https://github.com/tristanbilot/airflow-rbac-roles-cli
A tool to create Airflow RBAC roles with dag-level permissions from cli.
https://github.com/tristanbilot/airflow-rbac-roles-cli
airflow cloud-composer data-engineering data-science gcp permissions pipeline rbac-roles
Last synced: 8 months ago
JSON representation
A tool to create Airflow RBAC roles with dag-level permissions from cli.
- Host: GitHub
- URL: https://github.com/tristanbilot/airflow-rbac-roles-cli
- Owner: TristanBilot
- Created: 2021-11-02T15:10:34.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2023-09-07T06:42:02.000Z (almost 3 years ago)
- Last Synced: 2025-09-13T18:13:47.279Z (9 months ago)
- Topics: airflow, cloud-composer, data-engineering, data-science, gcp, permissions, pipeline, rbac-roles
- Language: Python
- Homepage:
- Size: 10.7 KB
- Stars: 13
- Watchers: 2
- Forks: 6
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# airflow-rbac-roles-cli
Airflow provides a way to manage permissions: RBAC. However, this system is only available from UI. Many use cases such as the implementation of an Airflow orchestrator for multiple projects need to take profit of dag-level permissions in order to only authorize some users to access specific project dags. **Creating roles with dag-level permissions on multiple dags directly from the UI is very error-prone and time-consuming.**
That's why I created a script which given the **airflow url**, the **dag names** and the **new role name**, will automatically create the role with the needed permissions to access only these dags and not the other dags deployed on Airflow.
> The tool can be used to create roles for multiple projects inside a same Airflow.
## Usage
```shell
python3 rbac_roles_cli.py -u airflow_url -r new_role_name -d dag1 dag2
```
Will create a role named `new_role_name` on the airflow project at the url `airflow_url` with enough permissions to only manage the dags `dag1` and `dag2`.
Note that the permissions can be edited directly in the code and following the syntax used in the Airflow code.
## Compatibility with Cloud Composer
GCP offers Cloud Composer: a Google-managed Airflow. The script also work with Composer, you only need to add an argument to the command: the Google access-token. This token is used in order to access the Composer page which is protected by a Google authentication page.
```shell
python3 rbac_roles_cli.py -u airflow_url -r new_role_name -d dag1 dag2 -t access_token
```