airflow-dev mailing list archives

From Niels Zeilemaker <ni...@zeilemaker.nl>
Subject Re: Experimental API
Date Mon, 30 Oct 2017 16:01:52 GMT
Hi Ash,

I made a pull request moving the latest runs call to the web api.

https://github.com/apache/incubator-airflow/pull/2734

Niels

On 30 Oct 2017 at 4:58 p.m., "Ash Berlin-Taylor" <ash_airflowlist@firemirror.com> wrote:

> It's available by default.
>
> https://github.com/apache/incubator-airflow/blob/21e94c7d1594c5e0806d9e1ae1205a41bf98b5d3/airflow/www/app.py#L144
>
> And used in the web front end https://github.com/apache/incubator-airflow/blob/6a9ee0e045cbd14e8b6e70341135c622af187fac/airflow/www/templates/airflow/dags.html#L299
>
> Does this need to be loaded via JSON? Couldn't that info be sent on
> initial page load without needing an extra page load?
>
> > On 30 Oct 2017, at 15:44, Andy Hadjigeorgiou <andyxhadji@gmail.com> wrote:
> >
> > Is this experimental API available by default, or does it need a
> > configuration?
> >
> > On Mon, Oct 30, 2017 at 11:42 AM, Ash Berlin-Taylor <
> > ash_airflowlist@firemirror.com> wrote:
> >
> >> Oh gods.
> >>
> >> Something has gone wrong - the methods are decorated with
> >> `@requires_authentication` but they... don't. Oh, because the default
> >> backend doesn't do any authentication or protection at all.
> >>
> >> I think this is CVEworthy - using the User+Password auth for the web front
> >> end/using default config should not leave the API unprotected. I think the
> >> default API auth backend should deny all rather than allow all?
> >>
> >> -ash
> >>
> >>> On 30 Oct 2017, at 08:51, Niels Zeilemaker <nielszeilemaker@godatadriven.com> wrote:
> >>>
> >>> Hi All,
> >>>
> >>> I've implemented HTTP Basic Authentication for the experiment API, see https://github.com/apache/incubator-airflow/pull/2730. This seems to work fine.
> >>> However, while implementing this, I noticed, to my surprise, that the experimental API was open even though we enabled Password authentication for the web-interface.
> >>> This seems like a bug to me, as one would expect that the experimental API would use the same auth backend as the web-interface.
> >>>
> >>> Why did Airflow choose to split the authentication for the web-interface and experimental API?
> >>> And if it's not possible to combine those, is it possible to lock down the experimental API if one chooses a non-default web-interface auth backend?
> >>>
> >>> Niels
> >>> Ps with an unsecured experimental api it is possible to trigger dags, list pools, delete pools, etc.
> >>
> >>
>
>
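
The failure described in this thread, where every endpoint carries `@requires_authentication` but the configured backend checks nothing, modelled as an added example that is not part of the thread and is not Airflow's code. The backend names, `make_api`, `delete_pool` and the credential store are hypothetical, and the sample credentials are constructed.

```python
# Simplified model of a pluggable API auth backend (hypothetical names, not Airflow's code).
import base64
import hmac

USERS = {"niels": "constructed-password"}  # constructed sample credential store

def allow_all(request):
    """Fail-open backend: authenticates nobody and rejects nothing."""
    return None  # None means "let the request through"

def deny_all(request):
    """Fail-closed backend: every request is refused."""
    return 403

def basic_auth(request):
    """HTTP Basic backend: 401 unless the Authorization header checks out."""
    header = request.get("Authorization", "")
    if not header.startswith("Basic "):
        return 401
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # covers bad base64 and undecodable bytes
        return 401
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401
    return None

BACKENDS = {"allow_all": allow_all, "deny_all": deny_all, "basic_auth": basic_auth}

def make_api(config):
    """Build the endpoint; a missing or unknown backend name falls back to deny_all."""
    backend = BACKENDS.get(config.get("auth_backend"), deny_all)

    def requires_authentication(fn):
        def wrapper(request, *args):
            status = backend(request)
            return (status, None) if status else fn(request, *args)
        return wrapper

    @requires_authentication
    def delete_pool(request, name):
        return 200, f"pool {name} deleted"

    return delete_pool
```

With `allow_all` selected the decorated `delete_pool` runs for a request carrying no credentials at all, which is the behaviour reported above; leaving the setting out falls back to `deny_all`, the default proposed in the thread.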
