Cloud Composer 3 | Cloud Composer 2 | Cloud Composer 1
Apache Airflow includes a web user interface called Airflow UI , which you can use to manage Airflow DAGs, view DAG run logs, monitor Airflow, and perform administrative actions.
About the Airflow web server
Each Cloud Composer environment has a web server that runs the Airflow UI. The web server is a part of Cloud Composer environment architecture .
Before you begin
-
You must have a role that can view Cloud Composer environments. For more information, see Access control .
-
During the environment creation, Cloud Composer configures the URL for the web server that runs the Airflow UI. The URL is non-customizable.
-
Cloud Composer 3 supports the Airflow UI Access Control (Airflow Role-Based Access Control) feature for the Airflow UI.
-
If the API Controls > Unconfigured third-party apps > Don't allow users to access any third-party appsoption is enabled in Google Workspace and the Apache Airflow in Cloud Composer app is not explicitly allowed, then users are not able to access the Airflow UI unless they explicitly allow the application. To allow access, perform steps provided in Allow access to Airflow UI in Google Workspace .
-
If Chrome Enterprise Premium Context-Aware Access bindings are used with access levels that rely on device attributes, and the Apache Airflow in Cloud Composer app is not exempted, then it's not possible to access the Airflow UI because of a login loop. To allow access, perform steps provided in Allow access to Airflow UI in Context-Aware Access bindings .
-
If ingress rules are configured in a VPC Service Controls perimeter that protects the project, and the ingress rule that allows access to the Cloud Composer service uses
ANY_SERVICE_ACCOUNTorANY_USER_ACCOUNTidentity type, then users can't access the Airflow UI, ending up in a login loop. For more information about addressing this scenario, see Allow access to Airflow UI in VPC Service Controls ingress rules . -
Cloud Composer doesn't support using third-party identities in ingress and egress rules to allow Apache Airflow UI operations. However, you can use the
ANY_IDENTITYidentity type in ingress and egress rules to allow access to all identities, including third-party identities. For more information about theANY_IDENTITYidentity type, see Ingress and egress rules .
Access the Airflow UI
In Cloud Composer 3, the Airflow web server runs in the tenant project of your environment
. The web server is
deployed to the composer.googleusercontent.com
domain and provides access to
the Airflow UI.
Cloud Composer 3 provides access to the interface based on user identities and IAM policy bindings defined for users.
Access the Airflow UI from the Google Cloud console
To access the Airflow UI from the Google Cloud console:
-
In the Google Cloud console, go to the Environmentspage.
-
In the Airflow webservercolumn, follow the Airflowlink for your environment.
-
Sign in with a Google Account that has the appropriate permissions.
Obtain the Airflow UI URL with Google Cloud CLI
You can access the Airflow UI from any web browser. To get the URL for the Airflow UI, run the following command in Google Cloud CLI:
gcloud
composer
environments
describe
ENVIRONMENT_NAME
\
--location
LOCATION
Replace the following:
-
ENVIRONMENT_NAME: the name of your environment. -
LOCATION: the region where the environment is located.
The Google Cloud CLI command shows the properties of a
Cloud Composer environment, including the URLs for the Airflow UI.
The URLs are listed as airflowUri
and airflowByoidUri
:
- The
airflowUriURL address is used by Google Accounts. - The
airflowByoidUriURL address is used by external identities if you configure Workforce identity federation in your project.
config
:
airflowUri
:
https://example-dot-us-central1.composer.googleusercontent.com
airflowByoidUri
:
https://example-dot-us-central1.composer.byoid.googleusercontent.com
Restart the web server
When debugging or troubleshooting Cloud Composer environments, some issues
may be resolved by restarting the Airflow web server. You can restart the web
server using the restartWebServer API
or the restart-web-server
command in Google Cloud CLI:
gcloud
composer
environments
restart-web-server
ENVIRONMENT_NAME
\
--location =
LOCATION
Replace the following:
-
ENVIRONMENT_NAME: the name of your environment. -
LOCATION: the region where the environment is located.
Configure web server network access
The Airflow web server access parameters don't depend on your environment's networking configuration. Instead, you configure web server access separately. For example, a Private IP environment can still have the Airflow UI accessible from the internet.
It's not possible to configure the allowed IP ranges to be private IP addresses.
Console
-
In the Google Cloud console, go to the Environmentspage.
-
In the list of environments, click the name of your environment. The Environment detailspage opens.
-
Go to the Environment configurationtab.
-
In the Network configurationsection, find the Web server access controlitem and click Edit.
-
In the Web server network access controldialog:
-
To provide access to the Airflow web server from all IP addresses, select Allow access from all IP addresses.
-
To restrict access only to specific IP ranges, select Allow access only from specific IP addresses. In the IP rangefield, specify an IP range in the CIDR notation. In the Descriptionfield, specify an optional description for this range. If you want to specify more than one range, click Add IP range.
-
To forbid access for all IP addresses, select Allow access only from specific IP addressesand click Delete itemnext to the empty range entry.
-
gcloud
When you update an environment, the following arguments control web server access parameters:
-
--web-server-allow-allprovides access to Airflow from all IP addresses. This is the default option. -
--update-web-server-allow-iprestricts access only to specific source IP ranges. To specify several IP ranges, use this argument multiple times. -
--web-server-deny-allforbids access for all IP addresses.
gcloud
composer
environments
update
ENVIRONMENT_NAME
\
--location
LOCATION
\
--update-web-server-allow-ip
ip_range
=
WS_IP_RANGE
,description =
WS_RANGE_DESCRIPTION
Replace the following:
-
ENVIRONMENT_NAME: the name of your environment. -
LOCATION: the region where the environment is located. -
WS_IP_RANGE: the IP range, in the CIDR notation, that can access the Airflow UI. -
WS_RANGE_DESCRIPTION: the description of the IP range.
Example:
gcloud
composer
environments
update
example-environment
\
--location
us-central1
\
--update-web-server-allow-ip
ip_range
=
192
.0.2.0/24,description =
"example range"
\
--update-web-server-allow-ip
ip_range
=
192
.0.4.0/24,description =
"example range 2"
API
-
Construct an [
environments.patch][api-patch] API request. -
In this request:
-
In the
updateMaskparameter, specify theconfig.webServerNetworkAccessControlmask. -
In the request body, specify how Airflow task logs must be saved:
-
To provide access to Airflow from all IP addresses, specify an empty
configelement (thewebServerNetworkAccessControlelement must not be present). -
To restrict access only to specific IP ranges, specify one or more ranges in
allowedIpRanges. -
To forbid access for all IP addresses, specify an empty
webServerNetworkAccessControlelement. ThewebServerNetworkAccessControlelement must be present, but must not contain anallowedIpRangeselement.
-
-
{
"config"
:
{
"webServerNetworkAccessControl"
:
{
"allowedIpRanges"
:
[
{
"value"
:
" WS_IP_RANGE
"
,
"description"
:
" WS_RANGE_DESCRIPTION
"
}
]
}
}
}
Replace the following:
-
WS_IP_RANGE: the IP range, in the CIDR notation, that can access the Airflow UI. -
WS_RANGE_DESCRIPTION: the description of the IP range.
Example:
// PATCH https://composer.googleapis.com/v1/projects/example-project/
// locations/us-central1/environments/example-environment?updateMask=
// config.webServerNetworkAccessControl
{
"config"
:
{
"webServerNetworkAccessControl"
:
{
"allowedIpRanges"
:
[
{
"value"
:
"192.0.2.0/24"
,
"description"
:
"example range"
},
{
"value"
:
"192.0.4.0/24"
,
"description"
:
"example range 2"
}
]
}
}
}
Terraform
In the allowed_ip_range
block, in the web_server_network_access_control
specify IP ranges that can access web server.
resource
"google_composer_environment"
"example"
{
provider
=
google-beta
name
=
" ENVIRONMENT_NAME
"
region
=
" LOCATION
"
config
{
web_server_network_access_control
{
allowed_ip_range
{
value
=
" WS_IP_RANGE
"
description
=
" WS_RANGE_DESCRIPTION
"
}
}
}
}
Replace the following:
-
WS_IP_RANGE: the IP range, in the CIDR notation, that can access the Airflow UI. -
WS_RANGE_DESCRIPTION: the description of the IP range.
Example:
resource
"google_composer_environment"
"example"
{
provider
=
google-beta
name
=
"example-environment"
region
=
"us-central1"
config
{
web_server_network_access_control
{
allowed_ip_range
{
value
=
"192.0.2.0/24"
description
=
"example range"
},
allowed_ip_range
{
value
=
"192.0.4.0/24"
description
=
"example range 2"
}
}
}
