This commit adds a .github/SECURITY.md file that defines the
contents of the "Policy" tab in the new "Security" section of
the GitHub interface.
Currently the Policy tab obtains its content from the
docs/security.rst file, which contains technical, non-policy
related information. This commit retains the
"Reporting Vulnerabilities" section of docs/security.rst, which
is relevant, and strips the extraneous content.
Some commands for installing extra packages, like
`pip install apache-airflow[devel]`, cause errors
in special situations/shells. We should clear them
by adding quotation marks, like
`pip install 'apache-airflow[devel]'`
Some commands for installing extra packages are
`pip install apache-airflow[devel]`; we should
clear the install extra package command to
`pip install 'apache-airflow[devel]'`
[ci skip]
In master branch, we have already decommissioned the Flask-Admin UI.
In model definitions, User and Chart are only applicable for the
"old" UI based on Flask-Admin.
Hence we should decommission these two models as well.
Related docs are updated in this commit as well.
The current `airflow flower` doesn't come with any authentication.
This may expose essential information in an untrusted environment.
This commit adds support for HTTP basic authentication for Airflow Flower.
Ref:
https://flower.readthedocs.io/en/latest/auth.html
This adds ASF license headers to all the .rst and .md files with the
exception of the Pull Request template (as that is included verbatim
when opening a Pull Request on GitHub, which would be messy).
* [AIRFLOW-3178] Don't mask defaults() function from ConfigParser
ConfigParser (the base class for AirflowConfigParser) expects defaults()
to be a function - so when we re-assign it to be a property some of the
methods from ConfigParser no longer work.
* [AIRFLOW-3178] Correctly escape percent signs when creating temp config
Otherwise we have a problem when we come to use those values.
* [AIRFLOW-3178] Use os.chmod instead of shelling out
There's no need to run another process for a built in Python function.
This also removes a possible race condition that would make the temporary
config file readable by more than the airflow or run-as user.
The exact behaviour would depend on the umask we run under, and the
primary group of our user; likely this would mean the file was readable
by members of the airflow group (which in most cases would be just the
airflow user). To remove any such possibility we chmod the file
before we write to it.
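The temp-config handling described in the AIRFLOW-3178 messages above (owner-only mode set before any data is written, percent signs escaped), as an added Python example that is not Airflow's own code. The function names, the file name pattern and the sample connection string are hypothetical and constructed for illustration.

```python
import configparser
import os
import stat
import tempfile


def write_private_config(section, values, directory=None):
    """Create a new config file readable only by its owner, then fill it."""
    directory = directory or tempfile.gettempdir()
    # Hypothetical file name pattern; the random suffix avoids collisions.
    path = os.path.join(directory, "example-%s.cfg" % os.urandom(8).hex())
    # O_EXCL refuses a pre-existing path. Mode 0o600 applies at creation and
    # the umask can only remove bits, so the file is never wider than owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        # Explicit chmod on the open descriptor, still before any secret is
        # written, and without starting another process.
        os.fchmod(handle.fileno(), 0o600)
        parser = configparser.ConfigParser()
        # ConfigParser treats "%" as interpolation syntax, so a literal
        # percent sign has to be written as "%%".
        parser[section] = {k: v.replace("%", "%%") for k, v in values.items()}
        parser.write(handle)
    return path


def read_config(path, section):
    """Read the section back; interpolation turns '%%' into '%' again."""
    parser = configparser.ConfigParser()
    parser.read(path)
    return dict(parser[section])


if __name__ == "__main__":
    # Constructed sample value containing a URL-encoded '@' (%40).
    sample = {"sql_alchemy_conn": "postgresql://u:p%40ss@db/airflow"}
    cfg = write_private_config("core", sample, tempfile.mkdtemp())
    print(oct(stat.S_IMODE(os.stat(cfg).st_mode)), read_config(cfg, "core"))
```
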
To clarify installation instructions for the google auth backend, add an
install group to `setup.py` that installs dependencies for google auth via
`pip install apache-airflow[google_auth]`.
Previously the experimental API was either wide-open only (allow any
request) or secured behind Kerberos. This adds a third option of
deny-all.
Closes #2737 from ashb/exp-api-securable
- Add BROKER_USE_SSL config to give option to send AMQP messages over SSL
- Can be set using usual airflow options (e.g. airflow.cfg, env vars, etc.)
Closes #2333 from forsberg/ssl_amqp
If the key ldap/group_member_attr is set in the
airflow.cfg, this value is used to lookup groups
for the user.
Closes #2232 from vfoucault/fixbug/ldap_auth
Please accept this PR that addresses the following issues:
- https://issues.apache.org/jira/browse/AIRFLOW-963
Testing Done:
- ran sphinx-build locally and confirmed correctly rendered
Closes #2139 from sekikn/AIRFLOW-963
Submitting on behalf of plypaul
Please accept this PR that addresses the following issues:
- https://issues.apache.org/jira/browse/AIRFLOW-219
- https://issues.apache.org/jira/browse/AIRFLOW-398
Testing Done:
- Running on Airbnb prod (though on a different mergebase) for many months
Credits:
Impersonation Work: georgeke did most of the work
but plypaul did quite a bit of work too.
Cgroups: plypaul did most of the work, I just did
some touch up/bug fixes (see commit history,
cgroups + impersonation commit is actually plypaul's not mine)
Closes #1934 from aoen/ddavydov/cgroups_and_impersonation_after_rebase
SSL can now be enabled by providing certificate and key in the usual
ways (config file or CLI options). Providing the cert and key will
automatically enable SSL. The web server port will not automatically
change.
The Security page in the docs now includes an SSL section with basic
setup information.
Closes #1760 from caseyching/master
Add Google authentication backend.
Add Google authentication information to security docs.
Dear Airflow Maintainers,
Please accept this PR that addresses the following issues:
- https://issues.apache.org/jira/browse/AIRFLOW-444
Testing Done:
- Tested Google authentication backend locally with no issues
This is mostly an adaptation of the GHE authentication backend.
Closes #1747 from ananya77041/google_auth_backend
This is the correct solution to #796 -- instead of completely dropping
the variable altogether.
Added a bit of "pretty" failure for this error as well--including
specifying what is happening in the webserver log, and how it can be
fixed.