Setup role based authentication and authorization for Airflow UI #102
Comments
|
Status: Tested with 2 different roles but issues with MCP roles. To follow with MCP regarding adding/remove Admin.
|
|
Had a chat with Gabe from MCP, considering temporary users to test with various roles (because we always have the admin role). Need the extra roles to test each situation. Some data persistence issue currently being troubleshooted. |
|
To be discussed with Gabe when Ramesh is back. |
|
Ramesh looks at Cognito authentication as an alternative to solve the issue. That allows to attach specific IAM policies to users which match with their actual authorization. |
|
Tested COgnito integration with the approach proposed with the following Amazon articles. Accessing a private Amazon MWAA environment using federated identities Application load balancer single-sign-on for Amazon MWAA There was a problem related with validating the digital signature of the access token. The documentation says, that issue will not be there, when the lambda zip file is built on a linux system with required cryptography libraries. Regardless of that, it was possible to test the MWAA Role-based access with Cognito users. |
|
If we do not want to use Cognito for Nucleus users, another option available creating AWS accounts for user, create MWAA IAM for those users such as View, Ops, Admin etc. This option is much easier to implement technically, compared to the Cognito option. |
|
@ramesh-maddegoda need to present the architecture to the JPL SA's to validate it for production. |
|
@ramesh-maddegoda provided the architecture proposed to the SAs. |
|
We decided to move forward with the Cognito based authentication. |
💡 Description
At the moment, those who have access to the MCP AWS account can use many functionalities of MWAA. It is required restrict the features based on roles of users.
⚔️ Parent Epic / Related Tickets
No response
The text was updated successfully, but these errors were encountered: