airflow-commits mailing list archives

From bo...@apache.org
Subject incubator-airflow git commit: [AIRFLOW-1765] Make experimental API securable without needing Kerberos.
Date Wed, 01 Nov 2017 14:38:41 GMT
Repository: incubator-airflow
Updated Branches:
  refs/heads/master 0bf7adb20 -> 0e27e1b20


[AIRFLOW-1765] Make experimental API securable without needing Kerberos.

Previously the experimental API was either wide-open only (allow any
request) or secured behind Kerberos. This adds a third option of
deny-all.

Closes #2737 from ashb/exp-api-securable


Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/0e27e1b2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/0e27e1b2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/0e27e1b2

Branch: refs/heads/master
Commit: 0e27e1b209e77f22e79e00c2f2e3ab542195405c
Parents: 0bf7adb
Author: Ash Berlin-Taylor <ash_github@firemirror.com>
Authored: Wed Nov 1 15:38:36 2017 +0100
Committer: Bolke de Bruin <bolke@xs4all.nl>
Committed: Wed Nov 1 15:38:36 2017 +0100

----------------------------------------------------------------------
 airflow/api/auth/backend/deny_all.py | 30 ++++++++++++++++++++++++++++++
 docs/api.rst                         | 20 +++++++++++++++-----
 docs/security.rst                    |  2 ++
 3 files changed, 47 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/0e27e1b2/airflow/api/auth/backend/deny_all.py
----------------------------------------------------------------------
diff --git a/airflow/api/auth/backend/deny_all.py b/airflow/api/auth/backend/deny_all.py
new file mode 100644
index 0000000..1b15e87
--- /dev/null
+++ b/airflow/api/auth/backend/deny_all.py
@@ -0,0 +1,30 @@
+# -*- coding: utf-8 -*-
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from functools import wraps
+from flask import Response
+
+client_auth = None
+
+
+def init_app(app):
+    pass
+
+
+def requires_authentication(function):
+    @wraps(function)
+    def decorated(*args, **kwargs):
+        return Response("Forbidden", 403)
+
+    return decorated
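
Review bot: the new backend ships without a test or a module docstring; the diffstat lists only deny_all.py and the two docs files. Since this module is the only non-Kerberos way to close the API, a small test that wraps a view with requires_authentication and asserts both the 403 status and that the wrapped function is never called would protect against a later refactor accidentally invoking `function`. A one-line docstring stating that every request is rejected, and that `client_auth = None` and the empty `init_app` are intentional, would also help anyone auditing the configured auth_backend.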

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/0e27e1b2/docs/api.rst
----------------------------------------------------------------------
diff --git a/docs/api.rst b/docs/api.rst
index eef671c..856ec9e 100644
--- a/docs/api.rst
+++ b/docs/api.rst
@@ -28,16 +28,26 @@ configure as follows:
 Authentication
 --------------
 
-Only Kerberos authentication is currently supported for the API. To enable this set the following
-in the configuration:
+Authentication for the API is handled separately to the Web Authentication. The default is
to not
+require any authentication on the API -- i.e. wide open by default. This is not recommended
if your
+Airflow webserver is publicly accessible, and you should probably use the deny all backend:
 
-.. code-block:: bash
+.. code-block:: ini
+
+    [api]
+    auth_backend = airflow.api.auth.backend.deny_all
+
+
+Kerberos is the only "real" authentication mechanism currently supported for the API. To
enable
+this set the following in the configuration:
+
+.. code-block:: ini
 
     [api]
-    auth_backend = airflow.api.auth.backend.default
+    auth_backend = airflow.api.auth.backend.kerberos_auth
 
     [kerberos]
     keytab = <KEYTAB>
 
-The Kerberos service is configured as `airflow/fully.qualified.domainname@REALM`. Make sure
this
+The Kerberos service is configured as ``airflow/fully.qualified.domainname@REALM``. Make
sure this
 principal exists in the keytab file.
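
Review bot: the first added paragraph documents an unauthenticated default but only says "you should probably use the deny all backend", in running text. For a setting that leaves the API open to any request, this deserves a `.. warning::` directive and firmer wording, and the text should name the config value that corresponds to the wide-open behaviour so operators can check their existing airflow.cfg for it. Note also that the removed Kerberos example used `auth_backend = airflow.api.auth.backend.default`; if that is the wide-open backend, anyone who copied the old docs believing they had enabled Kerberos is running unauthenticated, which is worth calling out explicitly here or in the release notes.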

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/0e27e1b2/docs/security.rst
----------------------------------------------------------------------
diff --git a/docs/security.rst b/docs/security.rst
index 6c0893d..f33ff04 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -8,6 +8,8 @@ SSH tunnels.
 It is however possible to switch on authentication by either using one of the supplied
 backends or creating your own.
 
+Be sure to checkout :doc:`api` for securing the API.
+
 Web Authentication
 ------------------
 
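
Review bot: in the added line, "checkout" should be the verb "check out", and the pointer is easy to miss for something this important. A reader who enables Web Authentication from this page can reasonably assume it covers the API, while the api.rst change in this same commit says API authentication is handled separately and is wide open by default. Suggest stating that directly here, for example "Web authentication does not protect the experimental API; see :doc:`api`", ideally as a note or warning.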

