Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id C6529200B75 for ; Sun, 4 Sep 2016 15:13:48 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id C4CE6160AB0; Sun, 4 Sep 2016 13:13:48 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 16D4B160AA9 for ; Sun, 4 Sep 2016 15:13:47 +0200 (CEST) Received: (qmail 54633 invoked by uid 500); 4 Sep 2016 13:13:47 -0000 Mailing-List: contact commits-help@airflow.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@airflow.incubator.apache.org Delivered-To: mailing list commits@airflow.incubator.apache.org Received: (qmail 54624 invoked by uid 99); 4 Sep 2016 13:13:47 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 04 Sep 2016 13:13:47 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 78A32C00F9 for ; Sun, 4 Sep 2016 13:13:46 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -3.739 X-Spam-Level: X-Spam-Status: No, score=-3.739 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.519] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id 9HjEU2sy0fZ7 for ; Sun, 4 Sep 2016 13:13:44 +0000 (UTC) Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with SMTP id 82FFF5F1F3 for ; Sun, 4 Sep 2016 13:13:43 +0000 (UTC) Received: (qmail 53997 invoked by uid 99); 4 Sep 2016 13:13:42 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 04 Sep 2016 13:13:42 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 4D87EDFD9F; Sun, 4 Sep 2016 13:13:42 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: bolke@apache.org To: commits@airflow.incubator.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: incubator-airflow git commit: [AIRFLOW-477][AIRFLOW-478] Restructure security section for clarity Date: Sun, 4 Sep 2016 13:13:42 +0000 (UTC) archived-at: Sun, 04 Sep 2016 13:13:49 -0000 Repository: incubator-airflow Updated Branches: refs/heads/master c6cc01f4e -> 86fe23f11 [AIRFLOW-477][AIRFLOW-478] Restructure security section for clarity Closes #1775 from alexvanboxel/docs/security Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/86fe23f1 Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/86fe23f1 Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/86fe23f1 Branch: refs/heads/master Commit: 86fe23f111c8552de2701069783a6b5b522976b4 Parents: c6cc01f Author: Alex Van Boxel Authored: Sun Sep 4 15:13:14 2016 +0200 Committer: Bolke de Bruin Committed: Sun Sep 4 15:13:18 2016 +0200 ---------------------------------------------------------------------- docs/security.rst | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/86fe23f1/docs/security.rst ---------------------------------------------------------------------- diff --git a/docs/security.rst b/docs/security.rst index b8f13ca..801dc84 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -1,9 +1,6 @@ Security ======== -Web Authentication ------------------- - By default, all gates are opened. An easy way to restrict access to the web application is to do it at the network level, or by using SSH tunnels. @@ -11,6 +8,9 @@ SSH tunnels. It is however possible to switch on authentication by either using one of the supplied backends or create your own. +Web Authentication +------------------ + Password '''''''' @@ -110,6 +110,7 @@ created by itself. Kerberos -------- + Airflow has initial support for Kerberos. This means that airflow can renew kerberos tickets for itself and store it in the ticket cache. The hooks and dags can make use of ticket to authenticate against kerberized services. @@ -214,6 +215,9 @@ and in your DAG, when initializing the HiveOperator, specify run_as_owner=True +OAuth Authentication +-------------------- + GitHub Enterprise (GHE) Authentication '''''''''''''''''''''''''''''''''''''' @@ -239,7 +243,7 @@ your GHE installation will be able to login to Airflow. allowed_teams = example_team_1, example_team_2 Setting up GHE Authentication -''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ An application must be setup in GHE before you can use the GHE authentication backend. In order to setup an application: @@ -253,7 +257,7 @@ backend. In order to setup an application: 7. Copy 'Client ID', 'Client Secret', and your callback route to your airflow.cfg according to the above example Google Authentication -'''''''''''''''''''''''''''''''''''''' +''''''''''''''''''''' The Google authentication backend can be used to authenticate users against Google using OAuth2. You must specify a domain to restrict login @@ -272,7 +276,7 @@ to only members of that domain. domain = example.com Setting up Google Authentication -''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ An application must be setup in the Google API Console before you can use the Google authentication backend. In order to setup an application: