Airflow Web Password Configuration

[nava-datavid]

Official Helm Chart version

1.18.0 (latest released)

Apache Airflow version

3.0.2

Kubernetes Version

1.31

Helm Chart configuration

No response

Docker Image customizations

No response

What happened

the web server password is getting generated every time i deploy airflow chart. Is there a way i can statically provide the password for web?

The admin password is printed in the log and stored in a text file /opt/airflow/simple_auth_manager_passwords.json.generated , even i tried mounting the file as secret but i'm getting permission denied error

Earlier in version 2.8+, airflow users command was present and job was sufficent to create the user. In 3.0.x i' not sure how this can be managed.

What you think should happen instead

No response

How to reproduce

Just deploy the chart with simple auth enabled.

Anything else

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg[bot]]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

[nava-datavid]

sorry the version of helm chart is 1.19.0-dev

[prakass1]

Maybe you meant the airflow UI username and password being generated every time you spin up helm chart. If you are deploying the helm chart and would like to keep the password constant, you can do the following:

One of the option that can be done is to override the values.yaml with custom setting for the following under webserver section:
override.yaml

webserver:
  # Create initial user.
  defaultUser:
    enabled: true
    role: Admin
    username: admin
    email: admin@example.com
    firstName: admin
    lastName: user
    password: test123! # You can provide this to be coming externally part of your pipeline from some secrets

Then you would deploy helm chart with helm install airflow apache-airflow/airflow -f override.yaml --namespace <your_ns> This then will take the password you specify. Note that, if you are using postgres container part of the helm chart then remove the persistence volume and claim and retry.

For a production setup, you can get the value for the secret from some service like AWS Secrets Manager, populate it to the override.yaml part of the deployment.

[prakass1]

Currently, the defaultUser is under webserver. However, I think that it would be better to move this section out from webserver in the values.yaml in general. This way, the deaultUser would then not be required to be tied to webserver component.

The impact of this would be to values.schema.json, values.yaml, and create-user-job.

@jedcunningham @potiuk what do you think about it?

[nava-datavid]

your suggestion works well with old charts (airflow version < 3.X.X , but in the latest airflow airflow users create command is not there

createUserJob:
  # Limit the lifetime of the job object after it finished execution.
  ttlSecondsAfterFinished: 300
  # Command to use when running the create user job (templated).
  command: ~
  # Args to use when running the create user job (templated).
  args:
    - "bash"
    - "-c"
    # The format below is necessary to get `helm lint` happy
    - |-
      exec \
      airflow {{ semverCompare ">=2.0.0" .Values.airflowVersion | ternary "users create" "create_user" }} "$@"
    - --
    - "-r"
    - "{{ .Values.webserver.defaultUser.role }}"
    - "-u"
    - "{{ .Values.webserver.defaultUser.username }}"
    - "-e"
    - "{{ .Values.webserver.defaultUser.email }}"
    - "-f"
    - "{{ .Values.webserver.defaultUser.firstName }}"
    - "-l"
    - "{{ .Values.webserver.defaultUser.lastName }}"
    - "-p"
    - "{{ .Values.webserver.defaultUser.password }}"

the job which creates the default user will not work

airflow cli has no more users option

airflow@rover-airflow-webserver-5fc9fb7964-25x6b:/opt/airflow$ airflow
Usage: airflow [-h] GROUP_OR_COMMAND ...

Positional Arguments:
  GROUP_OR_COMMAND

    Groups
      assets            Manage assets
      backfill          Manage backfills
      celery            Celery components
      config            View configuration
      connections       Manage connections
      dags              Manage DAGs
      db                Database operations
      jobs              Manage jobs
      pools             Manage pools
      providers         Display providers
      tasks             Manage tasks
      variables         Manage variables

    Commands:
      api-server        Start an Airflow API server instance
      cheat-sheet       Display cheat sheet
      dag-processor     Start a dag processor instance
      info              Show information about current Airflow and environment
      kerberos          Start a kerberos ticket renewer
      plugins           Dump information about loaded plugins
      rotate-fernet-key
                        Rotate encrypted connection credentials and variables
      scheduler         Start a scheduler instance
      standalone        Run an all-in-one copy of Airflow
      triggerer         Start a triggerer instance
      version           Show the version

[prakass1]

I am using helm chart 1.18.0, which has airflow image version 3.0.2, and that works all fine for me. This is the stable released version.

[potiuk]

airflow cli has no more users option

Because you are using SimpleAuthManager by default. That was a change in Airflow 3 clearly documented in changelog. If you want to use FABAuthManager and "create users" command you need to configure FABAuthManager as auth manager you use.

The admin password is printed in the log and stored in a text file /opt/airflow/simple_auth_manager_passwords.json.generated , even i tried mounting the file as secret but i'm getting permission denied error

Correct - that is the change in Airlfow 3 with SimpleAuthManager being default (yet only useful for development and testing). If you wish to use "production" ready Auth Manager - you can switch to FabAuthManager (to preserve Airflow 2 compatibility of users management) and in Airflow 3.1 you will also be able to also use KeyCloakAuthManager which will allow to delegate RBAC control out to KeyCloak where you will be able to map your "enterprise" users to Airflow users and their permissions.

Nothing extraordinary here. Everything communicated and described in Airflow 3 Release Notes including links to appropriate documentation.

Yes. It's a change vs default Airflow 2 behaviour and you have no other choice but to adapt.

[potiuk]

Converted to discussion if more discussion is needed.

[prakass1]

On another note, do you think considering #54094 (comment) would be beneficial to not tie up defaultUser with webserver ?