Good work! Oh, /dag_stats and /task_stats were un-authenticated before too. Not disastrous but not great.
-ash

> On 30 Oct 2017, at 16:01, Niels Zeilemaker <[email protected]> wrote:
>
> Hi Ash,
>
> I made a pull request moving the latest runs call to the web api.
>
> https://github.com/apache/incubator-airflow/pull/2734
>
> Niels
>
> On 30 Oct 2017 4:58 p.m., "Ash Berlin-Taylor" <[email protected]> wrote:
>
>> It's available by default.
>>
>> https://github.com/apache/incubator-airflow/blob/21e94c7d1594c5e0806d9e1ae1205a41bf98b5d3/airflow/www/app.py#L144
>>
>> And used in the web front end:
>> https://github.com/apache/incubator-airflow/blob/6a9ee0e045cbd14e8b6e70341135c622af187fac/airflow/www/templates/airflow/dags.html#L299
>>
>> Does this need to be loaded via JSON? Couldn't that info be sent on
>> initial page load without needing an extra page load?
>>
>>> On 30 Oct 2017, at 15:44, Andy Hadjigeorgiou <[email protected]> wrote:
>>>
>>> Is this experimental API available by default, or does it need a
>>> configuration?
>>>
>>> On Mon, Oct 30, 2017 at 11:42 AM, Ash Berlin-Taylor <[email protected]> wrote:
>>>
>>>> Oh gods.
>>>>
>>>> Something has gone wrong - the methods are decorated with
>>>> `@requires_authentication` but they... don't. Oh, because the default
>>>> backend doesn't do any authentication or protection at all.
>>>>
>>>> I think this is CVE-worthy - using the User+Password auth for the web
>>>> front end/using default config should not leave the API unprotected. I
>>>> think the default API auth backend should deny all rather than allow all?
>>>>
>>>> -ash
>>>>
>>>>> On 30 Oct 2017, at 08:51, Niels Zeilemaker <[email protected]> wrote:
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I've implemented HTTP Basic Authentication for the experimental API, see
>>>>> https://github.com/apache/incubator-airflow/pull/2730. This seems to
>>>>> work fine.
>>>>> However, while implementing this, I noticed, to my surprise, that the
>>>>> experimental API was open even though we enabled Password authentication
>>>>> for the web-interface.
>>>>> This seems like a bug to me, as one would expect that the experimental
>>>>> API would use the same auth backend as the web-interface.
>>>>>
>>>>> Why did Airflow choose to split the authentication for the
>>>>> web-interface and experimental API?
>>>>> And if it's not possible to combine those, is it possible to lock down
>>>>> the experimental API if one chooses a non-default web-interface auth
>>>>> backend?
>>>>>
>>>>> Niels
>>>>> PS: with an unsecured experimental api it is possible to trigger dags,
>>>>> list pools, delete pools, etc.
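
The pattern the thread is arguing about, as a constructed Python illustration added here (not Airflow's code): a pluggable `requires_authentication` decorator where the allow-all "default backend" Ash describes sits beside a fail-closed deny-all default and an HTTP Basic backend of the kind Niels's PR adds. The `trigger_dag` handler, the header-dict request model, the user table and the `call` helper are all assumptions.

```python
import base64
import functools
import hmac

class Unauthorized(Exception): pass  # a real web app would answer with HTTP 401

def allow_all_requires_authentication(function):
    # The "default backend" shape the thread describes: a no-op decorator,
    # so every endpoint it wraps is reachable without any credentials.
    return function

def deny_all_requires_authentication(function):
    # Fail-closed alternative: until an operator configures a real backend,
    # every decorated endpoint rejects the request.
    @functools.wraps(function)
    def decorated(headers, *args, **kwargs):
        raise Unauthorized("no API auth backend configured; denying by default")
    return decorated

def make_basic_auth_backend(users):
    # HTTP Basic backend; requests are plain header dicts (constructed stand-in).
    def requires_authentication(function):
        @functools.wraps(function)
        def decorated(headers, *args, **kwargs):
            header = headers.get("Authorization", "")
            if not header.startswith("Basic "):
                raise Unauthorized("missing Basic credentials")
            try:
                user, _, pwd = base64.b64decode(header[6:]).decode().partition(":")
            except ValueError:  # bad base64 or non-UTF-8 bytes
                raise Unauthorized("malformed Basic credentials")
            expected = users.get(user, "")
            if not expected or not hmac.compare_digest(expected.encode(), pwd.encode()):
                raise Unauthorized("bad credentials")
            return function(headers, *args, **kwargs)
        return decorated
    return requires_authentication

def basic_header(user, pwd):
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()}

def trigger_dag(headers, dag_id):  # the handler every backend is tried against
    return f"triggered {dag_id}"

def call(backend, headers, dag_id="example_dag"):
    # Wrap the handler with the chosen backend's decorator, then invoke it.
    try:
        return backend(trigger_dag)(headers, dag_id)
    except Unauthorized as exc:
        return f"401: {exc}"
```

Swapping only the decorator changes whether the same handler is public, closed, or credential-checked, which is why the default backend's choice matters so much.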
