You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by "Victor (JIRA)" <ji...@apache.org> on 2018/09/20 15:25:00 UTC
[jira] [Created] (AIRFLOW-3095) Password Auth fails to forbid
access when it should
Victor created AIRFLOW-3095:
-------------------------------
Summary: Password Auth fails to forbid access when it should
Key: AIRFLOW-3095
URL: https://issues.apache.org/jira/browse/AIRFLOW-3095
Project: Apache Airflow
Issue Type: Bug
Components: authentication
Affects Versions: 1.10.0
Reporter: Victor
Hi,
I encountered the following very strange situation that looks like a big security bug:
* I started a new instance of airflow with a database (using the puckel docker image for the record) and with the airflow.contrib.auth.backends.password_auth backend.
* I created a user on it by following [https://airflow.apache.org/security.html#password]
* I connected to the instance with my browser and I was asked to login
* I logged on the airflow instance, played with it a bit,
* I destroyed the instance as well as its database
* I created a new instance, still with the airflow.contrib.auth.backends.password_auth backend.
* I connected to the instance with my browser and I was NOT asked to login even though there was no user created on it!
I think something is missing and the cookie of the browser (or whatever) is reused and trusted as if it was enough to authenticate the user.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)