[
https://issues.apache.org/jira/browse/AIRFLOW-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16234151#comment-16234151
]
ASF subversion and git services commented on AIRFLOW-1765:
----------------------------------------------------------
Commit 0e27e1b209e77f22e79e00c2f2e3ab542195405c in incubator-airflow's branch
refs/heads/master from [~ashb]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=0e27e1b ]
[AIRFLOW-1765] Make experimental API securable without needing Kerberos.
Previously the experimental API was either wide-
open only (allow any
request) or secured behind Kerberos. This adds a
third option of
deny-all.
Closes #2737 from ashb/exp-api-securable
> Default API auth backed should deny all.
> ----------------------------------------
>
> Key: AIRFLOW-1765
> URL: https://issues.apache.org/jira/browse/AIRFLOW-1765
> Project: Apache Airflow
> Issue Type: Improvement
> Components: api, authentication
> Affects Versions: 1.8.2
> Reporter: Ash Berlin-Taylor
> Priority: Major
> Labels: security
> Fix For: 1.9.0
>
>
> It has been discovered that the experimental API in the default configuration
> is not protected behind any authentication.
> This means that out of the box the Airflow webserver's /api/experimental/ can
> be requested by anyone, meaning pools can be updated/deleted and task
> instance variables can be read.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
