You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by je...@apache.org on 2022/04/21 16:37:27 UTC

[airflow] branch main updated: Change `[api] auth_backends` to be comma separated (#23138)

This is an automated email from the ASF dual-hosted git repository.

jedcunningham pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new a7bccaacb9 Change `[api] auth_backends` to be comma separated (#23138)
a7bccaacb9 is described below

commit a7bccaacb9a35ed6dcd4c1cadda4b8f294332722
Author: Jed Cunningham <66...@users.noreply.github.com>
AuthorDate: Thu Apr 21 10:37:15 2022 -0600

    Change `[api] auth_backends` to be comma separated (#23138)
    
    I could infer that this config accepted more than 1 value, but it wasn't
    obvious how it was split. This makes it match our other multi-value
    config options, plus adds it to the docs.
    
    This also fixes the docs link referenced in config.
---
 airflow/api/__init__.py                      | 4 ++--
 airflow/config_templates/config.yml          | 4 ++--
 airflow/config_templates/default_airflow.cfg | 4 ++--
 airflow/configuration.py                     | 2 +-
 airflow/www/extensions/init_security.py      | 2 +-
 docs/apache-airflow/security/api.rst         | 6 +++---
 tests/api_connexion/test_auth.py             | 2 +-
 tests/core/test_configuration.py             | 2 +-
 8 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/airflow/api/__init__.py b/airflow/api/__init__.py
index a9c7619e64..da07429869 100644
--- a/airflow/api/__init__.py
+++ b/airflow/api/__init__.py
@@ -34,9 +34,9 @@ def load_auth():
         pass
 
     backends = []
-    for backend in auth_backends.split():
+    for backend in auth_backends.split(","):
         try:
-            auth = import_module(backend)
+            auth = import_module(backend.strip())
             log.info("Loaded API auth backend: %s", backend)
             backends.append(auth)
         except ImportError as err:
diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml
index 15ba71917a..c4898b4555 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -826,8 +826,8 @@
       default: "False"
     - name: auth_backends
       description: |
-        How to authenticate users of the API. See
-        https://airflow.apache.org/docs/apache-airflow/stable/security.html for possible values.
+        Comma separated list of auth backends to authenticate users of the API. See
+        https://airflow.apache.org/docs/apache-airflow/stable/security/api.html for possible values.
         ("airflow.api.auth.backend.default" allows all requests for historic reasons)
       version_added: ~
       type: string
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index 68318d4c6e..a6583d8f47 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -446,8 +446,8 @@ fail_fast = False
 #   `RELEASE_NOTES.rst <https://github.com/apache/airflow/blob/main/RELEASE_NOTES.rst>`_
 enable_experimental_api = False
 
-# How to authenticate users of the API. See
-# https://airflow.apache.org/docs/apache-airflow/stable/security.html for possible values.
+# Comma separated list of auth backends to authenticate users of the API. See
+# https://airflow.apache.org/docs/apache-airflow/stable/security/api.html for possible values.
 # ("airflow.api.auth.backend.default" allows all requests for historic reasons)
 auth_backends = airflow.api.auth.backend.session
 
diff --git a/airflow/configuration.py b/airflow/configuration.py
index 5a5c346aa8..d31933779d 100644
--- a/airflow/configuration.py
+++ b/airflow/configuration.py
@@ -325,7 +325,7 @@ class AirflowConfigParser(ConfigParser):
             # handled by deprecated_values
             pass
         elif old_value.find('airflow.api.auth.backend.session') == -1:
-            new_value = old_value + "\nairflow.api.auth.backend.session"
+            new_value = old_value + ",airflow.api.auth.backend.session"
             self._update_env_var(section="api", name="auth_backends", new_value=new_value)
             warnings.warn(
                 'The auth_backends setting in [api] has had airflow.api.auth.backend.session added '
diff --git a/airflow/www/extensions/init_security.py b/airflow/www/extensions/init_security.py
index 61b1bf36e5..aece5e9fe3 100644
--- a/airflow/www/extensions/init_security.py
+++ b/airflow/www/extensions/init_security.py
@@ -51,7 +51,7 @@ def init_api_experimental_auth(app):
         pass
 
     app.api_auth = []
-    for backend in auth_backends.split():
+    for backend in auth_backends.split(','):
         try:
             auth = import_module(backend.strip())
             auth.init_app(app)
diff --git a/docs/apache-airflow/security/api.rst b/docs/apache-airflow/security/api.rst
index 02c9bd0a30..f2ee8487f2 100644
--- a/docs/apache-airflow/security/api.rst
+++ b/docs/apache-airflow/security/api.rst
@@ -34,10 +34,10 @@ check the user session:
     In Airflow <1.10.11, the default setting was to allow all API requests without authentication, but this
     posed security risks for if the Webserver is publicly accessible.
 
-.. versionchanged:: 2.3
+.. versionchanged:: 2.3.0
 
-    In Airflow <2.3 this setting was ``auth_backend`` and allowed only one
-    value. In 2.3 it was changed to support multiple backends that are tried
+    In Airflow <2.3.0 this setting was ``auth_backend`` and allowed only one
+    value. In 2.3.0 it was changed to support multiple backends that are tried
     in turn.
 
 If you want to check which authentication backends are currently set, you can use ``airflow config get-value api auth_backends``
diff --git a/tests/api_connexion/test_auth.py b/tests/api_connexion/test_auth.py
index 60f2a5d0b8..4049e35007 100644
--- a/tests/api_connexion/test_auth.py
+++ b/tests/api_connexion/test_auth.py
@@ -177,7 +177,7 @@ class TestSessionWithBasicAuthFallback(BaseTestAuth):
                     (
                         "api",
                         "auth_backends",
-                    ): "airflow.api.auth.backend.session\nairflow.api.auth.backend.basic_auth"
+                    ): "airflow.api.auth.backend.session,airflow.api.auth.backend.basic_auth"
                 }
             ):
                 init_api_experimental_auth(minimal_app_for_api)
diff --git a/tests/core/test_configuration.py b/tests/core/test_configuration.py
index 839877b8fb..e6c0a1546e 100644
--- a/tests/core/test_configuration.py
+++ b/tests/core/test_configuration.py
@@ -613,7 +613,7 @@ AIRFLOW_HOME = /root/airflow
             test_conf.validate()
             assert (
                 test_conf.get('api', 'auth_backends')
-                == 'airflow.api.auth.backend.basic_auth\nairflow.api.auth.backend.session'
+                == 'airflow.api.auth.backend.basic_auth,airflow.api.auth.backend.session'
             )
 
     @pytest.mark.parametrize(