Hi All,

Airflow out of the box comes without security configured. This goes for both 
the API and the UI. Currently, the API and the UI make use of different 
authentication backends due to the way authentication needed to be implemented. 
This should be better documented.

So while “the web ui is protected, thus automatically the API as well” is the 
ideal situation, it is not an oversight and “not something has gone wrong”.

Some part of this is technical debt, which we probably won’t solve until the 
move towards FlaskApplicationBuilder, hopefully not too far out. That being 
said, we might choose to have a REST API as a separate service from the WebUI.

Cheers
Bolke



> On 30 Oct 2017, at 16:42, Ash Berlin-Taylor <[email protected]> 
> wrote:
> 
> Oh gods.
> 
> Something has gone wrong - the methods are decorated with 
> `@requires_authentication` but they... don't. Oh, because the default backend 
> doesn't do any authentication or protection at all. 
> 
> I think this is CVE-worthy - using the User+Password auth for the web front 
> end/using default config should not leave the API unprotected. I think the 
> default API auth backend should deny all rather than allow all?
> 
> -ash
> 
>> On 30 Oct 2017, at 08:51, Niels Zeilemaker 
>> <[email protected]> wrote:
>> 
>> Hi All,
>> 
>> I've implemented HTTP Basic Authentication for the experimental API, see 
>> https://github.com/apache/incubator-airflow/pull/2730. This seems to work 
>> fine.
>> However, while implementing this, I noticed, to my surprise, that the 
>> experimental API was open even though we enabled Password authentication for 
>> the web-interface.
>> This seems like a bug to me, as one would expect that the experimental API 
>> would use the same auth backend as the web-interface.
>> 
>> Why did Airflow choose to split the authentication for the web-interface 
>> and experimental API?
>> And if it's not possible to combine those, is it possible to lock down the 
>> experimental API if one chooses a non-default web-interface auth backend?
>> 
>> Niels
>> PS: with an unsecured experimental API it is possible to trigger DAGs, list 
>> pools, delete pools, etc.
> 
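The thread turns on one point: the experimental API's `requires_authentication` decorator is a pluggable backend, and the shipped default is a pass-through, so a web UI locked down with password auth does nothing for `/api/experimental/...`. The following is an added illustration written for this page, not Airflow's own code and not the code from PR 2730. It models the backend contract as a decorator over a WSGI-style `environ` dict so it runs offline without Airflow or Flask, shows an allow-all backend next to a deny-by-default HTTP Basic backend, and adds a small `airflow.cfg` audit for the mismatch Niels describes. The `USERS` table, `SAMPLE_CFG`, the pool handlers and the exact config key names are assumptions made for the example.

```python
"""Allow-all vs deny-by-default API auth backends (added example, not Airflow code)."""
import base64
import configparser
import hmac
from functools import wraps

# Constructed credential store for the example. Plaintext only to keep the
# demo short; a real backend verifies a salted password hash.
USERS = {"niels": "s3cret"}

# Constructed airflow.cfg fragment reproducing the situation in the thread:
# UI password auth on, API still on the allow-all backend. Key names are an
# assumption based on airflow.cfg as it looked at the time.
SAMPLE_CFG = """
[webserver]
authenticate = True
auth_backend = airflow.contrib.auth.backends.password_auth

[api]
auth_backend = airflow.api.auth.backend.default
"""


def _basic_auth_user(environ):
    """Return the username from a valid HTTP Basic Authorization header, else None."""
    scheme, _, payload = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in USERS:
        return None
    # Constant-time comparison so a wrong password does not leak via timing.
    if hmac.compare_digest(password.encode(), USERS[user].encode()):
        return user
    return None


def allow_all_requires_authentication(function):
    """Models the behaviour Ash describes: decorator applied, nothing checked."""
    @wraps(function)
    def decorated(environ, *args, **kwargs):
        return function(environ, *args, **kwargs)
    return decorated


def deny_by_default_requires_authentication(function):
    """Safer contract: no valid credentials means 401 and the handler never runs."""
    @wraps(function)
    def decorated(environ, *args, **kwargs):
        user = _basic_auth_user(environ)
        if user is None:
            return 401, {"WWW-Authenticate": 'Basic realm="airflow"'}, b"Unauthorized"
        environ["REMOTE_USER"] = user
        return function(environ, *args, **kwargs)
    return decorated


# Hypothetical pool-deletion handlers, one behind each backend.
@allow_all_requires_authentication
def delete_pool_open(environ, name):
    return 200, {}, f"deleted pool {name}".encode()


@deny_by_default_requires_authentication
def delete_pool_locked(environ, name):
    return 200, {}, f"deleted pool {name} as {environ['REMOTE_USER']}".encode()


def basic_header(user, password):
    """Build the environ entry a client would send for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"HTTP_AUTHORIZATION": f"Basic {token}"}


def audit_api_backend(cfg_text):
    """Flag UI authentication enabled while [api] auth_backend is the allow-all default."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    ui_auth = cfg.getboolean("webserver", "authenticate", fallback=False)
    api_backend = cfg.get("api", "auth_backend",
                          fallback="airflow.api.auth.backend.default")
    api_open = api_backend.endswith(".default")
    return {"ui_authenticated": ui_auth, "api_backend": api_backend,
            "api_unprotected": api_open, "mismatch": ui_auth and api_open}


if __name__ == "__main__":
    print("allow-all, no creds:", delete_pool_open({}, "default_pool")[0])
    print("deny-by-default, no creds:", delete_pool_locked({}, "default_pool")[0])
    print("deny-by-default, good creds:",
          delete_pool_locked(basic_header("niels", "s3cret"), "default_pool")[0])
    print("config audit:", audit_api_backend(SAMPLE_CFG))
```

The audit function is the check worth running on any deployment from this era: if `[webserver] authenticate` is on and `[api] auth_backend` still names the default module, the UI login is not protecting the endpoints Niels lists.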
