New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
auth for worker log serve app #16485
Comments
Thanks for opening your first issue here! Be sure to follow the issue template! |
How do you propose to secure this server? We previously did not have any additional protection for communication between components, so it is worth considering the best way to do this. |
Hi. ex: I've thought of 2 ways for this. please suggest
I've noticed systems use method 1 for connecting services, but also have their own individual auth backend builtin each component service by decoupling with the rest. But this is if each is a component service that can be used without the other. If Airflow Webserver UI is tied with scheduler,worker and we can go with 1 by making the log api use a global key. |
Sessions may be suboptimal since it means restarting a service requires re-establishing authentication. Having a fernet key is a more popular solution for microservices, from what I know. |
or maybe send an encrypted response on a request without any headers but can only be decrypted via fernet key on the client side ? |
The client still needs to somehow send a key for the server to encode things, so that’s basically the same idea implemented a bit differently. |
We can also use the airflow/airflow/api_connexion/endpoints/dag_source_endpoint.py Lines 32 to 34 in db10c68
In our case, we can use TimedSigner /TimedJSONWebSignatureSerializer so that even a key leak does not pose a security risk https://github.com/pallets/itsdangerous/blob/b1e32ca0a77a819dc992e0b9ab9e70929b9224aa/src/itsdangerous/timed.py#L169.https://github.com/pallets/itsdangerous/blob/b1e32ca0a77a819dc992e0b9ab9e70929b9224aa/src/itsdangerous/jws.py#L186-L196 |
Done: #16754 |
Description
To use Authentication for Flask app: airflow.utils.serve_logs while serving logs for Celery Workers
Airflow UI does not allow users to view task logs if they don't have access to the dag.
But the Flask server is still open and user can send simple request without any authentication method to fetch the log file with the path.
Use case / motivation
To fix this vulnerability via a suitable methodology as log files shouldn't be open to access freely.
Are you willing to submit a PR?
Yes
@mik-laj
The text was updated successfully, but these errors were encountered: