From dc24d87fe1c3bead75bef16a10daefe6ec0e9c03 Mon Sep 17 00:00:00 2001 From: Augustin Date: Thu, 13 Jan 2022 08:41:30 +0100 Subject: [PATCH] Documentation: high level suggestions on how to secure Airbyte (#9448) --- docs/operator-guides/securing-airbyte.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 docs/operator-guides/securing-airbyte.md diff --git a/docs/operator-guides/securing-airbyte.md b/docs/operator-guides/securing-airbyte.md new file mode 100644 index 000000000000..d1d7c3b3c02c --- /dev/null +++ b/docs/operator-guides/securing-airbyte.md @@ -0,0 +1,19 @@ +# Securing Airbyte access + +Airbyte, in its open-source version, does not support RBAC to manage access to the UI. + +However, multiple options exist for the operators to implement access control themselves. + +To secure access to Airbyte you have three options: +* Networking restrictions: deploy Airbyte in a private network or use a firewall to filter which IP is allowed to access your host. +* Put Airbyte behind a reverse proxy and handle the access control on the reverse proxy side. +* If you deployed Airbyte on a cloud provider: + * GCP: use the [Identidy-Aware proxy](https://cloud.google.com/iap) service + * AWS: use the [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html) service + +**Non exhaustive** online resources list to set up auth on your reverse proxy: +* [Configure HTTP Basic Auth on NGINX for Airbyte](https://shadabshaukat.medium.com/deploy-and-secure-airbyte-with-nginx-reverse-proxy-basic-authentication-lets-encrypt-ssl-72bee223a4d9) +* [Kubernetes: Basic auth on a Nginx ingress controller](https://kubernetes.github.io/ingress-nginx/examples/auth/basic/) +* [How to set up Okta SSO on an NGINX reverse proxy](https://developer.okta.com/blog/2018/08/28/nginx-auth-request) +* [How to enable HTTP Basic Auth on Caddy](https://caddyserver.com/docs/caddyfile/directives/basicauth) +* [SSO for Traefik](https://github.com/thomseddon/traefik-forward-auth)