jscheffl commented on code in PR #40897: URL: https://github.com/apache/airflow/pull/40897#discussion_r1685320255
########## airflow/api_internal/internal_api_call.py: ########## 
@@ -68,21 +73,31 @@ def get_internal_api_endpoint(): InternalApiConfig._init_values() return InternalApiConfig._internal_api_endpoint + @staticmethod + def get_auth() -> AuthBase | None: + return InternalApiConfig._internal_api_auth + @staticmethod def _init_values(): use_internal_api = conf.getboolean("core", "database_access_isolation", fallback=False) if use_internal_api and not _ENABLE_AIP_44: raise RuntimeError("The AIP_44 is not enabled so you cannot use it.") - internal_api_endpoint = "" if use_internal_api: - internal_api_url = conf.get("core", "internal_api_url") - internal_api_endpoint = internal_api_url + "/internal_api/v1/rpcapi" - if not internal_api_endpoint.startswith("http://"): - raise AirflowConfigException("[core]internal_api_url must start with http://") + internal_api_endpoint = conf.get("core", "internal_api_url") + if internal_api_endpoint.find("/", 8) == -1: + internal_api_endpoint = internal_api_endpoint + "/internal_api/v1/rpcapi" + if not internal_api_endpoint.startswith("http://") and not internal_api_endpoint.startswith( + "https://" + ): + raise AirflowConfigException("[core]internal_api_url must start with http:// or https://") + InternalApiConfig._internal_api_endpoint = internal_api_endpoint + internal_api_user = conf.get("core", "internal_api_user") + internal_api_password = conf.get("core", "internal_api_password")
Review Comment: Looking through the code I am wondering a bit regarding the log endpoint where the code snippet is coming from. Log endpoint also uses the decorator `@security.requires_access_dag("GET", DagAccessEntity.TASK_LOGS)` on top, means the token is a kind of second factor but not the only means of authentication. You need to authenticate to get logs. I don't see any handling with the decorator ignoring an HTTP-based auth if a token is provided. Do you mean with your feedback that if we implement auth in internal API that we need to put the token "on top" to have a second factor?
Or should a generated token based on the secret key replace/substitute any decorator e.g. which I just added in AIP-69 in https://github.com/apache/airflow/pull/40224/files#diff-5fb7e8d1b04e10947ebd11fdba06820f44cac02f2f36ad97b5964cf0273b05cfR69 (`@requires_access_custom_view("POST", REMOTE_WORKER_API_ROLE)`) - would a pure token authentication be sufficient?
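Review bot: In `_init_values`, the `internal_api_endpoint.find("/", 8) == -1` test relies on a magic offset and runs before the scheme check, so a value that has only a trailing slash (for example `http://host:8080/`) counts as already carrying a path and never gets `/internal_api/v1/rpcapi` appended. Consider validating the scheme first, then parsing the value with `urllib.parse.urlsplit` and appending the default path when the parsed path is empty or `/`. Separately, `http://` is still accepted while `internal_api_user` and `internal_api_password` are now read from config; if those values feed the `AuthBase` returned by `get_auth()`, they would be sent without transport encryption, so a warning or an `https://` requirement when credentials are set would be worth adding.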