Victor created AIRFLOW-3095: ------------------------------- Summary: Password Auth fails to forbid access when it should Key: AIRFLOW-3095 URL: https://issues.apache.org/jira/browse/AIRFLOW-3095 Project: Apache Airflow Issue Type: Bug Components: authentication Affects Versions: 1.10.0 Reporter: Victor
Hi, I encountered the following very strange situation that looks like a big security bug: * I started a new instance of airflow with a database (using the puckel docker image for the record) and with the airflow.contrib.auth.backends.password_auth backend. * I created a user on it by following [https://airflow.apache.org/security.html#password] * I connected to the instance with my browser and I was asked to login * I logged on the airflow instance, played with it a bit, * I destroyed the instance as well as its database * I created a new instance, still with the airflow.contrib.auth.backends.password_auth backend. * I connected to the instance with my browser and I was NOT asked to login even though there was no user created on it! I think something is missing and the cookie of the browser (or whatever) is reused and trusted as if it was enough to authenticate the user. -- This message was sent by Atlassian JIRA (v7.6.3#76005)