This is an automated email from the ASF dual-hosted git repository.

kaxilnaik pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit efe86e55f6af52f0eb0457625d7b92193b88a296
Author: Kaxil Naik <kaxiln...@gmail.com>
AuthorDate: Wed Jul 1 22:59:13 2020 +0100

    Update docs about the change to default auth for experimental API (#9617)
    
    (cherry picked from commit 7ef7f5880dfefc6e33cb7bf331927aa08e1bb438)
---
 docs/security.rst | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/docs/security.rst b/docs/security.rst
index 863a454..3817c7f 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -159,15 +159,27 @@ only the dags which it is owner of, unless it is a 
superuser.
 API Authentication
 ------------------
 
-Authentication for the API is handled separately to the Web Authentication. 
The default is to not
-require any authentication on the API i.e. wide open by default. This is not 
recommended if your
-Airflow webserver is publicly accessible, and you should probably use the 
``deny all`` backend:
+Authentication for the API is handled separately to the Web Authentication. 
The default is to
+deny all requests:
 
 .. code-block:: ini
 
     [api]
     auth_backend = airflow.api.auth.backend.deny_all
 
+.. versionchanged:: 1.10.11
+
+    In Airflow <1.10.11, the default setting was to allow all API requests 
without authentication, but this
+    posed security risks for if the Webserver is publicly accessible.
+
+If you wish to have the experimental API work, and aware of the risks of 
enabling this without authentication
+(or if you have your own authentication layer in front of Airflow) you can set 
the following in ``airflow.cfg``:
+
+.. code-block:: ini
+
+    [api]
+    auth_backend = airflow.api.auth.backend.default
+
 Two "real" methods for authentication are currently supported for the API.
 
 To enabled Password authentication, set the following in the configuration:
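Review bot: In the added ``versionchanged`` note, "posed security risks for if the Webserver is publicly accessible" is ungrammatical, and the paragraph after it is missing a verb in "and aware of the risks". Suggest "posed security risks if the Webserver is publicly accessible" and "and are aware of the risks". The paragraph introducing ``airflow.api.auth.backend.default`` should also state outright that this backend accepts requests without authentication. The name "default" no longer matches the default described a few lines earlier (deny all), so a reader skimming the config block could take it for the safe setting. The trailing context line "To enabled Password authentication" carries an existing typo ("enabled" for "enable") that could be fixed in the same pass.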
