XD-DENG commented on a change in pull request #4166: [AIRFLOW-3323] Support
HTTP basic authentication for Airflow Flower
URL: https://github.com/apache/incubator-airflow/pull/4166#discussion_r232996615
##########
File path: docs/security.rst
##########
@@ -402,3 +402,22 @@ not set.
[core]
default_impersonation = airflow
+
+
+Flower Authentication
+---------------------
+
+Basic authentication for Celery Flower is supported.
+
+You can specify the details either as an optional argument in the Flower
process launching
+command, or as a configuration item in your ``airflow.cfg``. For both cases,
please provide
+`user:password` pairs separated by a comma.
+
+.. code-block:: bash
+
+ airflow flower --basic_auth=user1:password1,user2:password2
Review comment:
Nice point! It’s raw password though.
The reason I would like to use to “argue” is that this is how Flower itself
works (please refer to Flower doc
https://flower.readthedocs.io/en/latest/auth.html).
No matter if we’re running Flower for Airflow or other Celery project, as
long as we’re using this http basic authentication, everything will be exposed
in ps output.
I think we are assuming that nobody except Admin or Op should have access to
the server or pod running Flower process, then ps output is also somehow safe.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
