This is an automated email from the ASF dual-hosted git repository. kaxilnaik pushed a commit to branch v1-10-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 89329c4ac4e98f479003b217981dc4dfde2bf661 Author: Ash Berlin-Taylor <ash_git...@firemirror.com> AuthorDate: Wed Jul 1 17:04:35 2020 +0100 Change default auth for experimental backend to deny_all (#9611) In a move that should surprise no one, a number of users do not read, and leave the API wide open by default. Safe is better than powned (cherry picked from commit 9e305d6b810a2a21e2591a80a80ec41acb3afed0) --- UPDATING.md | 16 ++++++++++++++++ airflow/config_templates/config.yml | 6 ++++-- airflow/config_templates/default_airflow.cfg | 6 ++++-- 3 files changed, 24 insertions(+), 4 deletions(-) diff --git a/UPDATING.md b/UPDATING.md index 3dfda58..ec193f9 100644 --- a/UPDATING.md +++ b/UPDATING.md @@ -73,6 +73,22 @@ Before 1.10.11 it was possible to edit DagRun State in the `/admin/dagrun/` page In Airflow 1.10.11+, the user can only choose the states from the list. +### Experimental API will deny all request by default. + +The previous default setting was to allow all API requests without authentication, but this poses security +risks to users who miss this fact. This changes the default for new installs to deny all requests by default. + +**Note**: This will not change the behavior for existing installs, please update check your airflow.cfg + +If you wish to have the experimental API work, and aware of the risks of enabling this without authentication +(or if you have your own authentication layer in front of Airflow) you can get +the previous behaviour on a new install by setting this in your airflow.cfg: + +``` +[api] +auth_backend = airflow.api.auth.backend.default +``` + ## Airflow 1.10.10 ### Setting Empty string to a Airflow Variable will return an empty string diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml index f632cd5..0d52426 100644 --- a/airflow/config_templates/config.yml +++ b/airflow/config_templates/config.yml 
@@ -524,11 +524,13 @@ options: - name: auth_backend description: | - How to authenticate users of the API + How to authenticate users of the API. See + https://airflow.apache.org/docs/stable/security.html for possible values. + ("airflow.api.auth.backend.default" allows all requests for historic reasons) version_added: ~ type: string example: ~ - default: "airflow.api.auth.backend.default" + default: "airflow.api.auth.backend.deny_all" - name: lineage description: ~ options: diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg index a061d46..63bd3cb 100644 --- a/airflow/config_templates/default_airflow.cfg +++ b/airflow/config_templates/default_airflow.cfg @@ -274,8 +274,10 @@ endpoint_url = http://localhost:8080 fail_fast = False [api] -# How to authenticate users of the API -auth_backend = airflow.api.auth.backend.default +# How to authenticate users of the API. See +# https://airflow.apache.org/docs/stable/security.html for possible values. +# ("airflow.api.auth.backend.default" allows all requests for historic reasons) +auth_backend = airflow.api.auth.backend.deny_all [lineage] # what lineage backend to use
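Review bot: The added UPDATING.md text has wording slips that should be fixed before release, and the guidance for existing installs is too vague to act on. The heading "Experimental API will deny all request by default." should read "requests" (and drop the trailing period to match the other `###` headings in the file); "please update check your airflow.cfg" should be "please check your airflow.cfg"; and "If you wish to have the experimental API work, and aware of the risks" needs "and are aware". More importantly, the note for existing installs should say what to check: a pre-existing `airflow.cfg` keeps whatever `auth_backend` it already has, so an upgraded install with `auth_backend = airflow.api.auth.backend.default` (or with no `[api]` section, which falls back to the old default) stays open until the operator sets `auth_backend = airflow.api.auth.backend.deny_all` or a real backend by hand. The fenced block would also benefit from an `ini` language tag for consistency with the rest of the file.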
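Review bot: In the config.yml hunk the `example: ~` field is left empty while `default` changes; since this file drives the generated documentation, consider setting `example` to the secure value (or to the name of a real authenticating backend) so the rendered docs do not show only the "allows all requests for historic reasons" aside as guidance. The new description also hard-codes https://airflow.apache.org/docs/stable/security.html; linking to the stable docs from a 1.10 branch risks pointing at a page for a later major version, so a version-pinned link or the relative doc path used elsewhere in config.yml would be safer.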
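Review bot: The default_airflow.cfg hunk carries the same three comment lines as the config.yml description word for word. If default_airflow.cfg is generated from config.yml in this branch, confirm the file was regenerated rather than hand-edited so the two cannot drift; if it is maintained by hand, fine, but the comment should then also state what `deny_all` does (every request to the experimental API is rejected) so an operator reading only the cfg understands why API calls start failing after a fresh install rather than having to follow the link.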