Hi All,

I've implemented HTTP Basic Authentication for the experimental API, see https://github.com/apache/incubator-airflow/pull/2730. This seems to work fine. However, while implementing this, I noticed, to my surprise, that the experimental API was open even though we enabled Password authentication for the web-interface. This seems like a bug to me, as one would expect that the experimental API would use the same auth backend as the web-interface.
Why did Airflow choose to split the authentication for the web-interface and experimental API? And if it's not possible to combine those, is it possible to lock down the experimental API if one chooses a non-default web-interface auth backend?

Niels

PS: With an unsecured experimental API it is possible to trigger DAGs, list pools, delete pools, etc.
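A configuration audit for the mismatch described in the message above, as an added example that is not part of the original e-mail or of the Airflow code base. It assumes the Airflow 1.x `airflow.cfg` layout (`[webserver] authenticate` / `auth_backend`, `[api] auth_backend`) and that a missing `[api] auth_backend` falls back to the open default backend; the function name and sample configs are constructed for illustration.

```python
import configparser

# Assumption: setting names follow the Airflow 1.x airflow.cfg layout.
OPEN_API_BACKEND = "airflow.api.auth.backend.default"  # accepts every request

# Constructed sample configs (not taken from a real deployment).
SAMPLE_MISMATCH = """
[webserver]
authenticate = True
auth_backend = airflow.contrib.auth.backends.password_auth

[api]
auth_backend = airflow.api.auth.backend.default
"""
# Same config with the API backend switched to one that rejects all requests
# (assumed to be available in the installed release).
SAMPLE_LOCKED = SAMPLE_MISMATCH.replace(
    OPEN_API_BACKEND, "airflow.api.auth.backend.deny_all")


def audit_airflow_cfg(cfg_text):
    """Return findings about web UI vs. experimental API authentication."""
    # interpolation=None: airflow.cfg values may contain literal '%' characters.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)

    web_auth = cfg.getboolean("webserver", "authenticate", fallback=False)
    web_backend = cfg.get("webserver", "auth_backend", fallback="(none)")
    # Assumption: an absent [api] auth_backend means the open default is used.
    api_backend = cfg.get("api", "auth_backend",
                          fallback=OPEN_API_BACKEND).strip()

    findings = []
    if api_backend == OPEN_API_BACKEND:
        if web_auth:
            findings.append(
                "MISMATCH: web UI requires login via %s, but the "
                "experimental API accepts unauthenticated requests"
                % web_backend)
        else:
            findings.append(
                "OPEN: neither web UI nor experimental API requires auth")
    return findings


if __name__ == "__main__":
    for name, text in (("mismatch", SAMPLE_MISMATCH), ("locked", SAMPLE_LOCKED)):
        print(name, audit_airflow_cfg(text) or "no findings")
```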
