kaxil commented on a change in pull request #9611:
URL: https://github.com/apache/airflow/pull/9611#discussion_r448424798
##########
File path: UPDATING.md
##########
@@ -1425,6 +1425,22 @@ Now the `dag_id` will not appear repeated in the
payload, and the response forma
}
```
+### Experimental API will deny all request by default.
+
+The previous default setting was to allow all API requests without
authentication, but this poses security
+risks to users who miss this fact. This changes the default for new installs
to deny all requests by default.
+
+**Note**: This will not change the behavior for existing installs, please
update check your airflow.cfg
+
+If you wish to have the experimental API work, and aware of the risks of
enabling this without authentication
+(or if you have your own authentication layer in front of Airflow) you can get
the old back on a new install
+by setting this in your airflow.cfg:
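Review bot: The **Note** line ("please update check your airflow.cfg") is garbled and does not say which setting an existing install should look at or what value denies requests, so the installs that keep the old allow-all behaviour get no actionable instruction. Suggest rewording it to "please check your airflow.cfg" and naming the option and the deny-all value right there, before the paragraph on restoring the old behaviour. Two smaller points in the same hunk: the heading should read "requests" and drop the trailing period, and "and aware of the risks" is missing "are".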
Review comment:
```suggestion
(or if you have your own authentication layer in front of Airflow) you can
get the previous behaviour back on a new install
by setting this in your airflow.cfg:
```