[AIRFLOW-1765] Make experimental API securable without needing Kerberos.

Previously the experimental API was either wide-
open only (allow any
request) or secured behind Kerberos. This adds a
third option of
deny-all.

Closes #2737 from ashb/exp-api-securable
This commit is contained in:
Ash Berlin-Taylor 2017-11-01 15:38:36 +01:00 коммит произвёл Bolke de Bruin
Родитель 0bf7adb209
Коммит 0e27e1b209
3 изменённых файлов: 47 добавлений и 5 удалений

Просмотреть файл

@ -0,0 +1,30 @@
# -*- coding: utf-8 -*-
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from functools import wraps
from flask import Response
client_auth = None
def init_app(app):
pass
def requires_authentication(function):
@wraps(function)
def decorated(*args, **kwargs):
return Response("Forbidden", 403)
return decorated

Просмотреть файл

@ -28,16 +28,26 @@ configure as follows:
Authentication
--------------
Only Kerberos authentication is currently supported for the API. To enable this set the following
in the configuration:
Authentication for the API is handled separately to the Web Authentication. The default is to not
require any authentication on the API -- i.e. wide open by default. This is not recommended if your
Airflow webserver is publicly accessible, and you should probably use the deny all backend:
.. code-block:: bash
.. code-block:: ini
[api]
auth_backend = airflow.api.auth.backend.default
auth_backend = airflow.api.auth.backend.deny_all
Kerberos is the only "real" authentication mechanism currently supported for the API. To enable
this set the following in the configuration:
.. code-block:: ini
[api]
auth_backend = airflow.api.auth.backend.kerberos_auth
[kerberos]
keytab = <KEYTAB>
The Kerberos service is configured as `airflow/fully.qualified.domainname@REALM`. Make sure this
The Kerberos service is configured as ``airflow/fully.qualified.domainname@REALM``. Make sure this
principal exists in the keytab file.

Просмотреть файл

@ -8,6 +8,8 @@ SSH tunnels.
It is however possible to switch on authentication by either using one of the supplied
backends or creating your own.
Be sure to checkout :doc:`api` for securing the API.
Web Authentication
------------------