This is an automated email from the ASF dual-hosted git repository.

kaxilnaik pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit 89329c4ac4e98f479003b217981dc4dfde2bf661
Author: Ash Berlin-Taylor <ash_git...@firemirror.com>
AuthorDate: Wed Jul 1 17:04:35 2020 +0100

    Change default auth for experimental backend to deny_all (#9611)
    
    In a move that should surprise no one, a number of users do not read,
    and leave the API wide open by default. Safe is better than powned
    
    (cherry picked from commit 9e305d6b810a2a21e2591a80a80ec41acb3afed0)
---
 UPDATING.md                                  | 16 ++++++++++++++++
 airflow/config_templates/config.yml          |  6 ++++--
 airflow/config_templates/default_airflow.cfg |  6 ++++--
 3 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/UPDATING.md b/UPDATING.md
index 3dfda58..ec193f9 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -73,6 +73,22 @@ Before 1.10.11 it was possible to edit DagRun State in the 
`/admin/dagrun/` page
 
 In Airflow 1.10.11+, the user can only choose the states from the list.
 
+### Experimental API will deny all request by default.
+
+The previous default setting was to allow all API requests without 
authentication, but this poses security
+risks to users who miss this fact. This changes the default for new installs 
to deny all requests by default.
+
+**Note**: This will not change the behavior for existing installs, please 
update check your airflow.cfg
+
+If you wish to have the experimental API work, and aware of the risks of 
enabling this without authentication
+(or if you have your own authentication layer in front of Airflow) you can get
+the previous behaviour on a new install by setting this in your airflow.cfg:
+
+```
+[api]
+auth_backend = airflow.api.auth.backend.default
+```
+
 ## Airflow 1.10.10
 
 ### Setting Empty string to a Airflow Variable will return an empty string
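Review bot: the UPDATING.md text needs a copy-edit and a sharper instruction for existing installs. The heading should read "deny all requests by default", "please update check your airflow.cfg" looks like a leftover from editing (suggest "please check your airflow.cfg"), and "and aware of the risks" should be "and are aware of the risks". More importantly, since configs generated from the old default_airflow.cfg carry the explicit line `auth_backend = airflow.api.auth.backend.default`, the new default changes nothing for anyone who upgrades; the note should state plainly that such users must set `auth_backend = airflow.api.auth.backend.deny_all` (or a real authentication backend) themselves to close the API, rather than only asking them to "check" the file.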
diff --git a/airflow/config_templates/config.yml 
b/airflow/config_templates/config.yml
index f632cd5..0d52426 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -524,11 +524,13 @@
   options:
     - name: auth_backend
       description: |
-        How to authenticate users of the API
+        How to authenticate users of the API. See
+        https://airflow.apache.org/docs/stable/security.html for possible 
values.
+        ("airflow.api.auth.backend.default" allows all requests for historic 
reasons)
       version_added: ~
       type: string
       example: ~
-      default: "airflow.api.auth.backend.default"
+      default: "airflow.api.auth.backend.deny_all"
 - name: lineage
   description: ~
   options:
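Review bot: the description links to https://airflow.apache.org/docs/stable/security.html, an unversioned URL that will point at whatever release is current when the reader follows it; consider linking the 1.10 documentation explicitly. Since the default itself changes in this release, the description (sitting next to `version_added: ~`) should also say that the default was `airflow.api.auth.backend.default` before 1.10.11, so readers of the generated configuration reference understand why an older airflow.cfg differs from the documented default.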
diff --git a/airflow/config_templates/default_airflow.cfg 
b/airflow/config_templates/default_airflow.cfg
index a061d46..63bd3cb 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -274,8 +274,10 @@ endpoint_url = http://localhost:8080
 fail_fast = False
 
 [api]
-# How to authenticate users of the API
-auth_backend = airflow.api.auth.backend.default
+# How to authenticate users of the API. See
+# https://airflow.apache.org/docs/stable/security.html for possible values.
+# ("airflow.api.auth.backend.default" allows all requests for historic reasons)
+auth_backend = airflow.api.auth.backend.deny_all
 
 [lineage]
 # what lineage backend to use
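Review bot: the three comment lines duplicate the `description` text added to config.yml in the previous hunk; keep the two copies identical whenever either is edited, as default_airflow.cfg is the rendered form of config.yml. A short comment stating that `deny_all` rejects every request would also help operators who, on a fresh install, see their experimental API calls fail and go looking for the cause in this file.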
