Feature/add token authentication to internal api #40899
Conversation
|
I looked in detail, and (sorry for that I was just quickly looking it up - but the concept is similar). The actual code I think we should model it from is similar but adds a bit more protection is the one we use to retrieve logs (because It also adds expiry-date for the request) - and it uses JWTSigner Instead of itsdangerous. Here is the server side: airflow/airflow/utils/serve_logs.py Line 80 in c2a54ef And here is the client side: https://github.com/apache/airflow/blob/main/airflow/utils/log/file_task_handler.py#L94 Conceptually it's very similar to signer - you can sign the whole payload of the request - and pass it as "Authorization:" header. This way:
|
|
(and I am quickly fixing the selective check error) |
|
Fix to selective checks failing here: #40904 |
jscheffl
force-pushed
the
feature/add-token-authentication-to-internal-api
branch
from
70a98a0
to
132e8df
Compare
|
@potiuk Thanks for the fix in selective checks. Have re-worked now with JWT approach - this is how you wanted to have it? Note I am off on a cycling tour through switzerland tomorrow, will check probably in the evening, will not be online frequently. |
|
I hope you have a good tour! Yes that's what I thought about. |
jscheffl
force-pushed
the
feature/add-token-authentication-to-internal-api
branch
from
132e8df
to
44c1a0e
Compare
|
One small comment on that. I think the mechanism is cool. But we should use different secret key - not the webserver one. Otherwise DAG authors will have access to webserver key which is somewhat sensitive. the Internal API key should be different. |
Yes, DAG authors could have access to the secret key. But all is internal API components need to have a shared secret. Even if we use any other means (adding another different key, using a specific keyfile, even if public/private keypair is used) the DAG code has access to these details and could grab the key. This might be a very more complex mechanism needed if the key should be secured and this might impose a more complex implementation. I'd propose to take this into consideration when we go to Airflow 3, as ash also described a few mechanisms in his AIP-72 that might be used. So, WDYT: |
|
b) |
jscheffl
force-pushed
the
feature/add-token-authentication-to-internal-api
branch
from
44c1a0e
to
a614996
Compare
Co-authored-by: Vincent <97131062+vincbeck@users.noreply.github.com>
During the implementation of authentication protection for AIP-69 I realized that Internal API does not carry support for authentication access.
Due to review of #40897 - alternative PR using token authentication on internal API
Noteworthy: Compared to other use I just added the token to the JSON request body dict, thought this is "simpler" than adding a POST/request parameter to the call, API is internal anyway.