Oh gods. Something has gone wrong - the methods are decorated with `@requires_authentication` but they... don't. Oh, because the default backend doesn't do any authentication or protection at all.
I think this is CVE-worthy - using the User+Password auth for the web front end/using default config should not leave the API unprotected. I think the default API auth backend should deny all rather than allow all?

-ash

> On 30 Oct 2017, at 08:51, Niels Zeilemaker <[email protected]> wrote:
>
> Hi All,
>
> I've implemented HTTP Basic Authentication for the experiment API, see
> https://github.com/apache/incubator-airflow/pull/2730. This seems to work
> fine.
> However, while implementing this, I noticed, to my surprise, that the
> experimental API was open even though we enabled Password authentication for
> the web-interface.
> This seems like a bug to me, as one would expect that the experimental API
> would use the same auth backend as the web-interface.
>
> Why did Airflow choose to split the authentication for the web-interface and
> experimental API?
> And if it's not possible to combine those, is it possible to lock down the
> experimental API if one chooses a non-default web-interface auth backend?
>
> Niels
>
> PS: with an unsecured experimental API it is possible to trigger DAGs, list
> pools, delete pools, etc.

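The failure mode discussed in this thread, shown as an added example (this is illustrative code written for this page, not Airflow's own auth backend or API code): a privileged endpoint is decorated with a pluggable `requires_authentication`, but whether the decorator protects anything depends entirely on which backend is configured. With an allow-all backend the decorator is a pass-through and the endpoint is open; a deny-all default closes it until an operator picks a real backend; an HTTP Basic backend checks credentials. The `Request` class, the `Unauthorized` exception (standing in for an HTTP 401/403 response), the `USERS` store and the `admin`/`s3cret` credentials are all constructed for the example.

```python
"""Pluggable API auth backends: allow-all (open), deny-all (safe default),
and HTTP Basic. Example code written for this page, not Airflow's."""
import base64
import binascii
import hmac
from functools import wraps


class Request:
    """Constructed stand-in for a web request; only the headers matter here."""
    def __init__(self, headers=None):
        self.headers = headers or {}


class Unauthorized(Exception):
    """Raised where a real backend would return an HTTP 401/403 response."""


# --- Backends: each exposes a requires_authentication decorator. -------------

def allow_all_requires_authentication(func):
    """Allow-all backend: pure pass-through, so the decorator protects nothing."""
    @wraps(func)
    def decorated(request, *args, **kwargs):
        return func(request, *args, **kwargs)
    return decorated


def deny_all_requires_authentication(func):
    """Deny-all backend: rejects every call until a real backend is configured."""
    @wraps(func)
    def decorated(request, *args, **kwargs):
        raise Unauthorized("API auth backend is deny-all; configure a backend")
    return decorated


USERS = {"admin": "s3cret"}  # constructed credential store for the example


def basic_auth_requires_authentication(func):
    """HTTP Basic backend: validates 'Authorization: Basic <b64(user:pass)>'."""
    @wraps(func)
    def decorated(request, *args, **kwargs):
        scheme, _, token = request.headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic" or not token:
            raise Unauthorized("missing or malformed Authorization header")
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            raise Unauthorized("malformed Basic credentials")
        user, _, password = decoded.partition(":")
        # Constant-time compare; compare against "" for unknown users so the
        # timing does not reveal whether the user exists, then reject them.
        expected = USERS.get(user, "")
        if not (hmac.compare_digest(password.encode(), expected.encode())
                and user in USERS):
            raise Unauthorized("bad credentials")
        return func(request, *args, **kwargs)
    return decorated


BACKENDS = {
    "allow_all": allow_all_requires_authentication,
    "deny_all": deny_all_requires_authentication,
    "basic_auth": basic_auth_requires_authentication,
}


def build_api(auth_backend):
    """Wire a privileged endpoint to the selected backend (as a config key would)."""
    requires_authentication = BACKENDS[auth_backend]
    triggered = []

    @requires_authentication
    def trigger_dag(request, dag_id):
        triggered.append(dag_id)  # the side effect an open API exposes
        return {"message": "Created dag run for %s" % dag_id}

    return trigger_dag, triggered


def basic_header(user, password):
    """Build the request headers an HTTP Basic client would send."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return {"Authorization": "Basic " + token}


def probe(auth_backend, headers=None):
    """True if triggering a DAG with these headers succeeds under the backend."""
    trigger_dag, _ = build_api(auth_backend)
    try:
        trigger_dag(Request(headers), "example_dag")
        return True
    except Unauthorized:
        return False


if __name__ == "__main__":
    for name in BACKENDS:
        print("%-10s unauthenticated trigger succeeds: %s" % (name, probe(name)))
    print("basic_auth with credentials: %s"
          % probe("basic_auth", basic_header("admin", "s3cret")))
```

The point of `probe("allow_all")` returning `True` with no `Authorization` header at all is the bug Niels ran into: the decorator is present on the view, but the backend behind it accepts everything. Changing the default wiring to the deny-all backend makes the same unauthenticated call fail, and a misconfigured or missing backend setting then fails closed rather than open.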