potiuk commented on PR #40899: URL: https://github.com/apache/airflow/pull/40899#issuecomment-2241149045
I looked in detail (sorry for that, I was just quickly looking it up, but the concept is similar). The actual code I think we should model it from, which is similar but adds a bit more protection, is the one we use to retrieve logs (because it also adds an expiry date for the request), and it uses JWTSigner instead of itsdangerous.

Here is the server side: https://github.com/apache/airflow/blob/c2a54efefb66fe2fa7b3b2e5e1cfd2cc0527f2f6/airflow/utils/serve_logs.py#L80

And here is the client side: https://github.com/apache/airflow/blob/main/airflow/utils/log/file_task_handler.py#L94

Conceptually it's very similar to signer: you can sign the whole payload of the request and pass it as an "Authorization:" header. This way:

* the signature cannot be re-used in another request
* it has an expiry date
* also it can have salt added (the audience is effectively salt)
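An added illustration of the three properties listed above (request binding, expiry, audience as salt), not code from the PR or from Airflow's JWTSigner: a minimal HS256 JWT built with the standard library only, where the claim names `aud`/`exp`/`filename`, the audience string and the log path are constructed sample values chosen for the example.

```python
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_request(secret: bytes, audience: str, filename: str, ttl: int, now=None) -> str:
    """Client side: sign the request payload (here: the log filename) together with
    an audience (acts as salt) and an expiry window, producing the Authorization value."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"aud": audience, "iat": now, "nbf": now, "exp": now + ttl, "filename": filename}
    enc = lambda obj: _b64(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"

def verify_request(secret: bytes, audience: str, filename: str, token: str, now=None) -> dict:
    """Server side: return the claims if the token is valid for *this* request,
    otherwise raise ValueError. Signature is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    expected = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("bad signature")
    if json.loads(_unb64(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    claims = json.loads(_unb64(c))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")  # token minted for a different consumer
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("filename") != filename:
        raise ValueError("token was issued for a different request")  # replay guard
    return claims

def request_allowed(secret: bytes, audience: str, filename: str, token: str, now=None) -> bool:
    """Boolean wrapper around verify_request for callers that only need allow/deny."""
    try:
        verify_request(secret, audience, filename, token, now)
        return True
    except ValueError:
        return False
```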
