Ash Berlin-Taylor created AIRFLOW-1765:
------------------------------------------
Summary: Default API auth backed should deny all.
Key: AIRFLOW-1765
URL: https://issues.apache.org/jira/browse/AIRFLOW-1765
Project: Apache Airflow
Issue Type: Bug
Components: api, authentication
Affects Versions: 1.8.2
Reporter: Ash Berlin-Taylor
Priority: Critical
Fix For: 1.9.0
It has been discovered that the experimental API in the default configuration
is not protected behind any authentication.
This means that out of the box the Airflow webserver's /api/experimental/ can
be requested by anyone, meaning pools can be updated/deleted and task instance
variables can be read.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
