Community Auth System for self-hosted Dagster OSS - RBAC, Audit Logging, and Session Management
Project description
🛡️ Dagster AuthKit
Community authentication wrapper for self-hosted Dagster OSS.
Authentication, RBAC, and Audit logs for Dagster without touching internal code.
🎯 What is this?
Dagster OSS has no auth. If you run it in a VPC or locally, anyone with the URL has full admin access.
AuthKit solves this by wrapping the dagster-webserver command to add:
- ✅ Login Interface: Simple username/password flow.
- ✅ RBAC (4 Levels): Granular control over who can do what.
- ✅ Audit Logs: JSON logs for monitoring who is doing what.
- ✅ Multi-Backend: Works with SQLite, Postgres, MySQL (via Peewee ORM) and Redis.
No code changes required. You don't touch your repository.py or dagster.yaml.
📂 Ready-to-Run Examples
Don't waste time configuring from scratch. We provide full Docker Compose stacks for different scenarios in the examples/ directory.
examples
├── ldap # Active Directory integration (**Experimental**)
│ ├── Makefile
│ ├── docker-compose.yml
│ └── ldap-bootstrap.ldif
├── postgresql_redis # Recommended production setup
│ ├── Makefile
│ └── docker-compose.yml
└── quickstart-sqlite # Simple local testing
├── Makefile
└── docker-compose.yml
How to run
Pick a scenario, go into the folder, and check the Makefile.
1. Standard Setup (Postgres + Redis) The most robust configuration available right now.
cd examples/postgresql_redis
make up
# or
docker compose up --build
2. Local Quickstart (SQLite) Zero dependencies, just Python. Good for kicking the tires.
cd examples/quickstart-sqlite
make up
3. LDAP/AD Testing ⚠️ EXPERIMENTAL Spins up a local OpenLDAP server to simulate Active Directory.
cd examples/ldap
make up
🚀 Manual Installation (Python)
If you aren't using Docker, you can install via pip.
# For local testing (SQLite)
pip install dagster-authkit[sqlite]
# For server usage (Postgres + Redis recommended)
pip install dagster-authkit[postgresql,redis]
# For LDAP/Active Directory integration (**Experimental**)
pip install dagster-authkit[ldap]
Usage:
# Initialize the database and create the first admin
dagster-authkit init-db --with-admin
# Run Dagster (replaces the standard 'dagster-webserver' command)
dagster-authkit -f your_pipeline.py -h 0.0.0.0 -p 3000
🔐 Roles (RBAC)
We provide 4 levels of access. Permissions are enforced via GraphQL query analysis.
| Role | Description |
|---|---|
| Admin | Full access. Can manage users, settings, and all pipelines. |
| Editor | Can modify assets and codebase (if allowed by deployment) and manage runs. |
| Launcher | Can launch runs and re-execute jobs, but cannot modify code/assets. |
| Viewer | Read-only. Can view runs and assets. GraphQL mutations are blocked. |
How it works: AuthKit analyzes GraphQL queries via regex to block unauthorized mutations based on user role.
📦 Backends
Choose where to store users and sessions.
| Backend | Implementation | Status | Use Case |
|---|---|---|---|
| SQLite | Peewee ORM | Functional | Local / Simple. Single instance only. |
| PostgreSQL | Peewee + psycopg2 |
Functional | Server. Recommended for Docker/K8s. |
| Redis | Native redis |
Functional | Session Storage. Avoids logout on restart. |
| LDAP | ldap3 library |
Experimental ⚠️ | Active Directory / OpenLDAP. Needs community testing. |
🛠️ CLI Management
Manage users directly from the shell. Useful for CI/CD or admin tasks.
# Create a new launcher
dagster-authkit add-user bob --role launcher
# Reset password
dagster-authkit change-password bob
# List everyone
dagster-authkit list-users
🔮 Roadmap & Community
This project belongs to the community.
Current Priorities:
- LDAP Validation: The feature is implemented (
dagster_authkit/auth/backends/ldap.py), but we need the community to test it in real AD environments. - Keycloak Integration: Support for external Identity Providers (IdP) via OIDC/Keycloak.
- Stability: Improving GraphQL query analysis for better mutation detection.
What we will NOT do:
- Inject React code into Dagster UI (too brittle/hard to maintain).
- Complex enterprise features that belong in Dagster+.
🤝 Contributing
Found a bug? Want to add a feature? Open a PR. If it works and keeps things simple, we'll merge it.
Especially needed: People with Active Directory experience to validate the LDAP backend.
📄 License
Apache 2.0 - see LICENSE
🙏 Credits
Built by Demetrius Albuquerque because self-hosting Dagster shouldn't mean no auth.
Inspired by the community's need for a middle ground between "no auth" and "pay for Dagster+".
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file dagster_authkit-0.2.0.tar.gz.
File metadata
- Download URL: dagster_authkit-0.2.0.tar.gz
- Upload date:
- Size: 50.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.26 {"installer":{"name":"uv","version":"0.9.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3180fe43dfa72bb237f6c1121119acc6d36241b817ce70c26ff49269f82f7781
|
|
| MD5 |
9b8225010e899962dc2b30a7f7d6b8a0
|
|
| BLAKE2b-256 |
27da744065d45c840d16c1e67fb00c5aa24086ccd98fa1ee2603d93706ed3988
|
File details
Details for the file dagster_authkit-0.2.0-py3-none-any.whl.
File metadata
- Download URL: dagster_authkit-0.2.0-py3-none-any.whl
- Upload date:
- Size: 56.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.26 {"installer":{"name":"uv","version":"0.9.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d8fc5bea47e6caabdcae59b14e6d5eae88ae8998bd0c33fcab90d9aee5cb4ee2
|
|
| MD5 |
c1eaac200355e908adb6d1496e9fac09
|
|
| BLAKE2b-256 |
d7aecb2936247573de43eec4e47958f9a65fdfd34576ddbd1dfa0a150dca5a55
|
