[ https://issues.apache.org/jira/browse/AIRFLOW-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16225454#comment-16225454 ]

Ash Berlin-Taylor commented on AIRFLOW-1765:
--------------------------------------------

The /dags page needs to not use the experimental API before we can deny by default.

> Default API auth backend should deny all.
> -----------------------------------------
>
>                 Key: AIRFLOW-1765
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1765
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: api, authentication
>    Affects Versions: 1.8.2
>            Reporter: Ash Berlin-Taylor
>            Priority: Critical
>              Labels: security
>             Fix For: 1.9.0
>
>
> It has been discovered that the experimental API in the default configuration
> is not protected behind any authentication.
> This means that out of the box the Airflow webserver's /api/experimental/ can
> be requested by anyone, meaning pools can be updated/deleted and task
> instance variables can be read.