We could simply stop printing out these passwords. Passwords are auto generated
if not already defined in a file configured in
`[core] simple_auth_manager_passwords_file`. So the user can see these passwords by
opening this file. We could (if it is not considered as unsecured?) print out
the fi
I should add, the import here is, many users who never customized auth
before will now see this message and not really have a clue what they are
supposed to do, and I think it will probably create a good amount of
confusion.
On Thu, Mar 20, 2025 at 10:27 AM Daniel Standish <
daniel.stand...@astron
Hmmm, I wonder if it can instead be made clearer. Something like this?
*Simple Auth Manager Enabled.*
*The Simple Auth Manager is intended for development and testing. If you're
using it in production, ensure that access is controlled through other
means.*
Thanks & Regards,
Amogh Desai
On T
> > > > >> >> during the Airflow 3 dev call). We have two options:
> > > > > >> >> - Option 1: update the banner with a friendlier message
> > > > > >> >> - Option 2: resolve the security issue to make SAM
> production
>
curity issue to make SAM production
> > > >> compatible
> > > >> >> and remove the banner
> > > >> >>
> > > >> >> Any preference on which option we should go with?
> > > >> >>
> > > >> >> On 2025/03/24 16:52:11 "Oliveira, Niko
ira, Niko" wrote:
> > >> >> > Agreed, I think combining the two will make SAM not so simple. But
> > we
> > >> >> should definitely have an open source, easy to acquire option for
> > >> people to
> > >> >> use that has all th
le. But
> we
> >> >> should definitely have an open source, easy to acquire option for
> >> people to
> >> >> use that has all the bells and whistles that SAM does not have. And
> >> >> KeyCloak is a decent option for this!
> >>
ells and whistles that SAM does not have. And
> >> KeyCloak is a decent option for this!
> >> >
> >> > ____
> >> > From: Vincent Beck
> >> > Sent: Monday, March 24, 2025 6:04:42 AM
> >> > To: dev@airflow.ap
rch 24, 2025 6:04:42 AM
> > To: dev@airflow.apache.org
> > Subject: RE: [EXT] [DISCUSS] confusing alert re SimpleAuthManager
> >
> > CAUTION: This email originated from outside of the organization. Do not
> click links or open attachments unless you can confirm the sende
: Vincent Beck
Sent: Monday, March 24, 2025 6:04:42 AM
To: dev@airflow.apache.org
Subject: RE: [EXT] [DISCUSS] confusing alert re SimpleAuthManager
CAUTION: This email originated from outside of the organization. Do not click
links or open attachments unless you can confirm the sender and know the
I do not think integrating KeyCloak with SAM is a great idea. Having a separate
auth manager specific to KeyCloak is, on the other side, a good idea. We should
keep SAM simple as it is. I also do not think making it secure requires a lot of
work so I do not think it is worth having a development
Well.. Actually Pierre is quite right. While we have not intended Simple
Auth Manager for production it **could** be used.
However we would have to carefully think what to do with default passwords
etc. Currently a lot of warnings in CodeQL were about "writing sensitive
information to logs" - and
Giving users a warning sounds good.
I agree with Pierre, too. How about defining the rules set to be secure by
design? Or just following up on a pattern without discovering something
new? Could you please elaborate on Jarek?
*TLDR*
It may be a slight implementation detail and just a thought, but w
Is it really wrong to use the SimpleAuthManager in production? To my
knowledge it lacks a lot of features such as user management and the
permission model is really simplistic, but maybe some installations don’t
need the fancy Auth stuff?
Instead of being a scary warning that could be just an in
This alert can be definitely improved. I do think we should have it and we
should not remove it. If you have some proposals, please feel free to create a
PR, I'll be happy to review. Mentioning the other auth managers as alternatives
is, I think, a great idea.
On 2025/03/21 07:20:26 Amogh Desai
I'm saying, sounds confusing!
On Thu, Mar 20, 2025 at 11:27 AM wrote:
> Sounds great! Do we have something in the config linter to highlight this
> change?
>
> > On Mar 20, 2025, at 11:19 PM, Daniel Standish
> wrote:
> >
> > It says this:
> >
> > Development-only auth manager configured
> > Th
Sounds great! Do we have something in the config linter to highlight this
change?
> On Mar 20, 2025, at 11:19 PM, Daniel Standish
> wrote:
>
> It says this:
>
> Development-only auth manager configured
> The auth manager configured in your environment is the Simple Auth Manager,
> which is i
It says this:
Development-only auth manager configured
The auth manager configured in your environment is the Simple Auth Manager,
which is intended for development use only. It is not suitable for
production and should not be used in a production environment.
On Thu, Mar 20, 2025 at 10:48 AM Jar
What's the alert - at least for me it did not get through
On Thu, Mar 20, 2025 at 6:33 PM Daniel Standish
wrote:
> I should add, the import here is, many users who never customized auth
> before will now see this message and not really have a clue what they are
> supposed to do, and I think it w
I just saw this when spinning up airflow
[image: image.png]
I think the message is confusing / misleading / not very helpful.
There's nothing necessarily wrong with having simple auth or no auth if you
control access some other way. Moreover we don't tell users what they
should do instead!
So