[ https://issues.apache.org/jira/browse/AIRFLOW-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16226700#comment-16226700 ]
Ash Berlin-Taylor commented on AIRFLOW-1765:
--------------------------------------------

I have created two PRs that fix this in different ways. Only one should be used and the other closed unmerged.

- https://github.com/apache/incubator-airflow/pull/2736 - default backend denies all, added an allow_all backend
- https://github.com/apache/incubator-airflow/pull/2737 - default backend still allows all, added a deny_all backend.

In both cases there remains an airflow.api.auth.backend.default so that existing configs won't suddenly break.

> Default API auth backend should deny all.
> ----------------------------------------
>
>                 Key: AIRFLOW-1765
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1765
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: api, authentication
>    Affects Versions: 1.8.2
>            Reporter: Ash Berlin-Taylor
>              Labels: security
>             Fix For: 1.9.0
>
>
> It has been discovered that the experimental API in the default configuration
> is not protected behind any authentication.
> This means that out of the box the Airflow webserver's /api/experimental/ can
> be requested by anyone, meaning pools can be updated/deleted and task
> instance variables can be read.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
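As an added illustration (not code from the linked PRs or from Airflow itself), the following shows the shape of an experimental-API auth backend module in its deny-all and allow-all forms, and a small audit of an airflow.cfg `[api]` section that flags an open API. The `allow_all` module name is taken from the PR description; that `airflow.api.auth.backend.default` allows all is an assumption based on the issue text for 1.8.2.

```python
"""Added example (not code from the linked PRs or from Airflow itself):
the contract an experimental-API auth backend module fulfils, plus an
audit of an airflow.cfg [api] section that flags the allow-all case.
Assumption: airflow.api.auth.backend.default allows all, as the issue
describes for 1.8.2; verify against the installed release."""
import configparser
from functools import wraps

def deny_all_requires_authentication(function):
    """Backend decorator that rejects every request with HTTP 403."""
    @wraps(function)
    def decorated(*args, **kwargs):
        return "Forbidden", 403  # Flask-style (body, status) tuple
    return decorated

def allow_all_requires_authentication(function):
    """Backend decorator that passes every request through unauthenticated."""
    @wraps(function)
    def decorated(*args, **kwargs):
        return function(*args, **kwargs)
    return decorated

def pools_view():
    """Stand-in for an /api/experimental/ view such as the pools endpoint."""
    return "pools", 200

denied_pools_view = deny_all_requires_authentication(pools_view)
open_pools_view = allow_all_requires_authentication(pools_view)

# Backend module names that leave /api/experimental/ open to any caller
# (allow_all is the name proposed in PR 2736).
ALLOW_ALL_BACKENDS = {
    "airflow.api.auth.backend.default",
    "airflow.api.auth.backend.allow_all",
}

def api_auth_backend(cfg_text):
    """Return the configured [api] auth_backend, or the default when unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    return cp.get("api", "auth_backend",
                  fallback="airflow.api.auth.backend.default").strip()

def api_is_open(cfg_text):
    """True when the config leaves the experimental API unauthenticated."""
    return api_auth_backend(cfg_text) in ALLOW_ALL_BACKENDS

# Constructed sample configs for the audit.
OPEN_CFG = "[api]\nauth_backend = airflow.api.auth.backend.default\n"
CLOSED_CFG = "[api]\nauth_backend = airflow.api.auth.backend.deny_all\n"
```

A config with no `[api]` section at all is reported as open, since the shipped default backend is then what applies.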