[AIRFLOW-1765] Make experimental API securable without needing Kerberos.
Previously the experimental API was either wide-open only (allow any request) or secured behind Kerberos. This adds a third option of deny-all.
Closes #2737 from ashb/exp-api-securable
Parent
0bf7adb209
Commit
0e27e1b209
|
@ -0,0 +1,30 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
from functools import wraps
|
||||
from flask import Response
|
||||
|
||||
client_auth = None
|
||||
|
||||
|
||||
def init_app(app):
|
||||
pass
|
||||
|
||||
|
||||
def requires_authentication(function):
|
||||
@wraps(function)
|
||||
def decorated(*args, **kwargs):
|
||||
return Response("Forbidden", 403)
|
||||
|
||||
return decorated
|
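Review bot: `requires_authentication` never calls `function` and returns `Response("Forbidden", 403)` unconditionally, but nothing in the module says this is intentional. Add a module or function docstring stating that this backend rejects every request, and a short comment on `client_auth = None` and the empty `init_app` explaining why they are present with no behaviour, so a later reader does not "fix" the unused `function` argument. Consider also logging the denied request so operators can see that clients are hitting a disabled API.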
20
docs/api.rst
|
@ -28,16 +28,26 @@ configure as follows:
|
|||
Authentication
|
||||
--------------
|
||||
|
||||
Only Kerberos authentication is currently supported for the API. To enable this set the following
|
||||
in the configuration:
|
||||
Authentication for the API is handled separately to the Web Authentication. The default is to not
|
||||
require any authentication on the API -- i.e. wide open by default. This is not recommended if your
|
||||
Airflow webserver is publicly accessible, and you should probably use the deny all backend:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: ini
|
||||
|
||||
[api]
|
||||
auth_backend = airflow.api.auth.backend.default
|
||||
auth_backend = airflow.api.auth.backend.deny_all
|
||||
|
||||
|
||||
Kerberos is the only "real" authentication mechanism currently supported for the API. To enable
|
||||
this set the following in the configuration:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[api]
|
||||
auth_backend = airflow.api.auth.backend.kerberos_auth
|
||||
|
||||
[kerberos]
|
||||
keytab = <KEYTAB>
|
||||
|
||||
The Kerberos service is configured as `airflow/fully.qualified.domainname@REALM`. Make sure this
|
||||
The Kerberos service is configured as ``airflow/fully.qualified.domainname@REALM``. Make sure this
|
||||
principal exists in the keytab file.
|
||||
|
|
|
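Review bot: the new Authentication paragraph recommends `airflow.api.auth.backend.deny_all` without saying that this backend answers every request with 403, so enabling it turns the experimental API off rather than authenticating callers. State that explicitly next to the `auth_backend = airflow.api.auth.backend.deny_all` example, and replace "you should probably use" with a direct recommendation, since the same paragraph says the default is wide open. Minor: "separately to" reads better as "separately from".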
@ -8,6 +8,8 @@ SSH tunnels.
|
|||
It is however possible to switch on authentication by either using one of the supplied
|
||||
backends or creating your own.
|
||||
|
||||
Be sure to checkout :doc:`api` for securing the API.
|
||||
|
||||
Web Authentication
|
||||
------------------
|
||||
|
||||
|
|
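Review bot: in the added sentence "Be sure to checkout :doc:`api` for securing the API.", "checkout" should be "check out", and the sentence does not say why the reader needs to go there. Since it sits directly above the "Web Authentication" heading, say that the web authentication backends described below do not protect the API and that API authentication is configured separately, as docs/api.rst now states.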