You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by "Ash Berlin-Taylor (JIRA)" <ji...@apache.org> on 2019/04/24 12:04:00 UTC
[jira] [Closed] (AIRFLOW-3095) Password Auth fails to forbid access
when it should
[ https://issues.apache.org/jira/browse/AIRFLOW-3095?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ash Berlin-Taylor closed AIRFLOW-3095.
--------------------------------------
Resolution: Not A Bug
> Password Auth fails to forbid access when it should
> ---------------------------------------------------
>
> Key: AIRFLOW-3095
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3095
> Project: Apache Airflow
> Issue Type: Bug
> Components: authentication
> Affects Versions: 1.10.0
> Reporter: Victor
> Priority: Major
> Labels: security
>
> Hi,
>
> I encountered the following very strange situation that looks like a big security bug:
> * I started a new instance of airflow with a database (using the puckel docker image for the record) and with the airflow.contrib.auth.backends.password_auth backend.
> * I created a user on it by following [https://airflow.apache.org/security.html#password]
> * I connected to the instance with my browser and I was asked to login
> * I logged on the airflow instance, played with it a bit,
> * I destroyed the instance as well as its database
> * I created a new instance, still with the airflow.contrib.auth.backends.password_auth backend.
> * I connected to the instance with my browser and I was NOT asked to login even though there was no user created on it!
> I think something is missing and the cookie of the browser (or whatever) is reused and trusted as if it was enough to authenticate the user.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)