Merged
16 changes: 16 additions & 0 deletions UPDATING.md
Expand Up @@ -1425,6 +1425,22 @@ Now the `dag_id` will not appear repeated in the payload, and the response forma
}
```

### Experimental API will deny all request by default.

The previous default setting was to allow all API requests without authentication, but this poses security
risks to users who miss this fact. This changes the default for new installs to deny all requests by default.

**Note**: This will not change the behavior for existing installs, please update check your airflow.cfg

If you wish to have the experimental API work, and aware of the risks of enabling this without authentication
(or if you have your own authentication layer in front of Airflow) you can get
the previous behaviour on a new install by setting this in your airflow.cfg:

```
[api]
auth_backend = airflow.api.auth.backend.default
```

## Airflow 1.10.10

### Setting Empty string to a Airflow Variable will return an empty string
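Review bot: The **Note** line ("please update check your airflow.cfg") is garbled and never says what to check for, which matters because existing installs are exactly the ones left on the allow-all behaviour. Suggest rewording it to tell operators to look for `auth_backend = airflow.api.auth.backend.default` under `[api]` and to name the value that closes it (`airflow.api.auth.backend.deny_all`, per the config template changes in this PR). Smaller wording points in the same hunk: the heading should read "deny all requests" without the trailing period, and "and aware of the risks" is missing "are".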
6 changes: 4 additions & 2 deletions airflow/config_templates/config.yml
Expand Up @@ -574,11 +574,13 @@
options:
- name: auth_backend
description: |
How to authenticate users of the API
How to authenticate users of the API. See
https://airflow.apache.org/docs/stable/security.html for possible values.
("airflow.api.auth.backend.default" allows all requests for historic reasons)
version_added: ~
type: string
example: ~
default: "airflow.api.auth.backend.default"
default: "airflow.api.auth.backend.deny_all"
- name: lineage
description: ~
options:
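Review bot: The new `description` for `auth_backend` explains only the old value and never mentions `airflow.api.auth.backend.deny_all`, so a reader of the generated docs sees a default whose effect is not described. Now that the backend named `default` is no longer the default, it would help to state both plainly, for example that `deny_all` rejects every request and that `default` performs no authentication at all. The link also points at `docs/stable`, which is unversioned and may describe a different release than the one this file ships with.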
6 changes: 4 additions & 2 deletions airflow/config_templates/default_airflow.cfg
Expand Up @@ -311,8 +311,10 @@ endpoint_url = http://localhost:8080
fail_fast = False

[api]
# How to authenticate users of the API
auth_backend = airflow.api.auth.backend.default
# How to authenticate users of the API. See
# https://airflow.apache.org/docs/stable/security.html for possible values.
# ("airflow.api.auth.backend.default" allows all requests for historic reasons)
auth_backend = airflow.api.auth.backend.deny_all

[lineage]
# what lineage backend to use
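Review bot: The comment above `auth_backend` in `[api]` does not tell an operator what the new value does, so someone whose API calls start being rejected on a fresh install gets no hint from the file they are most likely to open. Suggest adding one comment line saying that `deny_all` rejects all API requests until an authenticating backend is configured. The comment text is also a word-for-word copy of the `description` in config.yml, so any rewording should be applied in both places to keep them in sync.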