Workflow Orchestration
REMOTE_USER
Zero-Day Shield

SSO + Zero-Day Protection for Apache Airflow

by Apache Software Foundation

Secure Apache Airflow with SAML/OIDC SSO — Protect Data Pipelines from Zero-Day Exploits

Why Apache Airflow Needs an Authenticated Proxy

Apache Airflow is the leading workflow orchestration platform for data engineering, powering ETL pipelines, ML workflows, and business process automation. Airflow DAGs execute with access to databases, APIs, cloud services, and internal systems via stored Connections and Variables. A compromised Airflow instance gives attackers the ability to execute arbitrary code via DAGs, read the stored credentials for databases and cloud services, and manipulate data pipeline results. OnePAM adds enterprise SSO to Airflow using its REMOTE_USER authentication backend: users authenticate through your corporate IdP, and OnePAM forwards the verified username to the Airflow webserver on every proxied request. Only users who have passed IdP authentication can reach the Airflow UI, trigger DAGs, or view Connection credentials.

HTTP Header Authentication
REMOTE_USER

Airflow supports REMOTE_USER authentication through Flask-AppBuilder's AUTH_REMOTE_USER mode. When configured, Airflow trusts the REMOTE_USER value that a trusted reverse proxy (or the WSGI server layer in front of it) places in the request environment and logs that user in without showing the Airflow login page. Because no password or token is checked at this point, the webserver must never be reachable except through the proxy that sets the value; otherwise any client that can connect directly can set REMOTE_USER itself and bypass authentication.

Apache Airflow Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

Airflow has had critical RCE vulnerabilities via DAG file injection and API endpoints
DAG execution enables arbitrary code execution on Airflow workers
Connections store database passwords, API keys, and cloud credentials
Variables and XComs can contain sensitive business data and secrets

Security Challenges with Apache Airflow

These are the risks organizations face when Apache Airflow is not behind an authenticated proxy.

Arbitrary Code Execution

Airflow DAGs execute Python code on workers. Malicious DAG creation or modification enables arbitrary command execution on your infrastructure.

Credential Storage

Airflow Connections store database passwords, API keys, AWS credentials, and other secrets needed by DAGs.

Data Pipeline Manipulation

Unauthorized DAG triggering or modification can alter data pipeline results, affecting downstream analytics and business decisions.

RCE Vulnerability History

Airflow has had critical RCE CVEs. Without a proxy layer, these provide direct access to DAG execution infrastructure.

Complex RBAC Configuration

Airflow's built-in RBAC with Flask-AppBuilder is complex to configure and maintain, especially with external IdP integration.

Variable and XCom Exposure

Airflow Variables and XCom data may contain business logic, configuration, and intermediate pipeline data.

How OnePAM Adds SSO + Zero-Day Protection to Apache Airflow

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Apache Airflow.

1

Deploy OnePAM as Airflow's Gateway

Place OnePAM in front of the Airflow webserver, intercepting all HTTP traffic.

Airflow's webserver is configured to accept connections only from OnePAM (network policy, firewall rule, or a listener bound to a private address). This isolation is what makes REMOTE_USER safe: the webserver accepts the forwarded identity without further verification, so any path that bypasses the proxy would also bypass authentication. The Airflow login page is never shown to end users.
2

Configure IdP Federation

Connect OnePAM to your SAML 2.0 or OIDC identity provider.

OnePAM handles authentication, MFA enforcement, and group membership retrieval from your IdP.
3

Enable REMOTE_USER Backend

Configure Airflow's remote_user authentication backend to trust OnePAM's REMOTE_USER header.

Set AUTH_TYPE = AUTH_REMOTE_USER in Airflow's webserver_config.py. Flask-AppBuilder then reads the authenticated username from REMOTE_USER in the WSGI request environment; a header sent by the proxy must be mapped into that environment variable (a plain HTTP header arrives as HTTP_REMOTE_USER, which is not consulted). Set AUTH_USER_REGISTRATION = True if first-time users should be created automatically, and keep AUTH_USER_REGISTRATION_ROLE at a low-privilege role such as Viewer.
4

Map DAG and Connection Access

IdP groups map to Airflow roles controlling DAG access, connection visibility, and admin operations.

Data engineers get DAG management access, analysts get read-only, and platform admins manage Connections, all driven by your IdP. Note that Flask-AppBuilder's stock REMOTE_USER mode only assigns AUTH_USER_REGISTRATION_ROLE on first login and does not read group information from the request; mapping IdP groups to Airflow roles requires a role-sync step or a custom security manager (SECURITY_MANAGER_CLASS in webserver_config.py).
5

Audit Pipeline Operations

Every Airflow operation is logged with corporate identity context for compliance.

OnePAM logs who triggered which DAG, who viewed connections, and who modified variables, with optional session recording.
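The REMOTE_USER handoff described above (the HTTP Header Authentication section and step 3) depends on two details that are easy to get wrong: Flask-AppBuilder reads the identity from the WSGI environment, not from an HTTP header, and the value must only be honoured when the request actually came from the proxy. The following is an added example, not OnePAM's or Airflow's own code, showing a WSGI middleware that performs the mapping safely. It assumes the proxy sends the verified username in an X-Remote-User header (header name assumed) and that the proxy's source addresses fall in 10.0.0.0/8 (assumed); both are placeholders to replace with your deployment's values.

```python
"""
REMOTE_USER handoff for Airflow's Flask-AppBuilder auth (added example).

Not OnePAM's or Airflow's code. Assumptions (labelled):
  * the proxy sends the verified username in an X-Remote-User header
    (header name assumed), which WSGI servers expose as HTTP_X_REMOTE_USER;
  * the proxy's egress addresses are in 10.0.0.0/8 (assumed).
"""
import ipaddress
from typing import Callable, Iterable, Optional

# Assumed proxy address range; tighten to the exact proxy IPs in production.
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.0/8"),)
# WSGI environ key for the assumed X-Remote-User header.
IDENTITY_HEADER = "HTTP_X_REMOTE_USER"


def proxy_is_trusted(remote_addr: str, trusted=TRUSTED_PROXIES) -> bool:
    """True only if the TCP peer is inside one of the trusted proxy networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


class TrustedProxyRemoteUser:
    """WSGI middleware: copy the proxy's identity header into environ['REMOTE_USER'].

    Flask-AppBuilder's AUTH_REMOTE_USER reads request.environ['REMOTE_USER'],
    not an HTTP header, so something must perform this copy. Doing it only for
    connections from the trusted proxy means a client that reaches the
    webserver directly and supplies its own header is not logged in.
    """

    def __init__(self, app: Callable, trusted=TRUSTED_PROXIES,
                 header: str = IDENTITY_HEADER):
        self.app = app
        self.trusted = trusted
        self.header = header

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        # Discard any identity the server layer or an untrusted client supplied.
        environ.pop("REMOTE_USER", None)
        identity = environ.pop(self.header, None)
        if identity and proxy_is_trusted(environ.get("REMOTE_ADDR", ""), self.trusted):
            environ["REMOTE_USER"] = identity.strip()
        return self.app(environ, start_response)


def resolve_identity(environ: dict) -> Optional[str]:
    """Run one request through the middleware; return the identity the app saw."""
    seen = {}

    def downstream(env, start_response):
        seen["user"] = env.get("REMOTE_USER")
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    TrustedProxyRemoteUser(downstream)(dict(environ), lambda *args: None)
    return seen["user"]


# webserver_config.py side (Airflow 2.x with Flask-AppBuilder):
#   from flask_appbuilder.security.manager import AUTH_REMOTE_USER
#   AUTH_TYPE = AUTH_REMOTE_USER
#   AUTH_USER_REGISTRATION = True           # create the user on first login
#   AUTH_USER_REGISTRATION_ROLE = "Viewer"  # least privilege until roles are synced
# The middleware must wrap Airflow's WSGI app in whatever entry point your
# deployment uses to start the webserver, e.g. app.wsgi_app =
# TrustedProxyRemoteUser(app.wsgi_app) on the object returned by
# airflow.www.app.cached_app(); that wiring is deployment-specific (assumed).

if __name__ == "__main__":
    # Constructed requests: one from the proxy, one spoofed from elsewhere.
    print(resolve_identity({"REMOTE_ADDR": "10.20.0.5", "HTTP_X_REMOTE_USER": "alice"}))  # alice
    print(resolve_identity({"REMOTE_ADDR": "203.0.113.9", "HTTP_X_REMOTE_USER": "alice"}))  # None
```

The middleware pops the identity header before calling the application, so nothing downstream can read a client-supplied header by mistake, and it clears any pre-existing REMOTE_USER so a misconfigured server layer cannot pre-authenticate a request. Network isolation of the webserver (step 1) remains the primary control; the source-address check here is defence in depth, not a substitute.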

Benefits of Securing Apache Airflow with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Apache Airflow.

Protect Data Pipelines

Only authenticated users can trigger DAGs, view connections, or modify pipeline configuration.

Zero unauthorized DAG execution

Shield Stored Credentials

Database passwords and API keys in Airflow Connections are protected behind identity-verified access.

Credential theft via unauthenticated access prevented

Block Airflow RCE CVEs

Pre-authentication remote code execution vulnerabilities in the Airflow webserver and REST API cannot be reached when OnePAM is the only network path to Airflow and drops all unauthenticated traffic. Vulnerabilities exploitable by an already authenticated user, or through DAG files pulled from source control, are not covered by the proxy and still require patching.

Pre-auth CVEs blocked at proxy layer

Simplify Airflow Auth

Replace complex Flask-AppBuilder RBAC configuration with simple REMOTE_USER proxy authentication.

90% simpler auth config

MFA for Pipeline Execution

Require MFA before triggering production data pipelines or accessing sensitive connections.

MFA-gated pipeline execution

Complete Pipeline Audit

Every DAG trigger, connection access, and variable change is logged with corporate identity.

Full pipeline audit trail

Apache Airflow SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Apache Airflow.

SAML 2.0 & OIDC SSO via Airflow REMOTE_USER backend
DAG-level access policies from IdP groups
Connection credential visibility controls
DAG trigger authorization policies
Session recording for pipeline operations
IP and geo-restriction for Airflow access
Device trust verification
API access policies for Airflow REST API
Variable and Pool management controls
Multi-Airflow instance SSO support

Zero-Day Protection Features

Enterprise-grade security controls that shield Apache Airflow from exploitation.

Airflow webserver isolated from direct access
End-to-end TLS encryption
Request-level identity verification
Protection against pre-authentication Airflow RCE vulnerabilities
Connection credential access auditing
Automatic session termination on IdP sign-out

Apache Airflow SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Apache Airflow.

1
Data engineering teams managing DAGs via corporate SSO with MFA
2
Data analysts viewing pipeline status with read-only access
3
Platform teams managing Airflow connections with step-up authentication
4
Compliance officers auditing data pipeline operations with session recording
5
Restricting production DAG triggering to authorized data engineers
6
Protecting Airflow from network-based RCE exploitation

Apache Airflow SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Apache Airflow.

Does OnePAM work with Airflow's Flask-AppBuilder RBAC?

Yes. OnePAM handles authentication via REMOTE_USER, and Airflow's built-in RBAC handles authorization. IdP groups can be mapped to Airflow roles for centralized permission management.

Can the Airflow REST API still be used for automation?

Yes. OnePAM supports path-based policies. Automated API calls can use API tokens while interactive web sessions require full SSO authentication.

Does OnePAM affect Airflow scheduler or worker communication?

No. OnePAM only protects the Airflow webserver (UI and API). Scheduler-to-worker and scheduler-to-database communication is internal and unaffected.

Which Airflow versions are supported?

OnePAM works with Airflow 2.x and later releases that support the Flask-AppBuilder REMOTE_USER authentication backend. Both standalone and Kubernetes-deployed Airflow are supported.

Can we restrict who can view Airflow Connections?

Yes. OnePAM passes IdP group memberships that map to Airflow roles. The Admin role can be restricted to specific IdP groups, controlling who can view and manage Connections.

Ready to Secure Apache Airflow with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Apache Airflow code changes required. Start your free 14-day trial today.