[ 
https://issues.apache.org/jira/browse/AIRFLOW-3323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16685319#comment-16685319
 ] 

ASF GitHub Bot commented on AIRFLOW-3323:
-----------------------------------------

ashb closed pull request #4166: [AIRFLOW-3323] Support HTTP basic 
authentication for Airflow Flower
URL: https://github.com/apache/incubator-airflow/pull/4166
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/airflow/bin/cli.py b/airflow/bin/cli.py
index cfc6c6b8d6..5ddac2f886 100644
--- a/airflow/bin/cli.py
+++ b/airflow/bin/cli.py
@@ -1276,6 +1276,10 @@ def flower(args):
     if args.url_prefix:
         url_prefix = '--url-prefix=' + args.url_prefix
 
+    basic_auth = ''
+    if args.basic_auth:
+        basic_auth = '--basic_auth=' + args.basic_auth
+
     flower_conf = ''
     if args.flower_conf:
         flower_conf = '--conf=' + args.flower_conf
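Review bot: The credential string is concatenated into `--basic_auth=...` here and handed to `os.execvp` in the two later hunks of this file, so every `user:password` pair sits in the Flower process's argument list, where other local accounts can read it through the process listing. Flower also reads its options from `FLOWER_`-prefixed environment variables (worth confirming for the Flower version in use), so the value could be passed with `os.environ['FLOWER_BASIC_AUTH'] = args.basic_auth` before the exec and left out of the argv list. When the option is unset, the empty string is still appended as an argument, matching the existing `url_prefix` and `flower_conf` handling. `flower()` begins and ends outside this hunk.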
@@ -1297,7 +1301,7 @@ def flower(args):
 
         with ctx:
             os.execvp("flower", ['flower', '-b',
-                                 broka, address, port, api, flower_conf, 
url_prefix])
+                                 broka, address, port, api, flower_conf, 
url_prefix, basic_auth])
 
         stdout.close()
         stderr.close()
@@ -1306,7 +1310,7 @@ def flower(args):
         signal.signal(signal.SIGTERM, sigint_handler)
 
         os.execvp("flower", ['flower', '-b',
-                             broka, address, port, api, flower_conf, 
url_prefix])
+                             broka, address, port, api, flower_conf, 
url_prefix, basic_auth])
 
 
 @cli_utils.action_logging
@@ -1823,6 +1827,12 @@ class CLIFactory(object):
             ("-u", "--url_prefix"),
             default=conf.get('celery', 'FLOWER_URL_PREFIX'),
             help="URL prefix for Flower"),
+        'flower_basic_auth': Arg(
+            ("-ba", "--basic_auth"),
+            default=conf.get('celery', 'FLOWER_BASIC_AUTH'),
+            help=("Securing Flower with Basic Authentication. "
+                  "Accepts user:password pairs separated by a comma. "
+                  "Example: flower_basic_auth = 
user1:password1,user2:password2")),
         'task_params': Arg(
             ("-tp", "--task_params"),
             help="Sends a JSON params dict to the task"),
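Review bot: The help string for `flower_basic_auth` gives its example in config-file form (`flower_basic_auth = ...`) although it documents a command-line flag, and it does not tell the operator that a value typed on the command line is kept in shell history. I would change the last line to `"Example: --basic_auth=user1:password1,user2:password2. Prefer the [celery] flower_basic_auth config item for real credentials."`. HTTP Basic authentication sends the pair with every request, so the help text or the docs should also say that Flower needs to be served over TLS for this to protect anything. `CLIFactory` continues outside the hunk.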
@@ -2070,7 +2080,7 @@ class CLIFactory(object):
             'func': flower,
             'help': "Start a Celery Flower",
             'args': ('flower_hostname', 'flower_port', 'flower_conf', 
'flower_url_prefix',
-                     'broker_api', 'pid', 'daemon', 'stdout', 'stderr', 
'log_file'),
+                     'flower_basic_auth', 'broker_api', 'pid', 'daemon', 
'stdout', 'stderr', 'log_file'),
         }, {
             'func': version,
             'help': "Show the version",
diff --git a/airflow/config_templates/default_airflow.cfg 
b/airflow/config_templates/default_airflow.cfg
index 5c2d2e1512..4d73fdf51d 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -392,6 +392,11 @@ flower_url_prefix =
 # This defines the port that Celery Flower runs on
 flower_port = 5555
 
+# Securing Flower with Basic Authentication
+# Accepts user:password pairs separated by a comma
+# Example: flower_basic_auth = user1:password1,user2:password2
+flower_basic_auth =
+
 # Default queue that tasks get assigned to and that worker listen on.
 default_queue = default
 
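Review bot: `flower_basic_auth` holds passwords in clear text, and the added comment neither says so nor points to a safer way to supply them. I would add `# The value is a plain-text secret: keep airflow.cfg readable only by the Airflow user,` and `# or set it through the AIRFLOW__CELERY__FLOWER_BASIC_AUTH environment variable instead.` above the option. The same block is added to scripts/ci/kubernetes/kube/configmaps.yaml, where a real value would land in a ConfigMap rather than a Secret; leaving it empty there, as this commit does, is the right choice.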
diff --git a/docs/security.rst b/docs/security.rst
index c14cd1c2c3..e332221347 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -402,3 +402,22 @@ not set.
 
     [core]
     default_impersonation = airflow
+
+
+Flower Authentication
+---------------------
+
+Basic authentication for Celery Flower is supported.
+
+You can specify the details either as an optional argument in the Flower 
process launching
+command, or as a configuration item in your ``airflow.cfg``. For both cases, 
please provide
+`user:password` pairs separated by a comma.
+
+.. code-block:: bash
+
+    airflow flower --basic_auth=user1:password1,user2:password2
+
+.. code-block:: bash
+
+    [celery]
+    flower_basic_auth = user1:password1,user2:password2
diff --git a/scripts/ci/kubernetes/kube/configmaps.yaml 
b/scripts/ci/kubernetes/kube/configmaps.yaml
index ab44931e59..93a6364f86 100644
--- a/scripts/ci/kubernetes/kube/configmaps.yaml
+++ b/scripts/ci/kubernetes/kube/configmaps.yaml
@@ -253,6 +253,11 @@ data:
     # This defines the port that Celery Flower runs on
     flower_port = 5555
 
+    # Securing Flower with Basic Authentication
+    # Accepts user:password pairs separated by a comma
+    # Example: flower_basic_auth = user1:password1,user2:password2
+    flower_basic_auth =
+
     # Default queue that tasks get assigned to and that worker listen on.
     default_queue = default
 


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


> Support Basic Authentication for Flower
> ---------------------------------------
>
>                 Key: AIRFLOW-3323
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-3323
>             Project: Apache Airflow
>          Issue Type: New Feature
>          Components: celery
>    Affects Versions: 1.10.0
>            Reporter: Xiaodong DENG
>            Assignee: Xiaodong DENG
>            Priority: Critical
>             Fix For: 2.0.0
>
>
> The current `airflow flower` doesn't come with any authentication. This may 
> expose essential information in an untrusted environment.
> Currently Flower itself supports
>  * HTTP Basic Authentication
>  * Google OAuth 2.0
>  * GitHub OAuth
> Given Flower is not really the most essential component of Airflow, we don't 
> have to support all its authentication methods. But may be good to at least 
> support Basic Authentication.
>  
> This ticket adds support to Basic Authentication for `Airflow Flower`.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
