airflow-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (AIRFLOW-1765) Default API auth backed should deny all.
Date Wed, 01 Nov 2017 14:40:00 GMT


ASF subversion and git services commented on AIRFLOW-1765:

Commit 6ecdac701c336da69cccfee2016e9a4f6e90558c in incubator-airflow's branch refs/heads/v1-9-test
from [~ashb]
[;h=6ecdac7 ]

[AIRFLOW-1765] Make experimental API securable without needing Kerberos.

Previously the experimental API was either wide-
open only (allow any
request) or secured behind Kerberos. This adds a
third option of

Closes #2737 from ashb/exp-api-securable

(cherry picked from commit 0e27e1b209e77f22e79e00c2f2e3ab542195405c)
Signed-off-by: Bolke de Bruin <>

> Default API auth backed should deny all.
> ----------------------------------------
>                 Key: AIRFLOW-1765
>                 URL:
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: api, authentication
>    Affects Versions: 1.8.2
>            Reporter: Ash Berlin-Taylor
>            Priority: Major
>              Labels: security
>             Fix For: 1.9.0
> It has been discovered that the experimental API in the default configuration is not
protected behind any authentication.
> This means that out of the box the Airflow webserver's /api/experimental/ can be requested
by anyone, meaning pools can be updated/deleted and task instance variables can be read.

This message was sent by Atlassian JIRA

View raw message