiration vulnerability in older versions: When a user password was changed via the admin CLI, existing sessions for that user were not cleared, leading to prolonged access.
Fix: Upgrade to `apache-airflow-providers-fab >= 1.5.2` to resolve this vulnerability. (Note: Current version 3.6.0 is not affected).
gotcha Configuration for authentication: For most supported authentication options, the new `auth_manager` framework configured in `airflow.cfg` is preferred. `webserver_config.py` is still used for more advanced options like Single Sign-On (SSO) with OAuth.
Fix: Prioritize `airflow.cfg` for standard authentication configurations. Use `webserver_config.py` only when advanced customization or SSO integrations are necessary.

Install

pip install apache-airflow-providers-fab Install latest version

Imports

FabAirflowSecurityManagerOverride
```
from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
```
Commonly imported for customizing Airflow's security manager using Flask AppBuilder.

Quickstart

This provider primarily extends Airflow's UI and RBAC. A common interaction is through Airflow's CLI for user management, which leverages the Flask AppBuilder backend provided by this package. For advanced authentication methods like OAuth/SSO, customization of `webserver_config.py` is required.

# This provider enhances Airflow's UI/RBAC; direct code interaction is mostly via Airflow CLI or configuration.
# Ensure Airflow is running with this provider installed.
# Example: Creating a user via Airflow CLI (which uses the FAB backend):
# Make sure to run this command in your Airflow environment where `apache-airflow-providers-fab` is installed.
# Replace sensitive details with environment variables in a production setup.

import os

# Example of setting up environment variables for a new user
# In a real scenario, you'd execute this via command line or a script,
# not directly in a Python quickstart meant for direct execution.
# For demonstration, assume these are set or replaced by actual values.
admin_username = os.environ.get('AIRFLOW_ADMIN_USERNAME', 'admin')
admin_firstname = os.environ.get('AIRFLOW_ADMIN_FIRSTNAME', 'Airflow')
admin_lastname = os.environ.get('AIRFLOW_ADMIN_LASTNAME', 'User')
admin_role = os.environ.get('AIRFLOW_ADMIN_ROLE', 'Admin')
admin_email = os.environ.get('AIRFLOW_ADMIN_EMAIL', 'admin@example.com')
admin_password = os.environ.get('AIRFLOW_ADMIN_PASSWORD', 'supersecretpassword')

# This command would typically be run in your shell:
# airflow users create \
#     -u "${AIRFLOW_ADMIN_USERNAME}" \
#     -f "${AIRFLOW_ADMIN_FIRSTNAME}" \
#     -l "${AIRFLOW_ADMIN_LASTNAME}" \
#     -r "${AIRFLOW_ADMIN_ROLE}" \
#     -e "${AIRFLOW_ADMIN_EMAIL}" \
#     -p "${AIRFLOW_ADMIN_PASSWORD}"

print(f"To create an Airflow user via CLI (using FAB provider's backend), run:\n")
print(f"airflow users create -u {admin_username} -f {admin_firstname} -l {admin_lastname} -r {admin_role} -e {admin_email} -p {admin_password}")
print(f"\nFor advanced authentication (e.g., OAuth), configure `webserver_config.py` as described in Airflow documentation.")

view raw JSON →