Metadata-Version: 2.4
Name: dagster-authkit
Version: 0.2.0
Summary: Community Auth System for self-hosted Dagster OSS - RBAC, Audit Logging, and Session Management
Author-email: Demetrius Albuquerque <demetrius.albuquerque@yahoo.com.br>
License: Apache-2.0
Project-URL: Homepage, https://github.com/maltzsama/dagster-authkit
Project-URL: Repository, https://github.com/maltzsama/dagster-authkit
Project-URL: Issues, https://github.com/maltzsama/dagster-authkit/issues
Keywords: dagster,data-orchestration,data-pipeline,authentication,authorization,rbac,security,audit-logging,self-hosted,data-platform,data-engineering,devops,dagster-auth,access-control,session-management,data-governance
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Web Environment
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Database
Classifier: Topic :: Internet :: WWW/HTTP :: Session
Classifier: Topic :: Scientific/Engineering :: Information Analysis
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Systems Administration :: Authentication/Directory
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: dagster<2.0.0,>=1.10.0
Requires-Dist: dagster-webserver<2.0.0,>=1.10.0
Requires-Dist: starlette>=0.52.1
Requires-Dist: itsdangerous>=2.2.0
Requires-Dist: python-multipart>=0.0.22
Requires-Dist: peewee>=3.19.0
Requires-Dist: click>=8.0.0
Provides-Extra: sqlite
Requires-Dist: bcrypt>=5.0.0; extra == "sqlite"
Provides-Extra: postgresql
Requires-Dist: psycopg2-binary>=2.9.9; extra == "postgresql"
Requires-Dist: bcrypt>=5.0.0; extra == "postgresql"
Provides-Extra: mysql
Requires-Dist: mysql-connector-python>=8.0.33; extra == "mysql"
Requires-Dist: bcrypt>=5.0.0; extra == "mysql"
Provides-Extra: mariadb
Requires-Dist: mariadb>=1.1.8; extra == "mariadb"
Requires-Dist: bcrypt>=5.0.0; extra == "mariadb"
Provides-Extra: redis
Requires-Dist: redis>=7.1.0; extra == "redis"
Provides-Extra: ldap
Requires-Dist: ldap3>=2.9.0; extra == "ldap"
Provides-Extra: oauth
Requires-Dist: authlib>=1.2.0; extra == "oauth"
Requires-Dist: httpx>=0.24.0; extra == "oauth"
Provides-Extra: dev
Requires-Dist: pytest>=9.0.2; extra == "dev"
Requires-Dist: pytest-asyncio>=1.3.0; extra == "dev"
Requires-Dist: black>=26.1.0; extra == "dev"
Requires-Dist: ruff>=0.14.14; extra == "dev"
Provides-Extra: all
Requires-Dist: dagster-authkit[ldap,mariadb,mysql,oauth,postgresql,redis,sqlite]; extra == "all"
Dynamic: license-file

# 🛡️ Dagster AuthKit

<div align="center">

**Community authentication wrapper for self-hosted Dagster OSS.**

*Authentication, RBAC, and Audit logs for Dagster without touching internal code.*

</div>

---

## 🎯 What is this?

Dagster OSS has no auth. If you run it in a VPC or locally, anyone with the URL has full admin access.

**AuthKit solves this by wrapping the `dagster-webserver` command to add:**

* ✅ **Login Interface:** Simple username/password flow.
* ✅ **RBAC (4 Levels):** Granular control over who can do what.
* ✅ **Audit Logs:** JSON logs for monitoring who is doing what.
* ✅ **Multi-Backend:** Works with SQLite, Postgres, MySQL (via Peewee ORM) and Redis.

**No code changes required.** You don't touch your `repository.py` or `dagster.yaml`.

---

## 📂 Ready-to-Run Examples

Don't waste time configuring from scratch. We provide full Docker Compose stacks for different scenarios in the `examples/` directory.

```text
examples
├── ldap                # Active Directory integration (experimental)
│   ├── Makefile
│   ├── docker-compose.yml
│   └── ldap-bootstrap.ldif
├── postgresql_redis    # Recommended production setup
│   ├── Makefile
│   └── docker-compose.yml
└── quickstart-sqlite   # Simple local testing
    ├── Makefile
    └── docker-compose.yml
```

### How to run

Pick a scenario, go into the folder, and check the `Makefile`.

**1. Standard Setup (Postgres + Redis)**
The most robust configuration available right now.

```bash
cd examples/postgresql_redis
make up
# or
docker compose up --build
```

**2. Local Quickstart (SQLite)**
Zero dependencies, just Python. Good for kicking the tires.

```bash
cd examples/quickstart-sqlite
make up
```

**3. LDAP/AD Testing** ⚠️ **EXPERIMENTAL**
Spins up a local OpenLDAP server to simulate Active Directory.

```bash
cd examples/ldap
make up
```

---

## 🚀 Manual Installation (Python)

If you aren't using Docker, you can install via pip.

```bash
# Quote the requirement so shells such as zsh do not glob the [extras] brackets

# For local testing (SQLite)
pip install "dagster-authkit[sqlite]"

# For server usage (Postgres + Redis recommended)
pip install "dagster-authkit[postgresql,redis]"

# For LDAP/Active Directory integration (experimental)
pip install "dagster-authkit[ldap]"
```

**Usage:**

```bash
# Initialize the database and create the first admin
dagster-authkit init-db --with-admin

# Run Dagster (replaces the standard 'dagster-webserver' command)
dagster-authkit -f your_pipeline.py -h 0.0.0.0 -p 3000
```

---

## 🔐 Roles (RBAC)

We provide **4 levels** of access. Permissions are enforced via GraphQL query analysis.

| Role | Description |
| --- | --- |
| **Admin** | Full access. Can manage users, settings, and all pipelines. |
| **Editor** | Can modify assets and codebase (if allowed by deployment) and manage runs. |
| **Launcher** | Can **launch runs** and re-execute jobs, but **cannot** modify code/assets. |
| **Viewer** | Read-only. Can view runs and assets. GraphQL mutations are blocked. |

**How it works:** AuthKit analyzes GraphQL queries via regex to block unauthorized mutations based on user role.
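
A sketch of role-gated mutation filtering along the lines described above, as an added example rather than AuthKit's own code: it tokenizes the request with regexes and tracks nesting instead of matching the raw text, so comments, string literals, aliases and batched bodies are handled, and anything it cannot parse is denied. The `MIN_ROLE` mapping, the function names and the rule that unlisted mutations require admin are assumptions.

```python
import json
import re

# Role order follows the README table. MIN_ROLE is an assumed sample mapping,
# not AuthKit's real table; any mutation not listed requires admin.
ROLE_RANK = {"viewer": 0, "launcher": 1, "editor": 2, "admin": 3}
MIN_ROLE = {"launchRun": "launcher", "terminateRun": "launcher",
            "reloadRepositoryLocation": "editor"}

_NOISE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*')
_TOKEN = re.compile(r"\.\.\.|[_A-Za-z]\w*|[{}():]")


def mutation_fields(document: str) -> list[str]:
    """Return the top-level fields of every mutation in a GraphQL document."""
    tokens = _TOKEN.findall(_NOISE.sub(" ", document))  # drop strings/comments
    fields, depth, parens, kind = [], 0, 0, None
    for i, tok in enumerate(tokens):
        if tok in ("(", ")"):
            parens += 1 if tok == "(" else -1
        elif parens:                       # inside arguments or variable defaults
            continue
        elif tok == "{":
            kind, depth = kind or "query", depth + 1   # bare "{...}" is a query
        elif tok == "}":
            depth, kind = depth - 1, kind if depth > 1 else None
        elif depth == 0 and kind is None:
            kind = tok                     # only the first word sets the kind
        elif depth == 1 and kind == "mutation" and tok != ":":
            if tokens[i + 1:i + 2] != [":"]:   # alias: skip it, keep real name
                fields.append(tok)
        if depth < 0 or parens < 0:
            raise ValueError("unbalanced GraphQL document")
    if depth or parens:
        raise ValueError("unbalanced GraphQL document")
    return fields


def authorize(role: str, body: bytes) -> bool:
    """Allow a request body only if the role covers every mutation in it."""
    try:
        payload = json.loads(body)
        batch = payload if isinstance(payload, list) else [payload]
        needed = [f for item in batch for f in mutation_fields(item["query"])]
    except (ValueError, KeyError, TypeError):
        return False                       # unparseable request: fail closed
    rank = ROLE_RANK.get(role)
    return rank is not None and all(
        rank >= ROLE_RANK[MIN_ROLE.get(f, "admin")] for f in needed)
```

Fragment spreads and directives at the top level of a mutation are reported as unknown fields, so they fall through to the admin-only default.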

---

## 📦 Backends

Choose where to store users and sessions.

| Backend | Implementation | Status | Use Case |
| --- | --- | --- | --- |
| **SQLite** | Peewee ORM | **Functional** | Local / Simple. Single instance only. |
| **PostgreSQL** | Peewee + `psycopg2` | **Functional** | Server. Recommended for Docker/K8s. |
| **Redis** | Native `redis` | **Functional** | Session Storage. Avoids logout on restart. |
| **LDAP** | `ldap3` library | **Experimental** ⚠️ | Active Directory / OpenLDAP. Needs community testing. |

---

## 🛠️ CLI Management

Manage users directly from the shell. Useful for CI/CD or admin tasks.

```bash
# Create a new launcher
dagster-authkit add-user bob --role launcher

# Reset password
dagster-authkit change-password bob

# List everyone
dagster-authkit list-users
```

---

## 🔮 Roadmap & Community

This project belongs to the community.

**Current Priorities:**

1. **LDAP Validation:** The feature is implemented (`dagster_authkit/auth/backends/ldap.py`), but **we need the community to test it in real AD environments**.
2. **Keycloak Integration:** Support for external Identity Providers (IdP) via OIDC/Keycloak.
3. **Stability:** Improving GraphQL query analysis for better mutation detection.

**What we will NOT do:**

* Inject React code into Dagster UI (too brittle/hard to maintain).
* Complex enterprise features that belong in Dagster+.

---

## 🤝 Contributing

Found a bug? Want to add a feature?
Open a PR. If it works and keeps things simple, we'll merge it.

**Especially needed:** People with Active Directory experience to validate the LDAP backend.

---

## 📄 License

Apache 2.0 - see [LICENSE](LICENSE)

---

## 🙏 Credits

Built by [Demetrius Albuquerque](https://github.com/demetrius-mp) because self-hosting Dagster shouldn't mean no auth.

Inspired by the community's need for a middle ground between "no auth" and "pay for Dagster+".
