[AIRFLOW-1697] Mode to disable charts endpoint

UPDATING.md

@@ -270,6 +270,8 @@ supported and will be removed entirely in Airflow 2.0
   Previously, `Operator.__init__()` accepted any arguments (either positional `*args` or keyword `**kwargs`) without
   complaint. Now, invalid arguments will be rejected. (https://github.com/apache/incubator-airflow/pull/1285)
 
+- The config value secure_mode will default to True which will disable some insecure endpoints/features
+
 ### Known Issues
 There is a report that the default of "-1" for num_runs creates an issue where errors are reported while parsing tasks.
 It was not confirmed, but a workaround was found by changing the default back to `None`.

airflow/config_templates/default_airflow.cfg

@@ -117,6 +117,10 @@ default_impersonation =
 # What security module to use (for example kerberos):
 security =
 
+# If set to False enables some unsecure features like Charts. In 2.0 will
+# default to True.
+secure_mode = False
+
 # Turn unit test mode on (overwrites many configuration options with test
 # values at runtime)
 unit_test_mode = False

airflow/www/app.py

@@ -22,6 +22,7 @@ from flask_wtf.csrf import CSRFProtect
 csrf = CSRFProtect()
 
 import airflow
+from airflow import configuration as conf
 from airflow import models, LoggingMixin
 from airflow.settings import Session
 
@@ -69,8 +70,10 @@ def create_app(config=None, testing=False):
         av(vs.Airflow(name='DAGs', category='DAGs'))
 
         av(vs.QueryView(name='Ad Hoc Query', category="Data Profiling"))
-        av(vs.ChartModelView(
+
-            models.Chart, Session, name="Charts", category="Data Profiling"))
+        if not conf.getboolean('core', 'secure_mode'):
+            av(vs.ChartModelView(
+                models.Chart, Session, name="Charts", category="Data Profiling"))
         av(vs.KnownEventView(
             models.KnownEvent,
             Session, name="Known Events", category="Data Profiling"))

airflow/www/views.py

@@ -37,7 +37,8 @@ import sqlalchemy as sqla
 from sqlalchemy import or_, desc, and_, union_all
 
 from flask import (
-    redirect, url_for, request, Markup, Response, current_app, render_template, make_response)
+    abort, redirect, url_for, request, Markup, Response, current_app, render_template, 
+    make_response)
 from flask_admin import BaseView, expose, AdminIndexView
 from flask_admin.contrib.sqla import ModelView
 from flask_admin.actions import action
@@ -299,6 +300,9 @@ class Airflow(BaseView):
     def chart_data(self):
         from airflow import macros
         import pandas as pd
+        if conf.getboolean('core', 'secure_mode'):
+            abort(404)
+
         session = settings.Session()
         chart_id = request.args.get('chart_id')
         csv = request.args.get('csv') == "true"
@@ -437,6 +441,9 @@ class Airflow(BaseView):
     @expose('/chart')
     @data_profiling_required
     def chart(self):
+        if conf.getboolean('core', 'secure_mode'):
+            abort(404)
+
         session = settings.Session()
         chart_id = request.args.get('chart_id')
         embed = request.args.get('embed')

scripts/ci/airflow_travis.cfg

@@ -23,6 +23,7 @@ donot_pickle = False
 dag_concurrency = 16
 dags_are_paused_at_creation = False
 default_impersonation =
+secure_mode = False
 fernet_key = af7CN0q6ag5U3g08IsPsw3K45U7Xa0axgVFhoh-3zB8=
 
 [webserver]