airflow-dev mailing list archives

From Ash Berlin-Taylor <...@firemirror.com>
Subject Re: Experimental API
Date Mon, 30 Oct 2017 16:07:27 GMT
Good work!

Oh, /dag_stats and /task_stats were un-authenticated before too. Not disastrous but not great.

-ash

> On 30 Oct 2017, at 16:01, Niels Zeilemaker <niels@zeilemaker.nl> wrote:
> 
> Hi Ash,
> 
> I made a pull request moving the latest runs call to the web api.
> 
> https://github.com/apache/incubator-airflow/pull/2734
> 
> Niels
> 
> Op 30 okt. 2017 4:58 p.m. schreef "Ash Berlin-Taylor" <
> ash_airflowlist@firemirror.com>:
> 
>> It's available by default.
>> 
>> https://github.com/apache/incubator-airflow/blob/21e94c7d1594c5e0806d9e1ae1205a41bf98b5d3/airflow/www/app.py#L144
>> 
>> And used in the web front end https://github.com/apache/incubator-airflow/blob/6a9ee0e045cbd14e8b6e70341135c622af187fac/airflow/www/templates/airflow/dags.html#L299
>> 
>> Does this need to be loaded via JSON? Couldn't that info be sent on
>> initial page load without needing an extra page load?
>> 
>>> On 30 Oct 2017, at 15:44, Andy Hadjigeorgiou <andyxhadji@gmail.com>
>> wrote:
>>> 
>>> Is this experimental API available by default, or does it need a
>>> configuration?
>>> 
>>> On Mon, Oct 30, 2017 at 11:42 AM, Ash Berlin-Taylor <
>>> ash_airflowlist@firemirror.com> wrote:
>>> 
>>>> Oh gods.
>>>> 
>>>> Something has gone wrong - the methods are decorated with
>>>> `@requires_authentication` but they... don't. Oh, because the default
>>>> backend doesn't do any authentication or protection at all.
>>>> 
>>>> I think this is CVE-worthy - using the User+Password auth for the web
>>>> front end/using default config should not leave the API unprotected. I think
>>>> the default API auth backend should deny all rather than allow all?
>>>> 
>>>> -ash
>>>> 
>>>>> On 30 Oct 2017, at 08:51, Niels Zeilemaker <
>>>> nielszeilemaker@godatadriven.com> wrote:
>>>>> 
>>>>> Hi All,
>>>>> 
>>>>> I've implemented HTTP Basic Authentication for the experimental API, see
>>>>> https://github.com/apache/incubator-airflow/pull/2730. This seems to
>>>>> work fine.
>>>>> However, while implementing this, I noticed, to my surprise, that the
>>>>> experimental API was open even though we enabled Password authentication
>>>>> for the web-interface.
>>>>> This seems like a bug to me, as one would expect that the experimental
>>>>> API would use the same auth backend as the web-interface.
>>>>> 
>>>>> Why did Airflow choose to split the authentication for the
>>>>> web-interface and experimental API?
>>>>> And if it's not possible to combine those, is it possible to lock down
>>>>> the experimental API if one chooses a non-default web-interface auth
>>>>> backend?
>>>>> 
>>>>> Niels
>>>>> PS with an unsecured experimental API it is possible to trigger DAGs,
>>>>> list pools, delete pools, etc.
>>>> 
>>>> 
>> 
>> 


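Added example, not Airflow's own code: a minimal stand-in for the `@requires_authentication` decorator pattern the thread describes, showing why the decorator protects nothing when the configured backend is an allow-all no-op, what a deny-all default (as Ash proposes) looks like, and an HTTP Basic backend in the spirit of PR 2730. The `CONFIG` dict, `call_with_backend` helper and the `users` map are assumptions made for this example.

```python
import base64
import hmac
from functools import wraps

class Unauthorized(Exception):
    pass
# Backends: each is authenticate(headers) -> bool, where `headers` is the
# request's header dict (a constructed stand-in for the framework request).
def allow_all_backend(headers):
    return True   # the old default the thread describes: a no-op check

def deny_all_backend(headers):
    return False  # the safer default proposed in the thread

def make_basic_auth_backend(users):
    # HTTP Basic backend in the spirit of PR 2730; `users` maps name -> password
    # (plaintext only for this example; a deployment would store hashes).
    def authenticate(headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic" or not token:
            return False
        try:
            user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        expected = users.get(user)
        return expected is not None and hmac.compare_digest(expected.encode(), pwd.encode())
    return authenticate

CONFIG = {"auth_backend": deny_all_backend}  # stands in for the api auth_backend setting

def requires_authentication(view):
    # The view is only as protected as the configured backend makes it.
    @wraps(view)
    def wrapper(headers, *args, **kwargs):
        if not CONFIG["auth_backend"](headers):
            raise Unauthorized(view.__name__)
        return view(headers, *args, **kwargs)
    return wrapper

@requires_authentication
def latest_runs(headers):
    return {"items": []}

def call_with_backend(backend, headers):
    # Run latest_runs under a backend; returns "allowed" or "denied".
    CONFIG["auth_backend"] = backend
    try:
        latest_runs(headers)
        return "allowed"
    except Unauthorized:
        return "denied"
```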