Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/01/24 06:27:25 UTC

[GitHub] [airflow] iangcarroll opened a new pull request #13870: Add authentication to experimental API endpoint.

iangcarroll opened a new pull request #13870:
URL: https://github.com/apache/airflow/pull/13870


   I couldn't find a good reason why this endpoint was missing the authentication decorator. This would likely break any clients calling this endpoint in an unauthenticated manner, but given it's not documented that it should be unauthenticated, I would imagine this is fine.
   
   This might deserve a low-impact CVE. It looks like it went wrong in fbd994a, during a refactor of the stable API which seems unrelated to this endpoint.
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [airflow] github-actions[bot] commented on pull request #13870: Add authentication to experimental API endpoint.

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #13870:
URL: https://github.com/apache/airflow/pull/13870#issuecomment-766314954


   The PR is likely OK to be merged with just a subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest master or amend the last commit of the PR, and push it with --force-with-lease.





[GitHub] [airflow] potiuk commented on pull request #13870: Add authentication to experimental API endpoint.

Posted by GitBox <gi...@apache.org>.
potiuk commented on pull request #13870:
URL: https://github.com/apache/airflow/pull/13870#issuecomment-766304040


   > Hi @XD-DENG, sure, I agree with that. However, it still exists, and if anyone has it enabled, they would be vulnerable to a security issue, as I do not see any other authorization check on this endpoint. This would be unexpected by anyone who has authentication configured for the experimental API.
   > 
   > And, if anyone has set the `auth_backend` to `airflow.api.auth.backend.deny_all`, expecting it to disable the API, it would not apply to this endpoint.
   
   Yep. Agree - if that is a regression, we should fix it - while the stable API is deprecated, we still support it in 2.0 and regressions should be fixed.





[GitHub] [airflow] boring-cyborg[bot] commented on pull request #13870: Add authentication to lineage endpoint for experimental API

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on pull request #13870:
URL: https://github.com/apache/airflow/pull/13870#issuecomment-768598817


   Awesome work, congrats on your first merged pull request!
   





[GitHub] [airflow] XD-DENG commented on pull request #13870: Add authentication to experimental API endpoint.

Posted by GitBox <gi...@apache.org>.
XD-DENG commented on pull request #13870:
URL: https://github.com/apache/airflow/pull/13870#issuecomment-766302032


   Thanks @iangcarroll for this PR.
   
   However please note this _experimental_ API is already deprecated (https://github.com/apache/airflow/blob/master/airflow/config_templates/default_airflow.cfg#L374), and we favour the _stable_ REST API.
   
   Currently experimental API is disabled by default (https://github.com/apache/airflow/blob/master/UPDATING.md#the-experimental-rest-api-is-disabled-by-default), and I would suggest migrating away from it, instead of making any further change on it. 





[GitHub] [airflow] potiuk edited a comment on pull request #13870: Add authentication to experimental API endpoint.

Posted by GitBox <gi...@apache.org>.
potiuk edited a comment on pull request #13870:
URL: https://github.com/apache/airflow/pull/13870#issuecomment-766304165


   @bolkedebruin -> I think that API was added by you, is there any reason why it should be kept unauthenticated? Can you please confirm this was an accidental removal?





[GitHub] [airflow] boring-cyborg[bot] commented on pull request #13870: Add authentication to experimental API endpoint.

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on pull request #13870:
URL: https://github.com/apache/airflow/pull/13870#issuecomment-766299858


   Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about anything, please check our Contribution Guide (https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst).
   Here are some useful points:
   - Pay attention to the quality of your code (flake8, pylint and type annotations). Our [pre-commits]( https://github.com/apache/airflow/blob/master/STATIC_CODE_CHECKS.rst#prerequisites-for-pre-commit-hooks) will help you with that.
   - In case of a new feature add useful documentation (in docstrings or in `docs/` directory). Adding a new operator? Check this short [guide](https://github.com/apache/airflow/blob/master/docs/apache-airflow/howto/custom-operator.rst). Consider adding an example DAG that shows how users should use it.
   - Consider using [Breeze environment](https://github.com/apache/airflow/blob/master/BREEZE.rst) for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
   - Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
   - Please follow [ASF Code of Conduct](https://www.apache.org/foundation/policies/conduct) for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
   - Be sure to read the [Airflow Coding style]( https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst#coding-style-and-best-practices).
   Apache Airflow is a community-driven project and together we are making it better 🚀.
   In case of doubts contact the developers at:
   Mailing List: dev@airflow.apache.org
   Slack: https://s.apache.org/airflow-slack
   





[GitHub] [airflow] iangcarroll edited a comment on pull request #13870: Add authentication to experimental API endpoint.

Posted by GitBox <gi...@apache.org>.
iangcarroll edited a comment on pull request #13870:
URL: https://github.com/apache/airflow/pull/13870#issuecomment-766303117


   Hi @XD-DENG, sure, I agree with that. However, it still exists, and if anyone has it enabled, they would be vulnerable to a security issue, as I do not see any other authorization check on this endpoint. This would be unexpected by anyone who has authentication configured for the experimental API.
   
   And, if anyone has set the `auth_backend` to `airflow.api.auth.backend.deny_all`, expecting it to disable the API, it would not apply to this endpoint.








[GitHub] [airflow] potiuk commented on pull request #13870: Add authentication to experimental API endpoint.

Posted by GitBox <gi...@apache.org>.
potiuk commented on pull request #13870:
URL: https://github.com/apache/airflow/pull/13870#issuecomment-766304165


   @bolkedebruin -> I think that API was added by you, is there any reason why it should be kept unauthenticated? Can you confirm this was an accidental removal?





[GitHub] [airflow] kaxil merged pull request #13870: Add authentication to lineage endpoint for experimental API

Posted by GitBox <gi...@apache.org>.
kaxil merged pull request #13870:
URL: https://github.com/apache/airflow/pull/13870


   





[GitHub] [airflow] iangcarroll commented on pull request #13870: Add authentication to experimental API endpoint.

Posted by GitBox <gi...@apache.org>.
iangcarroll commented on pull request #13870:
URL: https://github.com/apache/airflow/pull/13870#issuecomment-766303117


   Hi @XD-DENG, sure, I agree with that. However, it still exists, and if anyone has it enabled, they would be vulnerable to a security issue, as I do not see any other authorization check on this endpoint. This would be unexpected by anyone who has authentication configured for the experimental API.

