This is an automated email from the ASF dual-hosted git repository.

vincbeck pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new c047c87aed0 Expand and improve the kerberos api authentication 
documentation (#43682)
c047c87aed0 is described below

commit c047c87aed0ba191ada035c47ed9f6de9756b4e3
Author: Balthazar Rouberol <[email protected]>
AuthorDate: Tue Nov 12 14:55:58 2024 +0100

    Expand and improve the kerberos api authentication documentation (#43682)
    
    The following improvements were added to the API Kerberos authentication
    documentation section:
    - unify `@REALM` and `@KERBEROS-REALM`: the fact that they read
      different was confusing and prompted the question whether they were
      two different names for the same realm value or not
    - provide a `curl` example
    - mention that the stable API is authorized _and_ access-controlled, so
      the authenticated user should have the required permissions to request
      the API
    - fix a typo
    
    Signed-off-by: Balthazar Rouberol <[email protected]>
---
 .../auth-manager/api-authentication.rst            | 26 ++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git 
a/docs/apache-airflow-providers-fab/auth-manager/api-authentication.rst 
b/docs/apache-airflow-providers-fab/auth-manager/api-authentication.rst
index 0e923304813..fc3d922fd75 100644
--- a/docs/apache-airflow-providers-fab/auth-manager/api-authentication.rst
+++ b/docs/apache-airflow-providers-fab/auth-manager/api-authentication.rst
@@ -48,7 +48,7 @@ command as in the example below.
 Kerberos authentication
 '''''''''''''''''''''''
 
-Kerberos authentication is currently supported for the API.
+Kerberos authentication is currently supported for the API, both experimental 
and stable.
 
 To enable Kerberos authentication, set the following in the configuration:
 
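Review bot: On the added line, "the API, both experimental and stable" leaves the reader to work out that two separate REST APIs are meant, and the only endpoint this patch goes on to show is a stable one (`/api/v1/pools`). Suggest "both the experimental and the stable REST API", and dropping "currently" unless a version is named.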
@@ -60,11 +60,29 @@ To enable Kerberos authentication, set the following in the 
configuration:
     [kerberos]
     keytab = <KEYTAB>
 
-The Kerberos service is configured as 
``airflow/fully.qualified.domainname@REALM``. Make sure this
-principal exists in the keytab file.
+The airflow Kerberos service is configured as 
``airflow/fully.qualified.domainname@REALM``. Make sure this
+principal exists `in both the Kerberos database as well as in the keytab file 
</docs/apache-airflow/stable/security/kerberos.html#enabling-kerberos>`_.
 
 You have to make sure to name your users with the kerberos full username/realm 
in order to make it
-works. This means that your user name should be ``user_name@KERBEROS-REALM``.
+work. This means that your user name should be ``user_name@REALM``.
+
+.. code-block:: bash
+
+    kinit user_name@REALM
+    ENDPOINT_URL="http://localhost:8080/";
+    curl -X GET  \
+        --negotiate \  # enables Negotiate (SPNEGO) authentication
+        --service airflow \  # matches the `airflow` service name in the 
`airflow/fully.qualified.domainname@REALM` principal
+        --user : \
+        "${ENDPOINT_URL}/api/v1/pools"
+
+
+.. note::
+
+    Remember that the stable API is secured by both authentication and `access 
control <./access-control.html>`_.
+    This means that your user needs to have a Role with necessary associated 
permissions, otherwise you'll receive
+    a 403 response.
+
 
 Basic authentication
 ''''''''''''''''''''
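Review bot: In the added `curl` code block, the comments placed after the trailing backslashes (`--negotiate \  # enables ...` and `--service airflow \  # matches ...`) break the command when it is pasted into bash. A backslash followed by a space escapes the space instead of continuing the line, so the command ends at `--negotiate` and the remaining lines run as separate commands. Move the explanations into the surrounding prose or into comment lines above the command, so that every `\` is the last character on its line. In the same block, `ENDPOINT_URL` ends in `/` and is then joined with `/api/v1/pools`, which produces `//api/v1/pools`; drop the trailing slash and the stray `;`. It would also help readers to spell the option out as `--service-name`, the full name curl documents.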
