FWIW I am hoping we can change this insecure-by-default for 2.0, and there is already some stuff in the Airflow config that lets you do this out of the box if you tweak a couple of config values (e.g. check out secure_mode that we can hopefully build upon).
On Mon, Oct 30, 2017 at 3:22 PM Bolke de Bruin <[email protected]> wrote:

> Hi All,
>
> Airflow out of the box comes without security configured. This goes for both the API and the UI. Currently, the API and the UI make use of different authentication backends due to the way authentication needed to be implemented. This should be better documented.
>
> So while "the web UI is protected, thus automatically the API as well" is the ideal situation, it is not an oversight and "not something has gone wrong".
>
> Some part of this is technical debt, which we probably won't solve until the move towards FlaskApplicationBuilder, hopefully not too far out. That being said, we might choose to have a REST API as a separate service from the WebUI.
>
> Cheers
> Bolke
>
> > On 30 Oct 2017, at 16:42, Ash Berlin-Taylor <[email protected]> wrote:
> >
> > Oh gods.
> >
> > Something has gone wrong - the methods are decorated with `@requires_authentication` but they... don't. Oh, because the default backend doesn't do any authentication or protection at all.
> >
> > I think this is CVE-worthy - using the User+Password auth for the web front end/using default config should not leave the API unprotected. I think the default API auth backend should deny all rather than allow all?
> >
> > -ash
> >
> >> On 30 Oct 2017, at 08:51, Niels Zeilemaker <[email protected]> wrote:
> >>
> >> Hi All,
> >>
> >> I've implemented HTTP Basic Authentication for the experimental API, see https://github.com/apache/incubator-airflow/pull/2730. This seems to work fine.
> >> However, while implementing this, I noticed, to my surprise, that the experimental API was open even though we enabled Password authentication for the web-interface.
> >> This seems like a bug to me, as one would expect that the experimental API would use the same auth backend as the web-interface.
> >>
> >> Why did Airflow choose to split the authentication for the web-interface and experimental API?
> >> And if it's not possible to combine those, is it possible to lock down the experimental API if one chooses a non-default web-interface auth backend?
> >>
> >> Niels
> >> PS with an unsecured experimental API it is possible to trigger dags, list pools, delete pools, etc.
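To make the pattern under discussion concrete, here is an added, hypothetical Python model of a pluggable API auth backend behind a `requires_authentication` decorator. It is not Airflow's code and not the code from the linked PR; the names `Request`, `Response`, `set_auth_backend`, `_USERS` and the three backends are assumptions made for the illustration. It shows why an allow-all default leaves every decorated endpoint open, how a deny-all default closes that gap, and how an HTTP Basic backend authenticates callers once it is configured.

```python
"""Illustrative model (added example, not Airflow's code) of a pluggable
API auth backend behind a ``requires_authentication`` decorator.

A backend is a callable that inspects the request and returns None to
allow it, or a Response that rejects it. The decorator defers entirely
to the configured backend, so the decorator is only as strong as the
backend behind it: with an allow-all backend the decoration is cosmetic.
"""
import base64
import hmac
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, Optional


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical type)."""
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


AuthBackend = Callable[[Request], Optional[Response]]


def allow_all(request: Request) -> Optional[Response]:
    """The insecure default described in the thread: never rejects."""
    return None


def deny_all(request: Request) -> Optional[Response]:
    """The safe default proposed in the thread: rejects until an
    operator explicitly configures a real backend."""
    return Response(403, "Forbidden: no API auth backend configured")


# Constructed demo credential store; a real deployment would hold
# password hashes, not plaintext.
_USERS: Dict[str, str] = {"alice": "correct horse"}


def basic_auth(request: Request) -> Optional[Response]:
    """HTTP Basic backend: parses the Authorization header and checks
    the credential with a constant-time comparison."""
    header = request.headers.get("Authorization", "")
    if not header.startswith("Basic "):
        return Response(401, "Unauthorized")
    try:
        decoded = base64.b64decode(header[len("Basic "):]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return Response(401, "Unauthorized")
    user, _, password = decoded.partition(":")
    expected = _USERS.get(user)
    if expected is None or not hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8")
    ):
        return Response(401, "Unauthorized")
    return None


# Mutable stand-in for the config entry that selects the backend.
_CONFIG: Dict[str, AuthBackend] = {"auth_backend": allow_all}


def set_auth_backend(backend: AuthBackend) -> None:
    _CONFIG["auth_backend"] = backend


def requires_authentication(handler):
    """Runs the configured backend before the handler; the handler is
    never reached when the backend returns a rejection."""
    @wraps(handler)
    def wrapper(request: Request) -> Response:
        rejection = _CONFIG["auth_backend"](request)
        if rejection is not None:
            return rejection
        return handler(request)
    return wrapper


@requires_authentication
def trigger_dag(request: Request) -> Response:
    """Hypothetical protected endpoint."""
    return Response(200, "dag triggered")


def basic_header(user: str, password: str) -> Dict[str, str]:
    """Builds an Authorization header for the demo client."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    print("allow_all :", trigger_dag(Request()).status)          # 200, open
    set_auth_backend(deny_all)
    print("deny_all  :", trigger_dag(Request()).status)          # 403
    set_auth_backend(basic_auth)
    print("no creds  :", trigger_dag(Request()).status)          # 401
    good = Request(headers=basic_header("alice", "correct horse"))
    print("good creds:", trigger_dag(good).status)               # 200
```

The point the model makes is that `@requires_authentication` only expresses intent; the effective policy lives in whichever backend the configuration selects, which is why a deny-all default is the one that fails closed when an operator forgets to configure API authentication.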
