[ https://issues.apache.org/jira/browse/AIRFLOW-3095?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16622261#comment-16622261 ]

Ash Berlin-Taylor commented on AIRFLOW-3095:
--------------------------------------------

Your suspicion sounds correct - your new instance probably had the same Flask 
signing key and the old UI only checks the database rows exist on login, not on 
every access.

This could possibly be fixed (there might have already been a change that has 
landed that will by default generate a new signing key on each start unless one 
is *explicitly* provided).

I think the real-world impact/risk of this is fairly minimal. And we will be 
migrating to the new UI (the "RBAC" one) so we should check how that behaves in 
this case.

> Password Auth fails to forbid access when it should
> ---------------------------------------------------
>
>                 Key: AIRFLOW-3095
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-3095
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: authentication
>    Affects Versions: 1.10.0
>            Reporter: Victor
>            Priority: Major
>              Labels: security
>
> Hi,
>  
> I encountered the following very strange situation that looks like a big 
> security bug:
>  * I started a new instance of airflow with a database (using the puckel 
> docker image for the record) and with the 
> airflow.contrib.auth.backends.password_auth backend.
>  * I created a user on it by following 
> [https://airflow.apache.org/security.html#password]
>  * I connected to the instance with my browser and I was asked to login
>  * I logged on the airflow instance, played with it a bit,
>  * I destroyed the instance as well as its database
>  * I created a new instance, still with the 
> airflow.contrib.auth.backends.password_auth backend.
>  * I connected to the instance with my browser and I was NOT asked to login 
> even though there was no user created on it!
> I think something is missing and the cookie of the browser (or whatever) is 
> reused and trusted as if it was enough to authenticate the user.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
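The two points raised in the comment above (the rebuilt instance reusing the same Flask signing key, and the old UI checking the user row only at login) can be modelled with a few lines of plain Python. This is an added illustration, not Airflow's or Flask's code: `SessionSigner` is a deliberately simplified HMAC-signed cookie (the real Flask session format differs), and `current_user`, `scenario` and the key values are hypothetical, constructed for the example.

```python
# Added example (not Airflow/Flask code): simplified model of a signed session
# cookie surviving an instance rebuild. All names and keys are constructed.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


class SessionSigner:
    """HMAC-sign and verify a session payload (a simplified stand-in for
    Flask's cookie session; the real wire format is different)."""

    def __init__(self, secret_key: bytes):
        self.secret_key = secret_key

    def sign(self, payload: dict) -> str:
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
        mac = hmac.new(self.secret_key, body, hashlib.sha256).digest()
        return body.decode() + "." + base64.urlsafe_b64encode(mac).decode()

    def verify(self, cookie: str) -> Optional[dict]:
        body, _, mac_b64 = cookie.partition(".")
        try:
            expected = hmac.new(self.secret_key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, base64.urlsafe_b64decode(mac_b64)):
                return None  # tampered, or signed with a different key
            return json.loads(base64.urlsafe_b64decode(body))
        except ValueError:
            return None


def current_user(cookie: str, signer: SessionSigner, users: set, recheck_db: bool) -> Optional[str]:
    """Username for this request, or None if the user must log in again.
    recheck_db=False mirrors the old UI (cookie trusted once issued);
    recheck_db=True re-validates the user row on every access."""
    session = signer.verify(cookie)
    if session is None:
        return None
    username = session.get("user_id")
    if recheck_db and username not in users:
        return None
    return username


def scenario(same_key: bool, recheck_db: bool) -> Optional[str]:
    # Instance 1: static key, user exists, login issues a signed cookie.
    key1 = b"constructed-static-secret-key"
    cookie = SessionSigner(key1).sign({"user_id": "victor"})
    # Instance 1 and its database are destroyed. Instance 2 starts with an
    # empty user table and either the same key or a freshly generated one.
    key2 = key1 if same_key else secrets.token_bytes(32)
    users_after_rebuild: set = set()
    return current_user(cookie, SessionSigner(key2), users_after_rebuild, recheck_db)
```

Only the combination "same key, no re-check" lets the stale cookie through; either a per-start key or a per-request user lookup closes it.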