Hi Ash, I made a pull request moving the latest runs call to the web api.
https://github.com/apache/incubator-airflow/pull/2734

Niels

On 30 Oct 2017 4:58 p.m., "Ash Berlin-Taylor" <[email protected]> wrote:

> It's available by default.
>
> https://github.com/apache/incubator-airflow/blob/21e94c7d1594c5e0806d9e1ae1205a41bf98b5d3/airflow/www/app.py#L144
>
> And used in the web front end
> https://github.com/apache/incubator-airflow/blob/6a9ee0e045cbd14e8b6e70341135c622af187fac/airflow/www/templates/airflow/dags.html#L299
>
> Does this need to be loaded via JSON? Couldn't that info be sent on
> initial page load without needing an extra page load?
>
> On 30 Oct 2017, at 15:44, Andy Hadjigeorgiou <[email protected]> wrote:
> >
> > Is this experimental API available by default, or does it need a
> > configuration?
> >
> > On Mon, Oct 30, 2017 at 11:42 AM, Ash Berlin-Taylor <[email protected]> wrote:
> >
> >> Oh gods.
> >>
> >> Something has gone wrong - the methods are decorated with
> >> `@requires_authentication` but they... don't. Oh, because the default
> >> backend doesn't do any authentication or protection at all.
> >>
> >> I think this is CVEworthy - using the User+Password auth for the web front
> >> end/using default config should not leave the API unprotected. I think the
> >> default API auth backend should deny all rather than allow all?
> >>
> >> -ash
> >>
> >>> On 30 Oct 2017, at 08:51, Niels Zeilemaker <[email protected]> wrote:
> >>>
> >>> Hi All,
> >>>
> >>> I've implemented HTTP Basic Authentication for the experimental API, see
> >>> https://github.com/apache/incubator-airflow/pull/2730. This seems to work
> >>> fine.
> >>> However, while implementing this, I noticed, to my surprise, that the
> >>> experimental API was open even though we enabled Password authentication
> >>> for the web-interface.
> >>> This seems like a bug to me, as one would expect that the experimental
> >>> API would use the same auth backend as the web-interface.
> >>>
> >>> Why did Airflow choose to split the authentication for the
> >>> web-interface and experimental API?
> >>> And if it's not possible to combine those, is it possible to lock down
> >>> the experimental API if one chooses a non-default web-interface auth
> >>> backend?
> >>>
> >>> Niels
> >>> PS: with an unsecured experimental API it is possible to trigger dags,
> >>> list pools, delete pools, etc.
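
The failure mode discussed in this thread, as an added illustration that is not Airflow's code and not part of the original messages: a `requires_authentication` decorator only protects an endpoint as far as the configured backend does, so an allow-all default leaves the decorated view open while a deny-all default fails closed. The backend classes, `make_api`, the `delete_pool` view and the credentials are constructed for this sketch.

```python
import base64
import hmac
from functools import wraps

# Constructed stand-ins; none of these names are Airflow's real modules.
class AllowAllBackend:
    """Models the default backend from the thread: every request passes."""
    def check(self, headers):
        return True

class DenyAllBackend:
    """The default proposed in the thread: refuse until a backend is chosen."""
    def check(self, headers):
        return False

class BasicAuthBackend:
    """HTTP Basic check against one constructed credential pair."""
    def __init__(self, user, password):
        self._expected = f"{user}:{password}".encode()

    def check(self, headers):
        scheme, _, blob = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            supplied = base64.b64decode(blob, validate=True)
        except ValueError:  # malformed base64 is treated as a failed login
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(supplied, self._expected)

def make_api(backend):
    """Return a toy endpoint guarded by a decorator that defers to `backend`."""
    def requires_authentication(view):
        @wraps(view)
        def guarded(headers, *args):
            if not backend.check(headers):
                return 403, "Forbidden"
            return view(headers, *args)
        return guarded

    @requires_authentication
    def delete_pool(headers, name):
        return 200, f"pool {name} deleted"

    return delete_pool
```
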
