airflow-dev mailing list archives

From Ash Berlin-Taylor <ash_airflowl...@firemirror.com>
Subject Re: Experimental API
Date Mon, 30 Oct 2017 15:42:28 GMT
Oh gods.

Something has gone wrong - the methods are decorated with `@requires_authentication` but they...
don't. Oh, because the default backend doesn't do any authentication or protection at all.


I think this is CVE-worthy - using the User+Password auth for the web front end/using default
config should not leave the API unprotected. I think the default API auth backend should deny
all rather than allow all?

-ash

> On 30 Oct 2017, at 08:51, Niels Zeilemaker <nielszeilemaker@godatadriven.com> wrote:
> 
> Hi All,
> 
> I've implemented HTTP Basic Authentication for the experimental API, see https://github.com/apache/incubator-airflow/pull/2730.
> This seems to work fine.
> However, while implementing this, I noticed, to my surprise, that the experimental API
> was open even though we enabled Password authentication for the web-interface.
> This seems like a bug to me, as one would expect that the experimental API would use
> the same auth backend as the web-interface.
> 
> Why did Airflow choose to split the authentication for the web-interface and experimental
> API?
> And if it's not possible to combine those, is it possible to lock down the experimental
> API if one chooses a non-default web-interface auth backend?
> 
> Niels
> PS: with an unsecured experimental API it is possible to trigger DAGs, list pools, delete
> pools, etc.
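The thread above turns on one design point: the endpoints are wrapped in a `requires_authentication` decorator, but that decorator comes from a pluggable backend, and the default backend is a pass-through, so the decoration protects nothing. The following is an added illustration (not Airflow's own code, and the `Request`, `Forbidden`, token backend and `build_trigger_dag` names are assumptions) that models the three backend choices side by side: the allow-all default the thread complains about, the deny-all default Ash proposes, and a backend that actually checks a credential.

```python
# Added example: a minimal model of a pluggable API auth backend. Each backend
# exports a requires_authentication decorator; endpoints are bound to whichever
# backend is configured. Not Airflow's code; names below are assumptions.
import functools
import hmac


class Request:
    """Constructed stand-in for an HTTP request: only headers matter here."""
    def __init__(self, headers=None):
        self.headers = headers or {}


class Forbidden(Exception):
    """Raised by a backend to refuse the call (maps to HTTP 403 below)."""


def allow_all_requires_authentication(function):
    """Allow-all backend: the decorator exists but performs no check."""
    @functools.wraps(function)
    def decorated(request, *args, **kwargs):
        return function(request, *args, **kwargs)
    return decorated


def deny_all_requires_authentication(function):
    """Deny-all backend: the safe default, refuses every call until replaced."""
    @functools.wraps(function)
    def decorated(request, *args, **kwargs):
        raise Forbidden("API auth backend is deny_all")
    return decorated


def make_token_backend(expected_token):
    """Hypothetical checking backend: bearer token, constant-time compare."""
    def requires_authentication(function):
        @functools.wraps(function)
        def decorated(request, *args, **kwargs):
            supplied = request.headers.get("Authorization", "").encode()
            if not hmac.compare_digest(supplied, b"Bearer " + expected_token.encode()):
                raise Forbidden("missing or invalid token")
            return function(request, *args, **kwargs)
        return decorated
    return requires_authentication


def build_trigger_dag(requires_authentication):
    """Bind a trigger_dag-like endpoint to the chosen backend's decorator."""
    @requires_authentication
    def trigger_dag(request, dag_id):
        return {"triggered": dag_id}
    return trigger_dag


def call(endpoint, request, dag_id="example_dag"):
    """Return the HTTP-style status the caller would see: 200 or 403."""
    try:
        endpoint(request, dag_id)
        return 200
    except Forbidden:
        return 403
```

With the allow-all backend an unauthenticated `call` returns 200, which is exactly the open API Niels observed; swapping in the deny-all backend makes the same call return 403 without any change to the endpoint.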

