bugraoz93 commented on PR #68444: URL: https://github.com/apache/airflow/pull/68444#issuecomment-4699515180
@henry3260 could you please update PR and it's decriptions :) > 1. If `airflowctl` exists, why change this CLI at all. Deprecate it sure, but why change it to use the API endpoint which may or may not be running when? > 2. Please improve the commit message as per our contributing guidlines > 3. Where does it get auth from? Hey Ash, thanks for raising this! There will be some PRs like this using airflowctl client. I added the auth and how the client should be created here #68175. It should use that. This work should use airflowctl behind the scenes as we agreed under [AIP-94](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=382175838). We agreed on using the airflowctl client, so behind the scenes the CLI will work by generating the API token if it is running on the server as an admin for those commands, or by using the proper config embedded locally. Otherwise, we should direct people to use airflowctl directly, as they can achieve the same results with it safely with RBAC. TLDR Normally, the CLI requires direct DB credentials to run, so if the auth configuration is present, it should work as expected since it should already exist on the server. Given that we already expose DB credentials, and with FAB even user credentials using DB ones, this should not introduce any additional exposure. We expect the auth-related configuration to be available in `airflow.cfg` when invoking the CLI, as it is already required for Airflow to run (on an instance from admin to execute). https://github.com/apache/airflow/blob/main/airflow-core/src/airflow/cli/api_client.py -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
