There needs to be a way to disable the banner IMO On Thu, Mar 27, 2025 at 10:20 AM Kaxil Naik <kaxiln...@gmail.com> wrote:
> message cut: > > I am fine with Option (1) given the current time constraints and since it > is for dev only and can be iterated in follow-up releases > > > On Thu, 27 Mar 2025 at 22:47, Kaxil Naik <kaxiln...@gmail.com> wrote: > > > I am fine with Option (1) imo > > > > On Thu, 27 Mar 2025 at 22:05, Vincent Beck <vincb...@apache.org> wrote: > > > >> Following back on that thread (I should probably have called it out > >> during the Airflow 3 dev call). We have two options: > >> - Option 1: update the banner with a friendlier message > >> - Option 2: resolve the security issue to make SAM production > compatible > >> and remove the banner > >> > >> Any preference on which option we should go with? > >> > >> On 2025/03/24 16:52:11 "Oliveira, Niko" wrote: > >> > Agreed, I think combining the two will make SAM not so simple. But we > >> should definitely have an open source, easy to acquire option for > people to > >> use that has all the bells and whistles that SAM does not have. And > >> KeyCloack is a decent option for this! > >> > > >> > ________________________________ > >> > From: Vincent Beck <vincb...@apache.org> > >> > Sent: Monday, March 24, 2025 6:04:42 AM > >> > To: dev@airflow.apache.org > >> > Subject: RE: [EXT] [DISCUSS] confusing alert re SimpleAuthManager > >> > > >> > CAUTION: This email originated from outside of the organization. Do > not > >> click links or open attachments unless you can confirm the sender and > know > >> the content is safe. > >> > > >> > > >> > > >> > AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur > >> externe. Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si > vous > >> ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas > >> certain que le contenu ne présente aucun risque. > >> > > >> > > >> > > >> > I do not think integrating KeyCloak with SAM is a great idea. Having a > >> separate auth manager specific to KeyCloak is, on the other side, a good > >> idea. We should keep SAM simple as it is. I also do not think making it > >> secure require a lot of work so I do not think it is worth having a > >> development and production mode. > >> > > >> > On 2025/03/21 21:52:13 Buğra Öztürk wrote: > >> > > Giving users a warning sounds good. > >> > > I agree with Pierre, too. How about defining the rules set to be > >> secure by > >> > > design? Or just following up on a pattern without discovering > >> something > >> > > new? Could you please elaborate on Jarek? > >> > > > >> > > *TLDR* > >> > > It may be a slight implementation detail and just a thought, but we > >> could > >> > > integrate Keycloak into the SAM, providing development and > production > >> modes > >> > > with configurations such as breeze dev and installation prod. I > >> believe > >> > > that instead of maintaining an application to always be secure by > >> default, > >> > > we can focus on maintaining integration within SAM. > >> > > > >> > > On Fri, Mar 21, 2025 at 7:28 PM Vincent Beck <vincb...@apache.org> > >> wrote: > >> > > > >> > > > We could simply stop printing out these passwords. Passwords are > >> auto > >> > > > generated if not already defined in a file configured in `[core] > >> > > > simple_auth_manager_passwords_file`. So the user can see these > >> passwords by > >> > > > opening this file. We could (if it is not considered as > unsecured?) > >> print > >> > > > out the filename in the stdout so that the user can click on it > and > >> see the > >> > > > passwords only if some passwords changed. > >> > > > > >> > > > On 2025/03/21 18:03:19 Jarek Potiuk wrote: > >> > > > > Well.. Actually Pierre is quite right. While we have not > intended > >> Simple > >> > > > > Auth Manager for production it **could** be used. > >> > > > > > >> > > > > However we would have to carefully think what to do with default > >> > > > passwords > >> > > > > etc. Currently a lot of warnings in CodeQL were about "writing > >> sensitive > >> > > > > information to logs" - and a lot of that is about SAM (nice > >> acronym BTW) > >> > > > > writing the generated passwords to logs and stdout. And I > >> dismissed it as > >> > > > > "Used in tests" for SAM cases. > >> > > > > > >> > > > > So if we decide to use it, we need to decide how to deal with > the > >> > > > password > >> > > > > generation and default users. We should follow (and this in the > >> future > >> > > > will > >> > > > > be even mandated by various regulations like CRA) is "secure by > >> default". > >> > > > > Which means that default installation MUST be secure. Once we > >> solve > >> > > > this, I > >> > > > > am fine with using SAM in production > >> > > > > > >> > > > > J. > >> > > > > > >> > > > > > >> > > > > On Fri, Mar 21, 2025 at 6:27 PM Pierre Jeambrun < > >> pierrejb...@gmail.com> > >> > > > > wrote: > >> > > > > > >> > > > > > Is it really wrong to use the SimpleAuthManager in production > ? > >> To my > >> > > > > > knowledge it lacks a lot of features such as user management > >> and the > >> > > > > > permission model is really simplistic, but maybe some > >> installations > >> > > > don’t > >> > > > > > need the fancy Auth stuff ? > >> > > > > > > >> > > > > > Instead of being a scary warning that could be just an info > >> block, with > >> > > > > > details and mention of other Auth Manager in case more use > >> cases need > >> > > > to be > >> > > > > > supported. (Or link to doc etc) > >> > > > > > > >> > > > > > Also we can easily add a “don’t show again” box or something > >> like that, > >> > > > > > stored on the client side and remove the message if chosen by > >> the > >> > > > user. (Or > >> > > > > > even a global config setting for all users). > >> > > > > > > >> > > > > > On Fri 21 Mar 2025 at 16:03, Vincent Beck < > vincb...@apache.org> > >> wrote: > >> > > > > > > >> > > > > > > This alert can be definitely improved. I do think we should > >> have it > >> > > > and > >> > > > > > we > >> > > > > > > should not remove it. If you have some proposals, please > feel > >> free to > >> > > > > > > create a PR, I'll be happy to review. Mentioning the other > >> auth > >> > > > managers > >> > > > > > as > >> > > > > > > alternatives is, I think, a great idea. > >> > > > > > > > >> > > > > > > On 2025/03/21 07:20:26 Amogh Desai wrote: > >> > > > > > > > Hmmm, I wonder if it can instead be made clearer. > Something > >> like > >> > > > this? > >> > > > > > > > > >> > > > > > > > *Simple Auth Manager Enabled.* > >> > > > > > > > *The Simple Auth Manager is intended for development and > >> testing. > >> > > > If > >> > > > > > > you're > >> > > > > > > > using it in production, ensure that access is controlled > >> through > >> > > > other > >> > > > > > > > means. * > >> > > > > > > > *<link some doc>* > >> > > > > > > > > >> > > > > > > > Thanks & Regards, > >> > > > > > > > Amogh Desai > >> > > > > > > > > >> > > > > > > > > >> > > > > > > > On Thu, Mar 20, 2025 at 11:58 PM Daniel Standish > >> > > > > > > > <daniel.stand...@astronomer.io.invalid> wrote: > >> > > > > > > > > >> > > > > > > > > I'm saying, sounds confusing! > >> > > > > > > > > > >> > > > > > > > > On Thu, Mar 20, 2025 at 11:27 AM < > consta...@astronomer.io > >> > > > .invalid> > >> > > > > > > wrote: > >> > > > > > > > > > >> > > > > > > > > > Sounds great! Do we have something in the config > linter > >> to > >> > > > > > highlight > >> > > > > > > this > >> > > > > > > > > > change? > >> > > > > > > > > > > >> > > > > > > > > > > On Mar 20, 2025, at 11:19 PM, Daniel Standish > >> > > > > > > > > > <daniel.stand...@astronomer.io.invalid> wrote: > >> > > > > > > > > > > > >> > > > > > > > > > > It says this: > >> > > > > > > > > > > > >> > > > > > > > > > > Development-only auth manager configured > >> > > > > > > > > > > The auth manager configured in your environment is > >> the Simple > >> > > > > > Auth > >> > > > > > > > > > Manager, > >> > > > > > > > > > > which is intended for development use only. It is > not > >> > > > suitable > >> > > > > > for > >> > > > > > > > > > > production and should not be used in a production > >> > > > environment. > >> > > > > > > > > > > > >> > > > > > > > > > >> On Thu, Mar 20, 2025 at 10:48 AM Jarek Potiuk < > >> > > > ja...@potiuk.com > >> > > > > > > > >> > > > > > > > > wrote: > >> > > > > > > > > > >> > >> > > > > > > > > > >> What's the alert - at least for me it did not get > >> through > >> > > > > > > > > > >> > >> > > > > > > > > > >> On Thu, Mar 20, 2025 at 6:33 PM Daniel Standish > >> > > > > > > > > > >> <daniel.stand...@astronomer.io.invalid> wrote: > >> > > > > > > > > > >> > >> > > > > > > > > > >>> I should add, the import here is, many users who > >> never > >> > > > > > customized > >> > > > > > > > > auth > >> > > > > > > > > > >>> before will now see this message and not really > >> have a clue > >> > > > > > what > >> > > > > > > they > >> > > > > > > > > > are > >> > > > > > > > > > >>> supposed to do, and I think it will probably > create > >> a good > >> > > > > > > amount of > >> > > > > > > > > > >>> confusion. > >> > > > > > > > > > >>> > >> > > > > > > > > > >>> On Thu, Mar 20, 2025 at 10:27 AM Daniel Standish < > >> > > > > > > > > > >>> daniel.stand...@astronomer.io> wrote: > >> > > > > > > > > > >>> > >> > > > > > > > > > >>>> I just saw this when spinning up airflow > >> > > > > > > > > > >>>> > >> > > > > > > > > > >>>> [image: image.png] > >> > > > > > > > > > >>>> > >> > > > > > > > > > >>>> I think the message is confusing / misleading / > >> not very > >> > > > > > > helpful. > >> > > > > > > > > > >>>> > >> > > > > > > > > > >>>> There's nothing necessarily wrong with having > >> simple auth > >> > > > or > >> > > > > > no > >> > > > > > > auth > >> > > > > > > > > > if > >> > > > > > > > > > >>>> you control access some other way. Moreover we > >> don't tell > >> > > > > > users > >> > > > > > > > > what > >> > > > > > > > > > >> they > >> > > > > > > > > > >>>> should do instead! > >> > > > > > > > > > >>>> > >> > > > > > > > > > >>>> So I think we should either remove this bubble or > >> add more > >> > > > > > > nuance > >> > > > > > > > > and > >> > > > > > > > > > >>>> point them in a direction that will lead them to > >> what we > >> > > > *do* > >> > > > > > > > > > recommend. > >> > > > > > > > > > >>>> > >> > > > > > > > > > >>>> > >> > > > > > > > > > >> > >> > > > > > > > > > > >> > > > > > > > > > > >> > > > > > > >> --------------------------------------------------------------------- > >> > > > > > > > > > To unsubscribe, e-mail: > >> dev-unsubscr...@airflow.apache.org > >> > > > > > > > > > For additional commands, e-mail: > >> dev-h...@airflow.apache.org > >> > > > > > > > > > > >> > > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > >> > > > > > > > >> > > > > > > > >> --------------------------------------------------------------------- > >> > > > > > > To unsubscribe, e-mail: dev-unsubscr...@airflow.apache.org > >> > > > > > > For additional commands, e-mail: > dev-h...@airflow.apache.org > >> > > > > > > > >> > > > > > > > >> > > > > > > >> > > > > > >> > > > > >> > > > > >> --------------------------------------------------------------------- > >> > > > To unsubscribe, e-mail: dev-unsubscr...@airflow.apache.org > >> > > > For additional commands, e-mail: dev-h...@airflow.apache.org > >> > > > > >> > > > > >> > > > >> > > -- > >> > > Bugra Ozturk > >> > > > >> > > >> > --------------------------------------------------------------------- > >> > To unsubscribe, e-mail: dev-unsubscr...@airflow.apache.org > >> > For additional commands, e-mail: dev-h...@airflow.apache.org > >> > > >> > > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: dev-unsubscr...@airflow.apache.org > >> For additional commands, e-mail: dev-h...@airflow.apache.org > >> > >> >
