From: Ash Berlin-Taylor
Subject: Re: Experimental API
Date: Mon, 30 Oct 2017 16:07:27 +0000
To: dev@airflow.incubator.apache.org
Message-Id: <7FDDE945-835F-41DB-AD9B-D2D94BCA1DA4@firemirror.com>

Good work!

Oh, /dag_stats and /task_stats were un-authenticated before too. Not disastrous but not great.

-ash

> On 30 Oct 2017, at 16:01, Niels Zeilemaker wrote:
> 
> Hi Ash,
> 
> I made a pull request moving the latest runs call to the web api.
> 
> https://github.com/apache/incubator-airflow/pull/2734
> 
> Niels
> 
> On 30 Oct 2017 4:58 p.m., "Ash Berlin-Taylor" <ash_airflowlist@firemirror.com> wrote:
> 
>> It's available by default.
>> 
>> https://github.com/apache/incubator-airflow/blob/21e94c7d1594c5e0806d9e1ae1205a41bf98b5d3/airflow/www/app.py#L144
>> 
>> And used in the web front end https://github.com/apache/incubator-airflow/blob/6a9ee0e045cbd14e8b6e70341135c622af187fac/airflow/www/templates/airflow/dags.html#L299
>> 
>> Does this need to be loaded via JSON? Couldn't that info be sent on initial page load without needing an extra page load?
>> 
>>> On 30 Oct 2017, at 15:44, Andy Hadjigeorgiou wrote:
>>> 
>>> Is this experimental API available by default, or does it need a configuration?
>>> 
>>> On Mon, Oct 30, 2017 at 11:42 AM, Ash Berlin-Taylor <ash_airflowlist@firemirror.com> wrote:
>>> 
>>>> Oh gods.
>>>> 
>>>> Something has gone wrong - the methods are decorated with `@requires_authentication` but they... don't. Oh, because the default backend doesn't do any authentication or protection at all.
>>>> 
>>>> I think this is CVE-worthy - using the User+Password auth for the web front end/using default config should not leave the API unprotected. I think the default API auth backend should deny all rather than allow all?
>>>> 
>>>> -ash
>>>> 
>>>>> On 30 Oct 2017, at 08:51, Niels Zeilemaker <nielszeilemaker@godatadriven.com> wrote:
>>>>> 
>>>>> Hi All,
>>>>> 
>>>>> I've implemented HTTP Basic Authentication for the experimental API, see https://github.com/apache/incubator-airflow/pull/2730. This seems to work fine.
>>>>> However, while implementing this, I noticed, to my surprise, that the experimental API was open even though we enabled Password authentication for the web-interface.
>>>>> This seems like a bug to me, as one would expect that the experimental API would use the same auth backend as the web-interface.
>>>>> 
>>>>> Why did Airflow choose to split the authentication for the web-interface and experimental API?
>>>>> And if it's not possible to combine those, is it possible to lock down the experimental API if one chooses a non-default web-interface auth backend?
>>>>> 
>>>>> Niels
>>>>> Ps with an unsecured experimental api it is possible to trigger dags, list pools, delete pools, etc.
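Added example, not code from Airflow or from anyone on this thread. It models the failure mode Ash describes (an endpoint decorated with `requires_authentication` whose backend never actually checks anything) and sets it beside the deny-by-default backend he proposes and the HTTP Basic one Niels implemented. The `Request` class, `USERS` table, `trigger_dag` endpoint and `probe` helper are assumptions made so the example runs offline; they are not Airflow's classes or the shape of its real backend modules.

```python
# Added example, not Airflow's code: three "API auth backends" that each expose
# a requires_authentication decorator, applied to the same toy endpoint.
# Request, USERS, trigger_dag and probe are assumptions for illustration.
import base64
import hmac
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class Request:
    """Stand-in for a web-framework request object (assumption, not Flask's)."""
    path: str
    headers: dict = field(default_factory=dict)


# Constructed credential store for the example only.
USERS = {"admin": "correct horse battery staple"}


def allow_all(function):
    """The bug in the thread: the decorator is applied, but it never checks
    anything, so an anonymous caller reaches the endpoint body."""
    @wraps(function)
    def decorated(request, *args, **kwargs):
        return function(request, *args, **kwargs)
    return decorated


def deny_all(function):
    """Safe default: refuse every request until an operator configures a real
    backend. The endpoint body never runs, whatever credentials are sent."""
    @wraps(function)
    def decorated(request, *args, **kwargs):
        return 403, "Forbidden"
    return decorated


def _basic_auth_user(header):
    """Return the user named by a valid 'Basic' Authorization header, else None."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in USERS:
        return None
    # Constant-time comparison so the check does not leak how much of the
    # password matched.
    if hmac.compare_digest(USERS[user].encode(), password.encode()):
        return user
    return None


def basic_auth(function):
    """HTTP Basic backend: 401 without valid credentials, otherwise run the endpoint."""
    @wraps(function)
    def decorated(request, *args, **kwargs):
        if _basic_auth_user(request.headers.get("Authorization", "")) is None:
            return 401, "Unauthorized"
        return function(request, *args, **kwargs)
    return decorated


def trigger_dag(request):
    """Toy state-changing endpoint standing in for the real trigger-DAG call."""
    return 200, "triggered"


def basic_header(user, password):
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def probe(backend, header=None):
    """Wrap the toy endpoint with a backend and return the HTTP status an
    anonymous client (or, with header, a credentialed one) gets back."""
    headers = {"Authorization": header} if header else {}
    request = Request("/api/experimental/dags/example/dag_runs", headers)
    status, _ = backend(trigger_dag)(request)
    return status


if __name__ == "__main__":
    for name, backend in (("allow_all", allow_all), ("deny_all", deny_all), ("basic_auth", basic_auth)):
        print(f"{name:10s} anonymous -> {probe(backend)}")
    print("basic_auth valid creds ->", probe(basic_auth, basic_header("admin", USERS["admin"])))
```

The point of the contrast is the anonymous row: with `allow_all` the decorator is present and the call still returns 200, which is exactly the situation of a web UI with password auth enabled and the experimental API left on the default backend. Flipping the shipped default to `deny_all` turns a silent exposure into an explicit configuration step.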