It's available by default. https://github.com/apache/incubator-airflow/blob/21e94c7d1594c5e0806d9e1ae1205a41bf98b5d3/airflow/www/app.py#L144

And used in the web front end https://github.com/apache/incubator-airflow/blob/6a9ee0e045cbd14e8b6e70341135c622af187fac/airflow/www/templates/airflow/dags.html#L299

Does this need to be loaded via JSON? Couldn't that info be sent on initial page load without needing an extra page load?

> On 30 Oct 2017, at 15:44, Andy Hadjigeorgiou <[email protected]> wrote:
>
> Is this experimental API available by default, or does it need a
> configuration?
>
> On Mon, Oct 30, 2017 at 11:42 AM, Ash Berlin-Taylor <[email protected]> wrote:
>
>> Oh gods.
>>
>> Something has gone wrong - the methods are decorated with
>> `@requires_authentication` but they... don't. Oh, because the default
>> backend doesn't do any authentication or protection at all.
>>
>> I think this is CVEworthy - using the User+Password auth for the web front
>> end/using default config should not leave the API unprotected. I think the
>> default API auth backend should deny all rather than allow all?
>>
>> -ash
>>
>>> On 30 Oct 2017, at 08:51, Niels Zeilemaker <[email protected]> wrote:
>>>
>>> Hi All,
>>>
>>> I've implemented HTTP Basic Authentication for the experiment API, see
>>> https://github.com/apache/incubator-airflow/pull/2730. This seems to work
>>> fine.
>>> However, while implementing this, I noticed, to my surprise, that the
>>> experimental API was open even though we enabled Password authentication
>>> for the web-interface.
>>> This seems like a bug to me, as one would expect that the experimental
>>> API would use the same auth backend as the web-interface.
>>>
>>> Why did Airflow choose to split the authentication for the
>>> web-interface and experimental API?
>>> And if it's not possible to combine those, is it possible to lock down
>>> the experimental API if one chooses a non-default web-interface auth
>>> backend?
>>>
>>> Niels
>>> Ps with an unsecured experimental api it is possible to trigger dags,
>>> list pools, delete pools, etc.
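
The fail-open default discussed in this thread, next to a deny-all default and an HTTP Basic backend, as an added example that is not Airflow's code and not part of any message above. Only the `requires_authentication` decorator name and the pool-deletion endpoint come from the thread; the backend classes, `make_api`, `basic_header` and the credentials are hypothetical and constructed for illustration.

```python
import base64
import hmac
from functools import wraps

class AllowAll:
    """Fail-open default: the decorator runs but checks nothing."""
    def authorized(self, headers):
        return True

class DenyAll:
    """Fail-closed default: API stays shut until a real backend is set."""
    def authorized(self, headers):
        return False

class BasicAuth:
    """HTTP Basic check against one credential pair (constructed values)."""
    def __init__(self, user, password):
        self._expected = f"{user}:{password}".encode()

    def authorized(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            supplied = base64.b64decode(token, validate=True)
        except ValueError:  # malformed base64 is a failed login, not a crash
            return False
        return hmac.compare_digest(supplied, self._expected)

def basic_header(user, password):
    """Build the Authorization header a client would send."""
    raw = f"{user}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

def make_api(backend):
    """Return a toy delete-pool endpoint guarded by `backend` (hypothetical)."""
    def requires_authentication(func):
        @wraps(func)
        def wrapper(headers, *args):
            if not backend.authorized(headers):
                return 403, "Forbidden"
            return func(headers, *args)
        return wrapper

    @requires_authentication
    def delete_pool(headers, name):
        return 200, f"pool {name} deleted"
    return delete_pool
```

The same decorated endpoint answers an anonymous request with 200 under `AllowAll` and 403 under `DenyAll`, so the presence of the decorator says nothing about protection until the configured backend is known.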
