[
https://issues.apache.org/jira/browse/AIRFLOW-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16234152#comment-16234152
]
ASF subversion and git services commented on AIRFLOW-1765:
----------------------------------------------------------
Commit 6ecdac701c336da69cccfee2016e9a4f6e90558c in incubator-airflow's branch
refs/heads/v1-9-test from [~ashb]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=6ecdac7 ]
[AIRFLOW-1765] Make experimental API securable without needing Kerberos.
Previously the experimental API was either wide-
open only (allow any
request) or secured behind Kerberos. This adds a
third option of
deny-all.
Closes #2737 from ashb/exp-api-securable
(cherry picked from commit 0e27e1b209e77f22e79e00c2f2e3ab542195405c)
Signed-off-by: Bolke de Bruin <[email protected]>
> Default API auth backed should deny all.
> ----------------------------------------
>
> Key: AIRFLOW-1765
> URL: https://issues.apache.org/jira/browse/AIRFLOW-1765
> Project: Apache Airflow
> Issue Type: Improvement
> Components: api, authentication
> Affects Versions: 1.8.2
> Reporter: Ash Berlin-Taylor
> Priority: Major
> Labels: security
> Fix For: 1.9.0
>
>
> It has been discovered that the experimental API in the default configuration
> is not protected behind any authentication.
> This means that out of the box the Airflow webserver's /api/experimental/ can
> be requested by anyone, meaning pools can be updated/deleted and task
> instance variables can be read.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
