Community Auth System for self-hosted Dagster OSS - RBAC, Audit Logging, and Session Management
Project description
Dagster AuthKit
Community authentication wrapper for self-hosted Dagster OSS.
Authentication, RBAC, and Audit logs for Dagster without touching internal code.
What is this?
Dagster OSS has no auth. If you run it in a VPC or locally, anyone with the URL has full admin access.
AuthKit solves this by wrapping the dagster-webserver command to add:
- Login Interface: Simple username/password flow.
- RBAC (4 Levels): Granular control over who can do what.
- Audit Logs: JSON logs for monitoring who is doing what.
- Multi-Backend: Works with SQLite, Postgres, MySQL (via Peewee ORM) and Redis.
No code changes required. You don't touch your repository.py or dagster.yaml.
What's New in v0.3.0
Proxy Authentication Mode
Delegate authentication to enterprise identity providers via reverse proxy:
- Authelia integration with complete examples
- Caddy reverse proxy with built-in forward_auth directive
- Traefik forward auth support
- Header-based user extraction (Remote-User, Remote-Groups)
- Smart group parser that handles JSON, LDAP DNs, CSV, and mixed formats
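One way to handle the Remote-User / Remote-Groups headers and the group formats listed above, as an added sketch that is not dagster-authkit's own code. The trusted proxy subnet, the directory group names and the function names are assumptions; the point is that header-based identity is only honoured when the request arrives from the reverse proxy, and that an unmapped or malformed group list grants nothing.

```python
import ipaddress
import json
import re

# Assumptions for this sketch (none of these values come from the project):
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # subnet of the reverse proxy
GROUP_TO_ROLE = {  # hypothetical directory group names -> the page's four roles
    "dagster-admins": "admin", "dagster-editors": "editor",
    "dagster-launchers": "launcher", "dagster-viewers": "viewer",
}
ROLE_ORDER = ["viewer", "launcher", "editor", "admin"]  # least to most privileged


def parse_groups(raw):
    """Normalise a Remote-Groups value (JSON list, LDAP DNs, CSV or a mix)."""
    raw = (raw or "").strip()
    if raw.startswith("["):
        try:
            items = [i for i in json.loads(raw) if isinstance(i, str)]
        except ValueError:
            return set()  # malformed JSON grants nothing
    else:
        items = [raw]
    groups = set()
    for item in items:
        for part in re.split(r"[,;|]", item):
            key, sep, value = part.strip().partition("=")
            if not sep:
                groups.add(key.lower())  # plain group name
            elif key.strip().lower() == "cn":
                groups.add(value.strip().lower())  # keep the CN of a DN
            # ou=, dc= and other DN components carry no group name: dropped
    groups.discard("")
    return groups


def identity_from_headers(peer_ip, headers):
    """Return (user, role), or None when the request must not be trusted."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None  # headers set by anyone but the proxy are ignored
    user = headers.get("Remote-User", "").strip()
    groups = parse_groups(headers.get("Remote-Groups"))
    roles = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]
    if not user or not roles:
        return None  # no user or no mapped group: fail closed
    return user, max(roles, key=ROLE_ORDER.index)
```

The same effect can be had at the network layer by binding the webserver so that only the proxy can reach it; escaped commas inside DNs are not handled by this sketch.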
Kubernetes Deployment
Full example stack for Minikube including:
- OpenLDAP with pre-seeded users and RBAC groups
- Authelia configured with LDAP backend
- Caddy as reverse proxy with TLS termination
- Dagster-AuthKit in proxy mode
- Step-by-step Makefile with minikube tunnel support
Core Improvements
- GraphQL parsing: Replaced fragile regex with official AST parser (graphql-core)
- Redis hardening: Atomic operations, proper session revocation, URL validation
- Code organization: All UI templates centralized in utils/templates.py
- Observability: RBAC decision tracking via metrics endpoint
Ready-to-Run Examples
We provide ready-to-use stacks for different scenarios in the examples/ directory:
examples
├── authelia            # NEW! Authelia + Caddy + LDAP SSO (Docker)
│   ├── Makefile
│   ├── docker-compose.yml
│   ├── Caddyfile
│   └── authelia/
├── kubernetes          # NEW! Minikube deployment
│   ├── Makefile
│   └── k8s/
├── ldap                # Active Directory integration (**Experimental**)
│   ├── Makefile
│   ├── docker-compose.yml
│   └── ldap-bootstrap.ldif
├── postgresql_redis    # Recommended production setup
│   ├── Makefile
│   └── docker-compose.yml
└── quickstart-sqlite   # Simple local testing
    ├── Makefile
    └── docker-compose.yml
How to run
Pick a scenario, go into the folder, and check the Makefile.
1. Authelia SSO (Docker)
Complete SSO with Authelia, Caddy, and OpenLDAP:
cd examples/authelia
make up
# Access: https://auth.company.com (admin/password123)
# Then: https://dagster.company.com
2. Kubernetes (Minikube)
Same stack running on Kubernetes:
cd examples/kubernetes
make build # Build the Docker image inside Minikube
make up # Deploy everything
# In another terminal: make connect (runs minikube tunnel)
# Add to /etc/hosts: $(minikube ip) auth.company.com dagster.company.com
3. Standard Setup (Postgres + Redis)
cd examples/postgresql_redis
make up
4. Local Quickstart (SQLite)
cd examples/quickstart-sqlite
make up
5. LDAP/AD Testing (EXPERIMENTAL)
cd examples/ldap
make up
Manual Installation (Python)
If you aren't using Docker, you can install via pip.
# For local testing (SQLite)
pip install dagster-authkit[sqlite]
# For server usage (Postgres + Redis recommended)
pip install dagster-authkit[postgresql,redis]
# For LDAP/Active Directory integration (**Experimental**)
pip install dagster-authkit[ldap]
Usage:
# Initialize the database and create the first admin
dagster-authkit init-db --with-admin
# Run Dagster (replaces the standard 'dagster-webserver' command)
dagster-authkit -f your_pipeline.py -h 0.0.0.0 -p 3000
# For proxy mode (Authelia/OAuth2 Proxy)
export DAGSTER_AUTH_BACKEND=proxy
export DAGSTER_AUTH_PROXY_LOGIN_URL=https://auth.yourcompany.com
dagster-authkit -f your_pipeline.py -h 0.0.0.0 -p 3000
Roles (RBAC)
We provide 4 levels of access. Permissions are enforced via GraphQL query analysis.
| Role | Description |
|---|---|
| Admin | Full access. Can manage users, settings, and all pipelines. |
| Editor | Can modify assets and codebase (if allowed) and manage runs. |
| Launcher | Can launch runs and re-execute jobs, but cannot modify code/assets. |
| Viewer | Read-only. Can view runs and assets. GraphQL mutations are blocked. |
How it works: AuthKit analyzes GraphQL queries using the official GraphQL parser to accurately identify mutations and block unauthorized actions.
Backends
| Backend | Implementation | Status | Use Case |
|---|---|---|---|
| SQLite | Peewee ORM | Stable | Local / Simple. Single instance only. |
| PostgreSQL | Peewee + psycopg2 | Stable | Production. Recommended for Docker/K8s. |
| MySQL/MariaDB | Peewee + mysql-connector | Stable | Production. |
| Redis | Native redis | Stable | Session Storage + Distributed Rate Limiting. |
| LDAP | ldap3 library | Experimental | Active Directory / OpenLDAP. Community maintained. |
| Proxy | Header-based | Stable | Authelia, OAuth2 Proxy, Traefik, Caddy. |
| OpenID Connect | Header-based | Experimental | AuthKit supports OIDC providers (Google, GitHub, Okta, Keycloak) via Authelia |
CLI Management
Manage users directly from the shell. Useful for CI/CD or admin tasks.
# Create a new launcher
dagster-authkit add-user bob --role launcher
# Reset password
dagster-authkit change-password bob
# List everyone
dagster-authkit list-users
# View RBAC permissions matrix
dagster-authkit list-permissions
Roadmap
Current (v0.3.0)
- Username/password auth (bcrypt)
- 4-level RBAC (ADMIN/EDITOR/LAUNCHER/VIEWER)
- SQLite, PostgreSQL, MySQL, Redis support
- GraphQL mutation blocking with official AST parser
- LDAP backend (experimental)
- Proxy authentication (Authelia, Caddy, Traefik)
- Kubernetes example with full SSO stack
- Redis session revocation and rate limiting
- Centralized UI templates
Next
- Improved GraphQL query analysis
- Helm chart for Kubernetes deployments
- OpenID Connect support (via proxy mode)
What we will NOT do:
- Inject React code into Dagster UI (too brittle)
- Complex enterprise features (that's what Dagster+ is for)
Contributing
Found a bug? Want to add a feature? Open a PR. If it works and keeps things simple, we'll merge it.
Especially needed:
- People with Active Directory experience to validate the LDAP backend
- Testing on different Dagster versions
- Helm chart contributions
License
Apache 2.0 - see LICENSE
Credits
Built by Demetrius Albuquerque because self-hosting Dagster shouldn't mean no auth.
Inspired by the community's need for a middle ground between "no auth" and "pay for Dagster+".
File details
Details for the file dagster_authkit-0.3.0.tar.gz.
File metadata
- Download URL: dagster_authkit-0.3.0.tar.gz
- Upload date:
- Size: 56.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 830df35f31db7b151eb3f646a8cb07b50912119833c7a8de8d0fe77ab6aec388 |
| MD5 | 58262516ce6c7af8826446e1aef59419 |
| BLAKE2b-256 | 6538f1e10944ae6c227d6e9e5b32965e303f1cea473baebd4f976a098c8805fb |
File details
Details for the file dagster_authkit-0.3.0-py3-none-any.whl.
File metadata
- Download URL: dagster_authkit-0.3.0-py3-none-any.whl
- Upload date:
- Size: 63.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 696eaaeb944708df7b22e412942fc465e93ee5191c8e4a8986819c7202e34c38 |
| MD5 | 21e7ee532940a3cf8d415be489a06de2 |
| BLAKE2b-256 | 4c3da0232488d6534dfeffb735fa7deaad0f7722da1ac59d23c733a6f7795c94 |