[airflow] branch master updated: Update docs about the change to default auth for experimental API (#9617)

Wed, 01 Jul 2020 15:00:18 -0700 

This is an automated email from the ASF dual-hosted git repository.

kaxilnaik pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/master by this push:
     new 7ef7f58  Update docs about the change to default auth for experimental 
API (#9617)
7ef7f58 is described below

commit 7ef7f5880dfefc6e33cb7bf331927aa08e1bb438
Author: Kaxil Naik <[email protected]>
AuthorDate: Wed Jul 1 22:59:13 2020 +0100

    Update docs about the change to default auth for experimental API (#9617)
---
 docs/security.rst | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/docs/security.rst b/docs/security.rst
index c8f6e1a..1e820d3 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -63,15 +63,27 @@ OAuth, OpenID, LDAP, REMOTE_USER. You can configure in 
``webserver_config.py``.
 API Authentication
 ------------------
 
-Authentication for the API is handled separately to the Web Authentication. 
The default is to not
-require any authentication on the API i.e. wide open by default. This is not 
recommended if your
-Airflow webserver is publicly accessible, and you should probably use the 
``deny all`` backend:
+Authentication for the API is handled separately to the Web Authentication. 
The default is to
+deny all requests:
 
 .. code-block:: ini
 
     [api]
     auth_backend = airflow.api.auth.backend.deny_all
 
+.. versionchanged:: 1.10.11
+
+    In Airflow <1.10.11, the default setting was to allow all API requests 
without authentication, but this
+    posed security risks for if the Webserver is publicly accessible.
+
+If you wish to have the experimental API work, and aware of the risks of 
enabling this without authentication
+(or if you have your own authentication layer in front of Airflow) you can set 
the following in ``airflow.cfg``:
+
+.. code-block:: ini
+
+    [api]
+    auth_backend = airflow.api.auth.backend.default
+
 Kerberos authentication is currently supported for the API.
 
 To enable Kerberos authentication, set the following in the configuration:

Reply via email to