airflow-dev mailing list archives

From Ash Berlin-Taylor <>
Subject Re: Experimental API
Date Mon, 30 Oct 2017 15:42:28 GMT
Oh gods.

Something has gone wrong - the methods are decorated with `@requires_authentication` but they...
don't. Oh, because the default backend doesn't do any authentication or protection at all.

I think this is CVE-worthy - using the User+Password auth for the web front end/using default
config should not leave the API unprotected. I think the default API auth backend should deny
all rather than allow all?


> On 30 Oct 2017, at 08:51, Niels Zeilemaker <> wrote:
> Hi All,
> I've implemented HTTP Basic Authentication for the experimental API, see
> This seems to work fine.
> However, while implementing this, I noticed, to my surprise, that the experimental API
> was open even though we enabled Password authentication for the web-interface.
> This seems like a bug to me, as one would expect that the experimental API would use
> the same auth backend as the web-interface.
> Why did Airflow choose to split the authentication for the web-interface and experimental
> And if it's not possible to combine those, is it possible to lock down the experimental
> API if one chooses a non-default web-interface auth backend?
> Niels
> PS with an unsecured experimental API it is possible to trigger DAGs, list pools, delete
> pools, etc.
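The failure mode discussed in this thread is a pluggable auth backend whose default is "allow all", so the `requires_authentication` decorator is present on every endpoint yet protects nothing. The example below is added here for illustration and is not Airflow's code: it models a stripped-down `Request`, a decorator that delegates to a backend callable, and three backends side by side: the allow-all behaviour described above, a deny-all default that fails closed, and the HTTP Basic backend Niels describes. The `USERS` table, the `Request`/`Unauthorized` classes, `make_trigger_dag_endpoint` and the `basic_request` helper are all constructed for this example.

```python
import base64
import functools
import hmac

# Constructed user store for the example (never store plaintext passwords in practice).
USERS = {"alice": "correct horse battery staple"}


class Request:
    """Minimal stand-in for a web framework request: only headers matter here."""

    def __init__(self, headers=None):
        self.headers = headers or {}


class Unauthorized(Exception):
    pass


# Backend 1: the behaviour the thread complains about. Every request is accepted,
# so decorating endpoints with requires_authentication changes nothing.
def allow_all_backend(request):
    return True


# Backend 2: a fail-closed default. If nobody configured authentication,
# the API refuses every request instead of silently exposing it.
def deny_all_backend(request):
    return False


# Backend 3: HTTP Basic authentication against the USERS table.
def basic_auth_backend(request):
    scheme, _, value = request.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not value:
        return False
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False  # malformed credential, treat as unauthenticated
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    expected = USERS.get(user)
    if expected is None:
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def requires_authentication(backend):
    """Decorator factory: the wrapped view runs only if `backend` accepts the request."""

    def decorator(view):
        @functools.wraps(view)
        def wrapper(request, *args, **kwargs):
            if not backend(request):
                raise Unauthorized("authentication required")
            return view(request, *args, **kwargs)

        return wrapper

    return decorator


def make_trigger_dag_endpoint(backend):
    """Build a 'trigger DAG' endpoint bound to a given auth backend (hypothetical endpoint)."""

    @requires_authentication(backend)
    def trigger_dag(request, dag_id):
        return {"triggered": dag_id}

    return trigger_dag


def basic_request(user, password):
    """Construct a request carrying an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return Request({"Authorization": "Basic " + token})


def call(endpoint, request, dag_id="example_dag"):
    """Invoke an endpoint; return its result, or None when the backend rejects the request."""
    try:
        return endpoint(request, dag_id)
    except Unauthorized:
        return None


if __name__ == "__main__":
    anonymous = Request()
    print("allow-all, no credentials:", call(make_trigger_dag_endpoint(allow_all_backend), anonymous))
    print("deny-all, no credentials: ", call(make_trigger_dag_endpoint(deny_all_backend), anonymous))
    print("basic, wrong password:    ", call(make_trigger_dag_endpoint(basic_auth_backend), basic_request("alice", "nope")))
    print("basic, right password:    ", call(make_trigger_dag_endpoint(basic_auth_backend), basic_request("alice", USERS["alice"])))
```

The point of placing the three backends next to each other is that the decorator is identical in every case; only the default backend decides whether an unconfigured deployment is open or closed, which is why a deny-all default is the safer choice.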
