jscheffl commented on code in PR #40897:
URL: https://github.com/apache/airflow/pull/40897#discussion_r1685320255


##########
airflow/api_internal/internal_api_call.py:
##########
@@ -68,21 +73,31 @@ def get_internal_api_endpoint():
             InternalApiConfig._init_values()
         return InternalApiConfig._internal_api_endpoint
 
+    @staticmethod
+    def get_auth() -> AuthBase | None:
+        return InternalApiConfig._internal_api_auth
+
     @staticmethod
     def _init_values():
         use_internal_api = conf.getboolean("core", 
"database_access_isolation", fallback=False)
         if use_internal_api and not _ENABLE_AIP_44:
             raise RuntimeError("The AIP_44 is not enabled so you cannot use 
it.")
-        internal_api_endpoint = ""
         if use_internal_api:
-            internal_api_url = conf.get("core", "internal_api_url")
-            internal_api_endpoint = internal_api_url + 
"/internal_api/v1/rpcapi"
-            if not internal_api_endpoint.startswith("http://";):
-                raise AirflowConfigException("[core]internal_api_url must 
start with http://";)
+            internal_api_endpoint = conf.get("core", "internal_api_url")
+            if internal_api_endpoint.find("/", 8) == -1:
+                internal_api_endpoint = internal_api_endpoint + 
"/internal_api/v1/rpcapi"
+            if not internal_api_endpoint.startswith("http://";) and not 
internal_api_endpoint.startswith(
+                "https://";
+            ):
+                raise AirflowConfigException("[core]internal_api_url must 
start with http:// or https://";)
+            InternalApiConfig._internal_api_endpoint = internal_api_endpoint
+            internal_api_user = conf.get("core", "internal_api_user")
+            internal_api_password = conf.get("core", "internal_api_password")

Review Comment:
   Looking through the code I am wondering a bit regarding the log endpoint 
where the code snippet is coming from. The log endpoint also uses the decorator 
`@security.requires_access_dag("GET", DagAccessEntity.TASK_LOGS)` on top, which 
means the token is a kind of second factor but not the only means of 
authentication. You need to authenticate to get logs. I don't see any handling 
with the decorator ignoring an HTTP-based auth if a token is provided.
   
   Do you mean with your feedback that, if we implement auth in the internal 
API, we need to put the token "on top" to have a second factor? Or should a 
generated token based on the secret key replace/substitute any decorator, e.g. 
the one which I just added in AIP-69 in 
https://github.com/apache/airflow/pull/40224/files#diff-5fb7e8d1b04e10947ebd11fdba06820f44cac02f2f36ad97b5964cf0273b05cfR69
 (`@requires_access_custom_view("POST", REMOTE_WORKER_API_ROLE)`) - would a 
pure token authentication be sufficient?


