DEV Community: Guillaume Renaudin The latest articles on DEV Community by Guillaume Renaudin (@rguillome). https://dev.to/rguillome https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F266187%2F725c8af9-6578-4cd0-97e5-697070a42244.png DEV Community: Guillaume Renaudin https://dev.to/rguillome en Multi-tenant in Airflow is almost there Guillaume Renaudin Mon, 17 Mar 2025 08:44:39 +0000 https://dev.to/zenika/multi-tenant-in-airflow-is-almost-there-1fdp https://dev.to/zenika/multi-tenant-in-airflow-is-almost-there-1fdp <p><em>Photo of Oksana Lyniv by Oliver Wolf pic (<a href="https://creativecommons.org/licenses/by/4.0/" rel="noopener noreferrer">License CC BY 4.0</a>)</em></p> <p>When considering <em>multi-tenancy</em>, it is often associated with SaaS applications. However, most of my clients do not seem to be involved because they typically address internal needs.</p> <p>But these days, a new paradigm is rising. It's called <strong>Platform Engineering</strong>. And it doesn't target only operational software but also data related products. <br> We need to develop accessible data tools for corporate end users, sush as dashboards and ETL services.</p> <p>Therefore, providing Airflow with multi-tenant capabilities is essential.</p> <p>Nearly four years ago, someone questioned the community on Stack Overflow <a href="https://stackoverflow.com/a/68621317" rel="noopener noreferrer">about how to provide a multi-team feature with Airflow</a>. Jarek Potiuk, a main Airflow contributor, provided a very comprehensive <a href="https://stackoverflow.com/a/68621317" rel="noopener noreferrer">answer</a>. In summary, he explained that Airflow did not yey provide a multi-tenancy feature. He went further adding that, even if in the next months this could be designed and implemented in <strong>Airflow 3</strong>, from it side, the multi-tenancy should be still adressed with <strong>multiple Airflow instances</strong> in some context where isolation is a must have.</p> <p>Finally, <a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=89066609" rel="noopener noreferrer">AIP-1</a>, an <strong>A</strong>irflow <strong>I</strong>mprovement <strong>P</strong>roposal, aimed to enhance the Airflow security in all the dag lifecycle (from submission to execution), starts feeding the discussion of the multi-tenancy design.</p> <p>The <a href="https://cwiki.apache.org/confluence/display/AIRFLOW/AIP-43+DAG+Processor+separation" rel="noopener noreferrer">AIP-43</a> and <a href="https://cwiki.apache.org/confluence/display/AIRFLOW/AIP-44+Airflow+Internal+API" rel="noopener noreferrer">AIP-44</a> provided an initial solution to implement this feature as early as Airflow 2. 🤩</p> <p>⚠️ As described in the <a href="https://cwiki.apache.org/confluence/display/AIRFLOW/AIP-44+Airflow+Internal+API" rel="noopener noreferrer">AIP-44</a>, the Airflow 2 changes are <em>experimental</em> and they already provide a PR to remove these changes for the AF 3 version. You need to run at least Airflow version 2.10.4.</p> <p>Of course the previously mentioned AIPs do not provide a complete multi-tenant feature because it's missing the ressources (like variables and connection) isolation between tasks. This is one of the goals of the <a href="https://cwiki.apache.org/confluence/display/AIRFLOW/AIP-72+Task+Execution+Interface+aka+Task+SDK" rel="noopener noreferrer">AIP-72</a>, which will only be implemented with Airflow 3.</p> <p>With Airflow 2, the only isolation that can be proposed is with team-worker-specific instance and so with worker specific configuration (Environment variables or local files).</p> <p>The next part is a demonstration of how to apply configuration in Airflow 2 to isolate DAG code between teams in a company and how to make sure that a team A can't access ressources (machines, databases, file shares, etc.) owned by another team.</p> <h2> How-to Implement Sort of Multi-Tenancy with Airflow 2 </h2> <p>In the next steps, we will: </p> <ol> <li>Configure Airflow to load dags from team dedicated directories</li> <li>Give each user permission to see only dags related to its team</li> <li>Attach one worker to a team. Shares rights and network specific policies are team specific</li> </ol> <p>All the steps start from the <a href="https://airflow.apache.org/docs/apache-airflow/stable/howto/docker-compose/index.html#running-airflow-in-docker" rel="noopener noreferrer">Airflow Docker installation</a>. Previously you must, follow all the installation steps before going through the next instruction.<br> ‼️ Stop just before runnint <code>docker compose up</code> at the <a href="https://airflow.apache.org/docs/apache-airflow/stable/howto/docker-compose/index.html#running-airflow" rel="noopener noreferrer">Running Airflow paragraph</a>.</p> <h3> Step 1: Split DagProcessor for Scheduler </h3> <p>According to the <a href="https://airflow.apache.org/docs/apache-airflow/stable/authoring-and-scheduling/dagfile-processing.html" rel="noopener noreferrer">documentation</a>, set the environment variable <code>AIRFLOW__SCHEDULER__STANDALONE_DAG_PROCESSOR</code> to <code>True</code>.<br> So in the <code>docker-compose.yaml</code> file, add a new line :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code> _PIP_ADDITIONAL_REQUIREMENTS: ${_PIP_ADDITIONAL_REQUIREMENTS:-} # The following line can be used to set a custom config file, stored in the local config folder # If you want to use it, outcomment it and replace airflow.cfg with the name of your config file # AIRFLOW_CONFIG: '/opt/airflow/config/airflow.cfg' + AIRFLOW__SCHEDULER__STANDALONE_DAG_PROCESSOR: "true" AIRFLOW__WEBSERVER__EXPOSE_CONFIG: "true" AIRFLOW__LOGGING__DAG_PROCESSOR_LOG_LEVEL: "DEBUG" AIRFLOW__LOGGING__LOGGING_LEVEL: "INFO" </code></pre> </div> <h3> Step 2: Define a Dag Processor for Each Team </h3> <p>We will assume that we have two teams : <strong>team1</strong> and <strong>team2</strong> and each of them will have a dedicated directory under <code>/opt/airflow/dags</code>, which is the default dags folder.</p> <p>Here are two new services, one for each processor in the <code>docker-compose.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">airflow-dag-processor-team1</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*airflow-common</span> <span class="na">command</span><span class="pi">:</span> <span class="s">dag-processor --subdir /opt/airflow/dags/team1/</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">curl"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--fail"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">http://localhost:8974/health"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">start_period</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*airflow-common-depends-on</span> <span class="na">airflow-init</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_completed_successfully</span> <span class="na">airflow-dag-processor-team2</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*airflow-common</span> <span class="na">command</span><span class="pi">:</span> <span class="s">dag-processor --subdir /opt/airflow/dags/team2/</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">curl"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--fail"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">http://localhost:8974/health"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">start_period</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*airflow-common-depends-on</span> <span class="na">airflow-init</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_completed_successfully</span> </code></pre> </div> <p>As you can see, the command is <code>dag-processor</code> followed by the <code>subdir</code> argument and its value, the path to the team's DAGs directory.</p> <h3> Step 3: Configure a Worker for Each Team </h3> <p>By replacing the default worker:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">airflow-worker</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*airflow-common</span> <span class="na">command</span><span class="pi">:</span> <span class="s">celery worker</span> <span class="pi">[</span><span class="nv">...</span><span class="pi">]</span> </code></pre> </div> <p>With :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">airflow-worker-team1</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*airflow-common</span> <span class="na">command</span><span class="pi">:</span> <span class="s">celery worker -q team1</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="c1"># yamllint disable rule:line-length</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">CMD-SHELL"</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">celery</span><span class="nv"> </span><span class="s">--app</span><span class="nv"> </span><span class="s">airflow.providers.celery.executors.celery_executor.app</span><span class="nv"> </span><span class="s">inspect</span><span class="nv"> </span><span class="s">ping</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">"celery@$${HOSTNAME}"</span><span class="nv"> </span><span class="s">||</span><span class="nv"> </span><span class="s">celery</span><span class="nv"> </span><span class="s">--app</span><span class="nv"> </span><span class="s">airflow.executors.celery_executor.app</span><span class="nv"> </span><span class="s">inspect</span><span class="nv"> </span><span class="s">ping</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">"celery@$${HOSTNAME}"'</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">start_period</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*airflow-common-env</span> <span class="c1"># Required to handle warm shutdown of the celery workers properly</span> <span class="c1"># See https://airflow.apache.org/docs/docker-stack/entrypoint.html#signal-propagation</span> <span class="na">DUMB_INIT_SETSID</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*airflow-common-depends-on</span> <span class="na">airflow-init</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_completed_successfully</span> <span class="na">airflow-worker-team2</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*airflow-common</span> <span class="na">command</span><span class="pi">:</span> <span class="s">celery worker -q team2</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="c1"># yamllint disable rule:line-length</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">CMD-SHELL"</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">celery</span><span class="nv"> </span><span class="s">--app</span><span class="nv"> </span><span class="s">airflow.providers.celery.executors.celery_executor.app</span><span class="nv"> </span><span class="s">inspect</span><span class="nv"> </span><span class="s">ping</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">"celery@$${HOSTNAME}"</span><span class="nv"> </span><span class="s">||</span><span class="nv"> </span><span class="s">celery</span><span class="nv"> </span><span class="s">--app</span><span class="nv"> </span><span class="s">airflow.executors.celery_executor.app</span><span class="nv"> </span><span class="s">inspect</span><span class="nv"> </span><span class="s">ping</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">"celery@$${HOSTNAME}"'</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">start_period</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*airflow-common-env</span> <span class="c1"># Required to handle warm shutdown of the celery workers properly</span> <span class="c1"># See https://airflow.apache.org/docs/docker-stack/entrypoint.html#signal-propagation</span> <span class="na">DUMB_INIT_SETSID</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*airflow-common-depends-on</span> <span class="na">airflow-init</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_completed_successfully</span> </code></pre> </div> <p>As you can see, each worker runs with the argument <code>-q &lt;team_name&gt;</code> so each worker will execute only tasks from its configured queue.</p> <p>ℹ️ The dedicated team worker is where you could enforce security of connection, ressources (network policies) or variables and made them specific to a team.</p> <h3> Step 4: Add a Cluster Policy to Redirect Tasks </h3> <p>To route each DAG's task to a specific worker, we need to build a <a href="https://airflow.apache.org/docs/apache-airflow/stable/administration-and-deployment/cluster-policies.html#airflow.policies.task_policy" rel="noopener noreferrer">cluster task policy</a>.</p> <p>In the directory <code>config</code> of the <code>AIRFLOW_HOME</code> variable, add a file <code>airflow_local_settings</code> with the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">airflow.models</span> <span class="kn">import</span> <span class="n">DAG</span><span class="p">,</span> <span class="n">BaseOperator</span> <span class="kn">from</span> <span class="n">airflow.policies</span> <span class="kn">import</span> <span class="n">hookimpl</span> <span class="kn">from</span> <span class="n">airflow.exceptions</span> <span class="kn">import</span> <span class="n">AirflowClusterPolicyViolation</span> <span class="kn">import</span> <span class="n">re</span> <span class="n">pattern</span> <span class="o">=</span> <span class="sa">r</span><span class="sh">"</span><span class="s">^([^/]+)/.+\.py$</span><span class="sh">"</span> <span class="nd">@hookimpl</span> <span class="k">def</span> <span class="nf">task_policy</span><span class="p">(</span><span class="n">task</span><span class="p">:</span> <span class="n">BaseOperator</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Task policy activated : task.dag.filepath : </span><span class="si">{</span><span class="n">task</span><span class="p">.</span><span class="n">dag</span><span class="p">.</span><span class="n">filepath</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">match</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="n">pattern</span><span class="p">,</span> <span class="n">task</span><span class="p">.</span><span class="n">dag</span><span class="p">.</span><span class="n">filepath</span><span class="p">)</span> <span class="k">if</span> <span class="n">match</span><span class="p">:</span> <span class="n">task</span><span class="p">.</span><span class="n">queue</span> <span class="o">=</span> <span class="n">match</span><span class="p">.</span><span class="nf">group</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">AirflowClusterPolicyViolation</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">DAG </span><span class="si">{</span><span class="n">task</span><span class="p">.</span><span class="n">dag</span><span class="p">.</span><span class="n">dag_id</span><span class="si">}</span><span class="s"> is not in the correct path location. File path: </span><span class="si">{</span><span class="n">task</span><span class="p">.</span><span class="n">dag</span><span class="p">.</span><span class="n">filepath</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <p>From the task dag filepath (or fileloc since filepath is deprecated), the name of the team will be extracted and for each task the correspond queue will be targeted with <code>task.queue = match.group(1)</code>.</p> <p>⚠️ It's important to understand that security relies on the team dag directory access rights. So you must control who can add (write) a dag in this directory. It could be a human user or one assigned to a tool like a ci/cd job. </p> <h3> Step 5: Add DAG Samples to Test </h3> <p>So we need to add two dags one in the directory <code>dags/team1</code> and the other in the directory <code>dags/team2</code>.<br> For testing purpose, we choose this <a href="https://airflow.apache.org/docs/apache-airflow/stable/_modules/airflow/example_dags/tutorial.html" rel="noopener noreferrer">sample</a>.</p> <p>What you need to do is only, to modify the dag name, add access_control, eventualy its description and why not adding a tag with the team name.</p> <p>Example for the team1 DAG:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">with</span> <span class="nc">DAG</span><span class="p">(</span> <span class="sh">"</span><span class="s">tutorial_team1</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># These args will get passed on to each operator </span> <span class="c1"># You can override them on a per-task basis during operator initialization </span> <span class="n">default_args</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">depends_on_past</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">airflow@example.com</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">email_on_failure</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">email_on_retry</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">retries</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">retry_delay</span><span class="sh">"</span><span class="p">:</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="mi">5</span><span class="p">),</span> <span class="c1"># 'queue': 'bash_queue', </span> <span class="c1"># 'pool': 'backfill', </span> <span class="c1"># 'priority_weight': 10, </span> <span class="c1"># 'end_date': datetime(2016, 1, 1), </span> <span class="c1"># 'wait_for_downstream': False, </span> <span class="c1"># 'sla': timedelta(hours=2), </span> <span class="c1"># 'execution_timeout': timedelta(seconds=300), </span> <span class="c1"># 'on_failure_callback': some_function, # or list of functions </span> <span class="c1"># 'on_success_callback': some_other_function, # or list of functions </span> <span class="c1"># 'on_retry_callback': another_function, # or list of functions </span> <span class="c1"># 'sla_miss_callback': yet_another_function, # or list of functions </span> <span class="c1"># 'on_skipped_callback': another_function, #or list of functions </span> <span class="c1"># 'trigger_rule': 'all_success' </span> <span class="p">},</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">A simple tutorial DAG team1</span><span class="sh">"</span><span class="p">,</span> <span class="n">schedule</span><span class="o">=</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">1</span><span class="p">),</span> <span class="n">start_date</span><span class="o">=</span><span class="nf">datetime</span><span class="p">(</span><span class="mi">2021</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span> <span class="n">catchup</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">access_control</span><span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Team1</span><span class="sh">"</span> <span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">can_read</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">can_edit</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">can_delete</span><span class="sh">"</span><span class="p">}</span> <span class="p">}</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">team1</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="k">as</span> <span class="n">dag</span><span class="p">:</span> <span class="p">[...]</span> </code></pre> </div> <p>🔒 See the <code>access_control</code> which associated with permissions and roles control whose users can interact with those dags.</p> <h3> Step 6: Provide Team Users and Give Them Rigths </h3> <p>First, we need to create two roles : one for each team. Of course, you could create more than one role for each team, for example to separate viewers and operators.<br> We need also to add permissions that will associate dag to roles.</p> <p>With the airflow cli provided with the docker-compose write: </p> <ol> <li>A role creation command: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose run airflow-worker-team1 airflow roles create Team1 </code></pre> </div> <ol> <li>Add standard permissions to the role:</li> <li>First, launch a shell: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose run airflow-worker-team1 bash </code></pre> </div> <ul> <li>Then launch all of these: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Associative array to hold resources and their corresponding actions</span> <span class="nb">declare</span> <span class="nt">-A</span> <span class="nv">permissions</span><span class="o">=(</span> <span class="o">[</span><span class="s2">"My Password"</span><span class="o">]=</span><span class="s2">"can_edit can_read"</span> <span class="o">[</span><span class="s2">"My Profile"</span><span class="o">]=</span><span class="s2">"can_edit can_read"</span> <span class="o">[</span><span class="s2">"DAG Runs"</span><span class="o">]=</span><span class="s2">"can create can_read can_edit menu_access"</span> <span class="o">[</span><span class="s2">"Browse"</span><span class="o">]=</span><span class="s2">"menu_access"</span> <span class="o">[</span><span class="s2">"Jobs"</span><span class="o">]=</span><span class="s2">"can_read menu_access"</span> <span class="o">[</span><span class="s2">"Task Instances"</span><span class="o">]=</span><span class="s2">"can_read"</span> <span class="o">[</span><span class="s2">"DAG Dependencies"</span><span class="o">]=</span><span class="s2">"can_read menu_access"</span> <span class="o">[</span><span class="s2">"DAG Code"</span><span class="o">]=</span><span class="s2">"can_read"</span> <span class="o">[</span><span class="s2">"Import Error"</span><span class="o">]=</span><span class="s2">"can_read"</span> <span class="o">[</span><span class="s2">"Task logs"</span><span class="o">]=</span><span class="s2">"can_read"</span> <span class="o">[</span><span class="s2">"Website"</span><span class="o">]=</span><span class="s2">"can_read"</span> <span class="o">)</span> <span class="c"># Iterate over the associative array and add permissions using the Airflow CLI</span> <span class="k">for </span>resource <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="p">!permissions[@]</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="k">do </span><span class="nv">actions</span><span class="o">=</span><span class="k">${</span><span class="nv">permissions</span><span class="p">[</span><span class="nv">$resource</span><span class="p">]</span><span class="k">}</span> <span class="k">for </span>action <span class="k">in</span> <span class="nv">$actions</span><span class="p">;</span> <span class="k">do</span> <span class="c"># Construct and execute the Docker Compose command</span> <span class="nb">command</span><span class="o">=</span><span class="s2">"airflow roles add-perms Team1 -a </span><span class="se">\"</span><span class="nv">$action</span><span class="se">\"</span><span class="s2"> -r </span><span class="se">\"</span><span class="nv">$resource</span><span class="se">\"</span><span class="s2">"</span> <span class="nb">echo</span> <span class="nv">$command</span> <span class="nb">eval</span> <span class="nv">$command</span> <span class="k">done done</span> </code></pre> </div> <p>😪 It can take a while...<br> Then, you need to create users. For example, <code>user1</code> belongs to <em>team1</em> and <code>user2</code> to <em>team2</em>.</p> <ol> <li>A user who will have this role </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose run airflow-worker-team1 airflow <span class="nb">users </span>create <span class="se">\</span> <span class="nt">-e</span> user1@team1.com <span class="se">\</span> <span class="nt">-f</span> user1 <span class="se">\</span> <span class="nt">-l</span> user1 <span class="se">\</span> <span class="nt">-p</span> <span class="k">*******</span> <span class="se">\</span> <span class="nt">-u</span> user1 <span class="se">\</span> <span class="nt">--role</span> Team1 </code></pre> </div> <p>🛎️ Don't forget to edit the password <code>*******</code></p> <p>And that's it! 🎉</p> <p>Try to log in with <code>user1</code>; you should view and be able only one DAG!</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqikiarr9a57tridr40sr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqikiarr9a57tridr40sr.png" alt="Image description" width="800" height="502"></a></p> <p>Run the dag, and you should see the worker1 executing it :</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6ia7sdh5a1rmybvexing.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6ia7sdh5a1rmybvexing.png" alt="Image description" width="800" height="49"></a></p> data multitenant airflow Fix a resource locations organisation constraint while deploying Google App Engine with Docker based Application Guillaume Renaudin Mon, 08 Aug 2022 15:32:00 +0000 https://dev.to/zenika/fix-a-resource-locations-organisation-constraint-while-deploying-google-app-engine-with-docker-based-application-935 https://dev.to/zenika/fix-a-resource-locations-organisation-constraint-while-deploying-google-app-engine-with-docker-based-application-935 <h2> The case </h2> <p>You want to deploy a Google App Engine Docker based Application (<code>gcloud app deploy</code>) but your organization enabled the resource locations constraint and you've quickly encountered the following message : </p> <blockquote> <p>'us' violates constraint ‘constraints/gcp.resourceLocations’</p> </blockquote> <p>or maybe it was <em>'eu'</em> instead of 'us'</p> <p>For example, my organization wants to target only <em>low CO2</em> 🌱 identified regions.</p> <h2> Reason </h2> <p>💡 This is because neither <em>'us'</em> nor <em>'eu'</em> multi-region groups are present in your <code>constraints/gcp.resourceLocations</code> organization policy.<br> To check the complete list, go to the Google Cloud console, in <em>IAM an admin</em> menu and in <em>Organisation Policies</em>, look for the <code>constraints/gcp.resourceLocations</code> policy and find what are the allowed ones ✅.</p> <p>Because for a multi-region groups, not all the individual region are <em>low CO2</em> ones, my organization cannot allowed the groups.</p> <h2> Solution </h2> <p>The solution is to specify in which region our container registry should be. But the service Google Container Registry doesn't provide this option. <br> Luckely 🍀, Google provides and recommands another service <a href="https://cloud.google.com/artifact-registry/" rel="noopener noreferrer">Artifact registry</a>. In the meantime, you should also drop the Google Cloud Build step in the App Engine deployment process by giving the <code>--image-url</code> argument as described (here)[<a href="https://cloud.google.com/artifact-registry/docs/integrate-app-engine" rel="noopener noreferrer">https://cloud.google.com/artifact-registry/docs/integrate-app-engine</a>]</p> <p>Your new process to deploy is : </p> <ol> <li>Create an Artifact registry repository : <a href="https://cloud.google.com/artifact-registry/docs/repositories/create-repos#create" rel="noopener noreferrer">https://cloud.google.com/artifact-registry/docs/repositories/create-repos#create</a> </li> <li>Build and tag the Docker image with the following tag name <code>[LOCATION]-docker.pkg.dev/[PROJECT-ID]/[REPOSITORY]/[IMAGE]:[TAG]</code> </li> <li>Deploy your application with <code>gcloud app deploy --image-url=[LOCATION]-docker.pkg.dev/[PROJECT-ID]/[REPOSITORY]/[IMAGE]:[TAG]</code> </li> </ol> <p>You can always configure the App Engine runtime environment with an <code>app.yaml</code> file but the Dockerfile will be ignored in the deployment process</p> <p>I hope this could help some of you 😆</p> gcp appengine docker resourcelocation