Is this experimental API available by default, or does it need a configuration?
On Mon, Oct 30, 2017 at 11:42 AM, Ash Berlin-Taylor < [email protected]> wrote:

> Oh gods.
>
> Something has gone wrong - the methods are decorated with `@requires_authentication` but they... don't. Oh, because the default backend doesn't do any authentication or protection at all.
>
> I think this is CVE-worthy - using the User+Password auth for the web front end/using default config should not leave the API unprotected. I think the default API auth backend should deny all rather than allow all?
>
> -ash
>
>
> On 30 Oct 2017, at 08:51, Niels Zeilemaker < [email protected]> wrote:
> >
> > Hi All,
> >
> > I've implemented HTTP Basic Authentication for the experimental API, see https://github.com/apache/incubator-airflow/pull/2730. This seems to work fine.
> > However, while implementing this, I noticed, to my surprise, that the experimental API was open even though we enabled Password authentication for the web-interface.
> > This seems like a bug to me, as one would expect that the experimental API would use the same auth backend as the web-interface.
> >
> > Why did Airflow choose to split the authentication for the web-interface and experimental API?
> > And if it's not possible to combine those, is it possible to lock down the experimental API if one chooses a non-default web-interface auth backend?
> >
> > Niels
> >
> > PS: with an unsecured experimental API it is possible to trigger DAGs, list pools, delete pools, etc.
> >
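The failure mode Ash describes above (a `requires_authentication` decorator that delegates to a pluggable backend whose default is allow-all, so the decorator is a no-op unless someone changes the config) is easy to reproduce in a few lines. The following is an added example written for this thread, not Airflow's own code: the `Request`, `Unauthorized`, backend and endpoint names are assumptions for illustration, the user table is a constructed sample, and the HTTP Basic backend is a minimal stand-in for the kind of check the linked PR adds. It shows the same two endpoints behind the allow-all default, a deny-all default, and Basic auth.

```python
"""Added example (not Airflow code): why a pluggable API auth backend must deny by default.

API view functions are wrapped in `requires_authentication`, which is whatever the
configured backend provides. With an allow-all backend the wrapper returns the view
untouched, so enabling password auth for the web UI alone does nothing for the API.
All names below are hypothetical and chosen for illustration.
"""
import base64
import hmac


class Request:
    """Minimal stand-in for an HTTP request: only headers matter here."""

    def __init__(self, headers=None):
        self.headers = headers or {}


class Unauthorized(Exception):
    """Raised by a backend to reject a request (would map to HTTP 401)."""


# --- backends: each exposes requires_authentication(view) -> wrapped view ---

def allow_all(view):
    """The dangerous default: the decorator is applied but checks nothing."""
    return view


def deny_all(view):
    """Safe default: nothing gets through until an operator picks a real backend."""
    def wrapper(request, *args, **kwargs):
        raise Unauthorized("no API auth backend configured")
    return wrapper


# Constructed sample credential store for the demo, not a real credential.
USERS = {"niels": "s3cret"}


def http_basic(view):
    """HTTP Basic backend: requires a valid Authorization: Basic header."""
    def wrapper(request, *args, **kwargs):
        header = request.headers.get("Authorization", "")
        scheme, _, token = header.partition(" ")
        if scheme.lower() != "basic" or not token:
            raise Unauthorized("missing Basic credentials")
        try:
            decoded = base64.b64decode(token, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            raise Unauthorized("malformed Basic credentials") from None
        user, _, password = decoded.partition(":")
        # Always run compare_digest, even for unknown users, so the password
        # comparison itself does not short-circuit on user existence.
        expected = USERS.get(user, "")
        ok = hmac.compare_digest(password.encode(), expected.encode()) and user in USERS
        if not ok:
            raise Unauthorized("bad credentials")
        return view(request, *args, **kwargs)
    return wrapper


BACKENDS = {"allow_all": allow_all, "deny_all": deny_all, "basic": http_basic}


def build_api(backend_name):
    """Return {endpoint: callable} with the chosen backend applied, mirroring
    how a single config value selects the decorator for every API view."""
    requires_authentication = BACKENDS[backend_name]

    @requires_authentication
    def trigger_dag(request, dag_id):
        return {"triggered": dag_id}

    @requires_authentication
    def delete_pool(request, name):
        return {"deleted": name}

    return {"trigger_dag": trigger_dag, "delete_pool": delete_pool}


def probe(backend_name, endpoint, headers=None):
    """Call an endpoint under a backend: 'ok' if it ran, '401' if rejected."""
    api = build_api(backend_name)
    try:
        api[endpoint](Request(headers), "example")
        return "ok"
    except Unauthorized:
        return "401"


def basic_header(user, password):
    """Build an Authorization header for the Basic backend."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    for backend in BACKENDS:
        print(backend, "unauthenticated delete_pool ->", probe(backend, "delete_pool"))
    print("basic with valid creds ->", probe("basic", "trigger_dag", basic_header("niels", "s3cret")))
```

The point of the `build_api` indirection is that the decorator looks identical at every call site regardless of backend, which is exactly why an allow-all default is so easy to miss in review: the code reads as protected. Against a running deployment the equivalent check is to call a state-changing API endpoint with no credentials and confirm you get a 401 or 403 rather than a 200.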
