Community authentication wrapper for self-hosted Dagster OSS.
Authentication, RBAC, and Audit logs for Dagster without touching internal code.
Dagster OSS has no auth. If you run it in a VPC or locally, anyone with the URL has full admin access.
AuthKit solves this by wrapping the dagster-webserver command to add:
- Login Interface: Simple username/password flow.
- RBAC (4 Levels): Granular control over who can do what.
- Audit Logs: JSON logs for monitoring who is doing what.
- Multi-Backend: Works with SQLite, Postgres, MySQL (via Peewee ORM) and Redis.
No code changes required. You don't touch your repository.py or dagster.yaml.
Delegate authentication to enterprise identity providers via reverse proxy:
- Authelia integration with complete examples
- Caddy reverse proxy with the built-in `forward_auth` directive
- Traefik forward auth support
- Header-based user extraction (`Remote-User`, `Remote-Groups`)
- Smart group parser that handles JSON, LDAP DNs, CSV, and mixed formats
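Added example (not Dagster-AuthKit's own code) of what the header-based extraction and group parsing in proxy mode have to cope with: the same `Remote-Groups` header can arrive as a JSON array, as LDAP DNs, as CSV, or mixed, and a missing `Remote-User` or an unknown group must fail closed. The group names and the group-to-role mapping are assumptions for illustration.

```python
import json
import re
from typing import Dict, List, Optional

# Assumed mapping from proxy group to AuthKit role (not the project's real config).
GROUP_TO_ROLE = [("dagster-admins", "admin"), ("dagster-editors", "editor"),
                 ("dagster-launchers", "launcher"), ("dagster-viewers", "viewer")]
RANK = {"admin": 3, "editor": 2, "launcher": 1, "viewer": 0}

# One DN component such as "cn=dagster-admins" or "ou=groups".
DN_ATTR = re.compile(r"^\s*(cn|ou|dc|o|l|c|uid)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def _names_from_text(raw: str) -> List[str]:
    """Split CSV / ';'-separated text; keep cn= values of DNs, drop other DN parts."""
    names = []
    for token in re.split(r"[;,]", raw):
        match = DN_ATTR.match(token)
        if match:
            if match.group(1).lower() == "cn":
                names.append(match.group(2))
            continue  # ou=, dc=, ... are DN structure, not group names
        if token.strip():
            names.append(token.strip())
    return names


def parse_groups(raw: str) -> List[str]:
    """Normalise a Remote-Groups value to unique, lowercase group names."""
    raw = raw.strip()
    candidates: List[str] = []
    if raw.startswith("["):  # JSON array; its elements may themselves be DNs
        try:
            decoded = json.loads(raw)
            candidates = [str(x) for x in decoded] if isinstance(decoded, list) else []
        except ValueError:
            candidates = []
    if not candidates:
        candidates = [raw]
    unique: List[str] = []
    for candidate in candidates:
        for name in _names_from_text(candidate):
            if name.lower() not in unique:
                unique.append(name.lower())
    return unique


def role_for(headers: Dict[str, str]) -> Optional[str]:
    """Highest role granted by the forwarded groups; None = unauthenticated or no role."""
    if not headers.get("Remote-User", "").strip():
        return None
    groups = set(parse_groups(headers.get("Remote-Groups", "")))
    best: Optional[str] = None
    for group, role in GROUP_TO_ROLE:
        if group in groups and (best is None or RANK[role] > RANK[best]):
            best = role
    return best  # unknown groups grant nothing rather than a default role
```

Because this code trusts the headers completely, it is only safe when the reverse proxy strips any client-supplied `Remote-User` / `Remote-Groups` before forwarding, which is the contract proxy mode relies on.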
Full example stack for Minikube including:
- OpenLDAP with pre-seeded users and RBAC groups
- Authelia configured with LDAP backend
- Caddy as reverse proxy with TLS termination
- Dagster-AuthKit in proxy mode
- Step-by-step Makefile with `minikube tunnel` support
- GraphQL parsing: Replaced fragile regex with the official AST parser (`graphql-core`)
- Redis hardening: Atomic operations, proper session revocation, URL validation
- Code organization: All UI templates centralized in `utils/templates.py`
- Observability: RBAC decision tracking via metrics endpoint
We provide ready-to-use stacks for different scenarios in the examples/ directory:

```
examples
├── authelia            # NEW! Authelia + Caddy + LDAP SSO (Docker)
│   ├── Makefile
│   ├── docker-compose.yml
│   ├── Caddyfile
│   └── authelia/
├── kubernetes          # NEW! Minikube deployment
│   ├── Makefile
│   └── k8s/
├── ldap                # Active Directory integration (Experimental)
│   ├── Makefile
│   ├── docker-compose.yml
│   └── ldap-bootstrap.ldif
├── postgresql_redis    # Recommended production setup
│   ├── Makefile
│   └── docker-compose.yml
└── quickstart-sqlite   # Simple local testing
    ├── Makefile
    └── docker-compose.yml
```

Pick a scenario, go into the folder, and check the Makefile.
1. Authelia SSO (Docker). Complete SSO with Authelia, Caddy, and OpenLDAP:

```bash
cd examples/authelia
make up
# Access: https://auth.company.com (admin/password123)
# Then: https://dagster.company.com
```

2. Kubernetes (Minikube). Same stack running on Kubernetes:

```bash
cd examples/kubernetes
make build   # Build the Docker image inside Minikube
make up      # Deploy everything
# In another terminal: make connect (runs minikube tunnel)
# Add to /etc/hosts: $(minikube ip) auth.company.com dagster.company.com
```

3. Standard Setup (Postgres + Redis):

```bash
cd examples/postgresql_redis
make up
```

4. Local Quickstart (SQLite):

```bash
cd examples/quickstart-sqlite
make up
```

5. LDAP/AD Testing:

```bash
cd examples/ldap
make up
```

If you aren't using Docker, you can install via pip.
```bash
# For local testing (SQLite)
pip install dagster-authkit[sqlite]
# For server usage (Postgres + Redis recommended)
pip install dagster-authkit[postgresql,redis]
# For LDAP/Active Directory integration (Experimental)
pip install dagster-authkit[ldap]
```

Usage:

```bash
# Initialize the database and create the first admin
dagster-authkit init-db --with-admin
# Run Dagster (replaces the standard 'dagster-webserver' command)
dagster-authkit -f your_pipeline.py -h 0.0.0.0 -p 3000
# For proxy mode (Authelia/OAuth2 Proxy)
export DAGSTER_AUTH_BACKEND=proxy
export DAGSTER_AUTH_PROXY_LOGIN_URL=https://auth.yourcompany.com
dagster-authkit -f your_pipeline.py -h 0.0.0.0 -p 3000
```

We provide 4 levels of access. Permissions are enforced via GraphQL query analysis.
| Role | Description |
|---|---|
| Admin | Full access. Can manage users, settings, and all pipelines. |
| Editor | Can modify assets and codebase (if allowed) and manage runs. |
| Launcher | Can launch runs and re-execute jobs, but cannot modify code/assets. |
| Viewer | Read-only. Can view runs and assets. GraphQL mutations are blocked. |
How it works: AuthKit analyzes GraphQL queries using the official GraphQL parser to accurately identify mutations and block unauthorized actions.
| Backend | Implementation | Status | Use Case |
|---|---|---|---|
| SQLite | Peewee ORM | Stable | Local / Simple. Single instance only. |
| PostgreSQL | Peewee + psycopg2 | Stable | Production. Recommended for Docker/K8s. |
| MySQL/MariaDB | Peewee + mysql-connector | Stable | Production. |
| Redis | Native redis | Stable | Session Storage + Distributed Rate Limiting. |
| LDAP | ldap3 library | Experimental | Active Directory / OpenLDAP. Community maintained. |
| Proxy | Header-based | Stable | Authelia, OAuth2 Proxy, Traefik, Caddy. |
| OpenID Connect | Header-based | Experimental | OIDC providers (Google, GitHub, Okta, Keycloak) via Authelia. |
Manage users directly from the shell. Useful for CI/CD or admin tasks.

```bash
# Create a new launcher
dagster-authkit add-user bob --role launcher
# Reset password
dagster-authkit change-password bob
# List everyone
dagster-authkit list-users
# View RBAC permissions matrix
dagster-authkit list-permissions
```

- [x] Username/password auth (bcrypt)
- [x] 4-level RBAC (ADMIN/EDITOR/LAUNCHER/VIEWER)
- [x] SQLite, PostgreSQL, MySQL, Redis support
- [x] GraphQL mutation blocking with official AST parser
- [x] LDAP backend (experimental)
- [x] Proxy authentication (Authelia, Caddy, Traefik)
- [x] Kubernetes example with full SSO stack
- [x] Redis session revocation and rate limiting
- [x] Centralized UI templates
- [ ] Improved GraphQL query analysis
- [ ] Helm chart for Kubernetes deployments
- [ ] OpenID Connect support (via proxy mode)
What we will NOT do:
- Inject React code into Dagster UI (too brittle)
- Complex enterprise features (that's what Dagster+ is for)
Found a bug? Want to add a feature? Open a PR. If it works and keeps things simple, we'll merge it.
Especially needed:
- People with Active Directory experience to validate the LDAP backend
- Testing on different Dagster versions
- Helm chart contributions
Apache 2.0 - see LICENSE
Built by Demetrius Albuquerque because self-hosting Dagster shouldn't mean no auth.
Inspired by the community's need for a middle ground between "no auth" and "pay for Dagster+".