airflow-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AIRFLOW-1765) Default API auth backed should deny all.
Date Wed, 01 Nov 2017 14:40:00 GMT

    [ https://issues.apache.org/jira/browse/AIRFLOW-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16234152#comment-16234152
] 

ASF subversion and git services commented on AIRFLOW-1765:
----------------------------------------------------------

Commit 6ecdac701c336da69cccfee2016e9a4f6e90558c in incubator-airflow's branch refs/heads/v1-9-test
from [~ashb]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=6ecdac7 ]

[AIRFLOW-1765] Make experimental API securable without needing Kerberos.

Previously the experimental API was either wide-
open only (allow any
request) or secured behind Kerberos. This adds a
third option of
deny-all.

Closes #2737 from ashb/exp-api-securable

(cherry picked from commit 0e27e1b209e77f22e79e00c2f2e3ab542195405c)
Signed-off-by: Bolke de Bruin <bolke@xs4all.nl>


> Default API auth backed should deny all.
> ----------------------------------------
>
>                 Key: AIRFLOW-1765
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1765
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: api, authentication
>    Affects Versions: 1.8.2
>            Reporter: Ash Berlin-Taylor
>            Priority: Major
>              Labels: security
>             Fix For: 1.9.0
>
>
> It has been discovered that the experimental API in the default configuration is not
protected behind any authentication.
> This means that out of the box the Airflow webserver's /api/experimental/ can be requested
by anyone, meaning pools can be updated/deleted and task instance variables can be read.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message