This is an automated email from the ASF dual-hosted git repository. kaxilnaik pushed a commit to branch v1-10-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit efe86e55f6af52f0eb0457625d7b92193b88a296 Author: Kaxil Naik <kaxiln...@gmail.com> AuthorDate: Wed Jul 1 22:59:13 2020 +0100 Update docs about the change to default auth for experimental API (#9617) (cherry picked from commit 7ef7f5880dfefc6e33cb7bf331927aa08e1bb438) --- docs/security.rst | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index 863a454..3817c7f 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -159,15 +159,27 @@ only the dags which it is owner of, unless it is a superuser. API Authentication ------------------ -Authentication for the API is handled separately to the Web Authentication. The default is to not -require any authentication on the API i.e. wide open by default. This is not recommended if your -Airflow webserver is publicly accessible, and you should probably use the ``deny all`` backend: +Authentication for the API is handled separately to the Web Authentication. The default is to +deny all requests: .. code-block:: ini [api] auth_backend = airflow.api.auth.backend.deny_all +.. versionchanged:: 1.10.11 + + In Airflow <1.10.11, the default setting was to allow all API requests without authentication, but this + posed security risks for if the Webserver is publicly accessible. + +If you wish to have the experimental API work, and aware of the risks of enabling this without authentication +(or if you have your own authentication layer in front of Airflow) you can set the following in ``airflow.cfg``: + +.. code-block:: ini + + [api] + auth_backend = airflow.api.auth.backend.default + Two "real" methods for authentication are currently supported for the API. To enabled Password authentication, set the following in the configuration:
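Review bot: In the added paragraph that re-enables the experimental API, the backend name ``airflow.api.auth.backend.default`` now reads as if it were the default setting, while the text above it says the default is to deny all requests. The paragraph should state outright that this backend accepts every request without authentication, so a reader skimming the ``[api]`` snippet does not mistake it for the safe choice. The added wording also needs two small fixes: "posed security risks for if the Webserver is publicly accessible" should drop "for", and "and aware of the risks" should read "and are aware of the risks". Finally, the ``.. versionchanged:: 1.10.11`` note says "In Airflow <1.10.11" but does not tell users upgrading from those versions that existing API clients will start being rejected unless ``auth_backend`` is set explicitly; one sentence on that would help.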