Victor created AIRFLOW-3095:
-------------------------------
Summary: Password Auth fails to forbid access when it should
Key: AIRFLOW-3095
URL: https://issues.apache.org/jira/browse/AIRFLOW-3095
Project: Apache Airflow
Issue Type: Bug
Components: authentication
Affects Versions: 1.10.0
Reporter: Victor
Hi,
I encountered the following very strange situation that looks like a big
security bug:
* I started a new instance of airflow with a database (using the puckel docker
image for the record) and with the airflow.contrib.auth.backends.password_auth
backend.
* I created a user on it by following
[https://airflow.apache.org/security.html#password]
* I connected to the instance with my browser and I was asked to login
* I logged on the airflow instance, played with it a bit,
* I destroyed the instance as well as its database
* I created a new instance, still with the
airflow.contrib.auth.backends.password_auth backend.
* I connected to the instance with my browser and I was NOT asked to login
even though there was no user created on it!
I think something is missing and the cookie of the browser (or whatever) is
reused and trusted as if it was enough to authenticate the user.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
