Repository: incubator-airflow Updated Branches: refs/heads/master ebe715c56 -> 21e94c7d1
[AIRFLOW-1697] Mode to disable charts endpoint Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/21e94c7d Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/21e94c7d Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/21e94c7d Branch: refs/heads/master Commit: 21e94c7d1594c5e0806d9e1ae1205a41bf98b5d3 Parents: ebe715c Author: Dan Davydov <[email protected]> Authored: Mon Oct 9 14:46:38 2017 -0700 Committer: Dan Davydov <[email protected]> Committed: Tue Oct 10 11:33:50 2017 -0700 ---------------------------------------------------------------------- UPDATING.md | 2 ++ airflow/config_templates/default_airflow.cfg | 4 ++++ airflow/www/app.py | 7 +++++-- airflow/www/views.py | 9 ++++++++- scripts/ci/airflow_travis.cfg | 1 + 5 files changed, 20 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/21e94c7d/UPDATING.md ---------------------------------------------------------------------- diff --git a/UPDATING.md b/UPDATING.md index 6a0b8bc..ebcb5cd 100644 --- a/UPDATING.md +++ b/UPDATING.md 
@@ -270,6 +270,8 @@ supported and will be removed entirely in Airflow 2.0 Previously, `Operator.__init__()` accepted any arguments (either positional `*args` or keyword `**kwargs`) without complaint. Now, invalid arguments will be rejected. (https://github.com/apache/incubator-airflow/pull/1285) +- The config value secure_mode will default to True which will disable some insecure endpoints/features + ### Known Issues There is a report that the default of "-1" for num_runs creates an issue where errors are reported while parsing tasks. It was not confirmed, but a workaround was found by changing the default back to `None`. http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/21e94c7d/airflow/config_templates/default_airflow.cfg ---------------------------------------------------------------------- diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg index b051583..dee6dc7 100644 --- a/airflow/config_templates/default_airflow.cfg +++ b/airflow/config_templates/default_airflow.cfg @@ -117,6 +117,10 @@ default_impersonation = # What security module to use (for example kerberos): security = +# If set to False enables some unsecure features like Charts. In 2.0 will +# default to True. +secure_mode = False + # Turn unit test mode on (overwrites many configuration options with test # values at runtime) unit_test_mode = False http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/21e94c7d/airflow/www/app.py ---------------------------------------------------------------------- diff --git a/airflow/www/app.py b/airflow/www/app.py index bbb9410..dfdc04c 100644 --- a/airflow/www/app.py +++ b/airflow/www/app.py @@ -22,6 +22,7 @@ from flask_wtf.csrf import CSRFProtect csrf = CSRFProtect() import airflow +from airflow import configuration as conf from airflow import models, LoggingMixin from airflow.settings import Session 
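Review bot: The template in `default_airflow.cfg` ships `secure_mode = False`, so a fresh install keeps the Charts feature enabled unless the operator opts in. The UPDATING.md entry in this same commit reads as if the secure default already applies. The option's comment should state which value is the hardened one and when the default changes, for example `# Set to True to disable features considered insecure (currently Charts). Defaults to False for backward compatibility; will default to True in 2.0.` This wording also replaces "unsecure" with "insecure". UPDATING.md should say explicitly that the default becomes True only in 2.0, so nobody assumes they are protected after upgrading.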
@@ -69,8 +70,10 @@ def create_app(config=None, testing=False): av(vs.Airflow(name='DAGs', category='DAGs')) av(vs.QueryView(name='Ad Hoc Query', category="Data Profiling")) - av(vs.ChartModelView( - models.Chart, Session, name="Charts", category="Data Profiling")) + + if not conf.getboolean('core', 'secure_mode'): + av(vs.ChartModelView( + models.Chart, Session, name="Charts", category="Data Profiling")) av(vs.KnownEventView( models.KnownEvent, Session, name="Known Events", category="Data Profiling")) http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/21e94c7d/airflow/www/views.py ---------------------------------------------------------------------- diff --git a/airflow/www/views.py b/airflow/www/views.py index ad27238..bc63b5b 100644 --- a/airflow/www/views.py +++ b/airflow/www/views.py @@ -37,7 +37,8 @@ import sqlalchemy as sqla from sqlalchemy import or_, desc, and_, union_all from flask import ( - redirect, url_for, request, Markup, Response, current_app, render_template, make_response) + abort, redirect, url_for, request, Markup, Response, current_app, render_template, + make_response) from flask_admin import BaseView, expose, AdminIndexView from flask_admin.contrib.sqla import ModelView from flask_admin.actions import action @@ -299,6 +300,9 @@ class Airflow(BaseView): def chart_data(self): from airflow import macros import pandas as pd + if conf.getboolean('core', 'secure_mode'): + abort(404) + session = settings.Session() chart_id = request.args.get('chart_id') csv = request.args.get('csv') == "true" @@ -437,6 +441,9 @@ class Airflow(BaseView): @expose('/chart') @data_profiling_required def chart(self): + if conf.getboolean('core', 'secure_mode'): + abort(404) + session = settings.Session() chart_id = request.args.get('chart_id') embed = request.args.get('embed') http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/21e94c7d/scripts/ci/airflow_travis.cfg ---------------------------------------------------------------------- 
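Review bot: Only `ChartModelView` is skipped under `secure_mode` in `create_app`; the `QueryView` ("Ad Hoc Query") registered on the context line just above stays available. Judging by its name it also lets users run their own SQL, so it is worth confirming whether it belongs behind the same flag. The flag is read once while the app is built, so a config change only takes effect after a webserver restart. A comment such as `# Charts are registered only when core.secure_mode is off; evaluated once at app creation` would make that visible. The body of `create_app` continues outside the hunk.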
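Review bot: The `secure_mode` guard is pasted into `chart_data` here and again into `chart` in the following hunk of `airflow/www/views.py`, so any chart-related route added later must remember to repeat it or it will stay reachable in secure mode. A small decorator stacked under `@data_profiling_required` keeps the check in one place and preserves the current order, with the access check first and the 404 second. In `chart_data` it would also run before the function-level `import pandas as pd` rather than after it. Both handlers start and end outside their hunks, and the decorators on `chart_data` are not visible here.

```python
def disabled_in_secure_mode(f):
    """Answer 404 for the wrapped view while core.secure_mode is on."""
    @functools.wraps(f)  # assumes functools is already importable in views.py
    def wrapper(*args, **kwargs):
        if conf.getboolean('core', 'secure_mode'):
            abort(404)
        return f(*args, **kwargs)
    return wrapper

# ... unchanged: other Airflow view methods ...

    @expose('/chart')
    @data_profiling_required
    @disabled_in_secure_mode
    def chart(self):
        # ... unchanged: session and chart lookup ...
```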
diff --git a/scripts/ci/airflow_travis.cfg b/scripts/ci/airflow_travis.cfg
index 6827138..6a8db93 100644
--- a/scripts/ci/airflow_travis.cfg
+++ b/scripts/ci/airflow_travis.cfg
@@ -23,6 +23,7 @@ donot_pickle = False
 dag_concurrency = 16
 dags_are_paused_at_creation = False
 default_impersonation =
+secure_mode = False
 fernet_key = af7CN0q6ag5U3g08IsPsw3K45U7Xa0axgVFhoh-3zB8=
 [webserver]
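Review bot: CI pins `secure_mode = False` in `airflow_travis.cfg`, so the suite only ever runs with Charts enabled. The new `abort(404)` branches in `chart` and `chart_data`, and the skipped `ChartModelView` registration, are therefore never exercised. The diffstat shows no test file in this commit. A test that builds the app with `secure_mode` set to True and asserts a 404 on `/chart` and `/chart_data` would guard against the hardened path regressing. A comment on the new line, such as `# keep Charts enabled so the existing chart view tests still run`, would record why CI uses the insecure value.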
