jscheffl commented on code in PR #40897:
URL: https://github.com/apache/airflow/pull/40897#discussion_r1685320255
##########
airflow/api_internal/internal_api_call.py:
##########
@@ -68,21 +73,31 @@ def get_internal_api_endpoint():
InternalApiConfig._init_values()
return InternalApiConfig._internal_api_endpoint
+ @staticmethod
+ def get_auth() -> AuthBase | None:
+ return InternalApiConfig._internal_api_auth
+
@staticmethod
def _init_values():
use_internal_api = conf.getboolean("core",
"database_access_isolation", fallback=False)
if use_internal_api and not _ENABLE_AIP_44:
raise RuntimeError("The AIP_44 is not enabled so you cannot use
it.")
- internal_api_endpoint = ""
if use_internal_api:
- internal_api_url = conf.get("core", "internal_api_url")
- internal_api_endpoint = internal_api_url +
"/internal_api/v1/rpcapi"
- if not internal_api_endpoint.startswith("http://";):
- raise AirflowConfigException("[core]internal_api_url must
start with http://";)
+ internal_api_endpoint = conf.get("core", "internal_api_url")
+ if internal_api_endpoint.find("/", 8) == -1:
+ internal_api_endpoint = internal_api_endpoint +
"/internal_api/v1/rpcapi"
+ if not internal_api_endpoint.startswith("http://";) and not
internal_api_endpoint.startswith(
+ "https://";
+ ):
+ raise AirflowConfigException("[core]internal_api_url must
start with http:// or https://";)
+ InternalApiConfig._internal_api_endpoint = internal_api_endpoint
+ internal_api_user = conf.get("core", "internal_api_user")
+ internal_api_password = conf.get("core", "internal_api_password")
Review Comment:
Looking though the code I am wondering a bit regarding the log endpoint
where the code snipped is coming from. Log endpoint also uses the decorator
`@security.requires_access_dag("GET", DagAccessEntity.TASK_LOGS)` on top, means
the token is a kind of second factor but not the only means of authentication.
You need to authenticate to get logs. I don't see any handling with the
decorator ignoring an HTTP-based auth if a token is provided.
Do you mean with your feedback that if we implement auth in internal API
that we need to put the token "on top" to have a second factor? Or should a
generated token based on the secret key replace/substiture any decorator e.g.
which I just added in AIP-69 in
https://github.com/apache/airflow/pull/40224/files#diff-5fb7e8d1b04e10947ebd11fdba06820f44cac02f2f36ad97b5964cf0273b05cfR69
(`@requires_access_custom_view("POST", REMOTE_WORKER_API_ROLE)`) - would a
pure token authentication be sufficient?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
