Re: [DISCUSS] confusing alert re SimpleAuthManager

2025-03-27 Thread Vincent Beck
Given the different concerns to consider SAM as secured for production use and time, I decided to go with option 1. We can always iterate on it later and update SAM to make it production ready if we want to. I created a PR to update the banner, I used the text proposed by Amogh and I converted

Re: [DISCUSS] confusing alert re SimpleAuthManager

2025-03-27 Thread Daniel Standish
But like, recall in airflow 2 there was some capability to do auth role public. I.e. no security. And we did not show a bubble for that, I don't think. And many users would implement security not within airflow itself but in controlling access to airflow. So, as long as there's some mechanism t

Re: [DISCUSS] confusing alert re SimpleAuthManager

2025-03-27 Thread Jarek Potiuk
Just a comment. Explaining how to disable it is almost the same as officially making it production-ready but without guarantees. Look how many people are using sequential executor despite having the warning. If we tell people how to disable it easily, they will just use it. Plenty of them. And I

Re: [DISCUSS] confusing alert re SimpleAuthManager

2025-03-27 Thread Daniel Standish
There needs to be a way to disable the banner IMO On Thu, Mar 27, 2025 at 10:20 AM Kaxil Naik wrote: > message cut: > > I am fine with Option (1) given the current time constraints and since it > is for dev only and can be iterated in follow-up releases > > > On Thu, 27 Mar 2025 at 22:47, Kaxil

Re: [DISCUSS] confusing alert re SimpleAuthManager

2025-03-27 Thread Kaxil Naik
message cut: I am fine with Option (1) given the current time constraints and since it is for dev only and can be iterated in follow-up releases On Thu, 27 Mar 2025 at 22:47, Kaxil Naik wrote: > I am fine with Option (1) imo > > On Thu, 27 Mar 2025 at 22:05, Vincent Beck wrote: > >> Following

Re: [DISCUSS] confusing alert re SimpleAuthManager

2025-03-27 Thread Kaxil Naik
I am fine with Option (1) imo On Thu, 27 Mar 2025 at 22:05, Vincent Beck wrote: > Following back on that thread (I should probably have called it out during > the Airflow 3 dev call). We have two options: > - Option 1: update the banner with a friendlier message > - Option 2: resolve the secur

Re: [DISCUSS] confusing alert re SimpleAuthManager

2025-03-27 Thread Daniel Standish
So yes we can make it friendlier and then tell users how it can be disabled by config. On Thu, Mar 27, 2025 at 10:28 AM Daniel Standish < daniel.stand...@astronomer.io> wrote: > There needs to be a way to disable the banner IMO > > On Thu, Mar 27, 2025 at 10:20 AM Kaxil Naik wrote: > >> message

Re: [DISCUSS] confusing alert re SimpleAuthManager

2025-03-27 Thread Vincent Beck
Following back on that thread (I should probably have called it out during the Airflow 3 dev call). We have two options: - Option 1: update the banner with a friendlier message - Option 2: resolve the security issue to make SAM production compatible and remove the banner Any preference on whic

[Meeting Notes] Airflow 3.0 dev call - 27 March 2025

2025-03-27 Thread Vikram Koka
Hey everyone, I updated our meeting notes document in the Airflow wiki to capture the notes from our quick dev call earlier today. The link for those notes is here Thank you all fo

Re: [LAZY CONSENSUS] Use `uv` as the only supported tooling for Airflow development

2025-03-27 Thread Jarek Potiuk
Hello, The lazy consensus has been reached. I have a PR [1] that I hope to make green soon - it moves a number of (mostly tests) files around and creates a few more internal distributions - all dependencies are moved to corresponding pyproject.toml files and a lot of custom code to create environmen

Re: [DISCUSS] confusing alert re SimpleAuthManager

2025-03-27 Thread Vincent Beck
Is the security issue only printing out the passwords in stdout? If yes, I can easily remove that. On 2025/03/27 18:29:27 Jarek Potiuk wrote: > Just a comment. > > Explaining how to disable it is almost the same as officially making it > production-ready but without guarantees. Look how many peo

Re: [DISCUSS] confusing alert re SimpleAuthManager

2025-03-27 Thread Tzu-ping Chung
Username and password being always the same is also a problem; username is viewable as plain text in the UI and things like password managers. > On 28 Mar 2025, at 02:56, Vincent Beck wrote: > > Is the security issue only printing out the passwords in stdout? If yes, I > can easily remove tha

Re: [DISCUSS] confusing alert re SimpleAuthManager

2025-03-27 Thread Vincent Beck
This is only the case in breeze so I do not think this is a concern. Breeze is only for development purposes. When used outside of breeze, simple auth manager automatically generates random passwords On 2025/03/27 19:00:11 Tzu-ping Chung wrote: > Username and password being always the same is als

Re: [DISCUSS] confusing alert re SimpleAuthManager

2025-03-27 Thread Jarek Potiuk
Yeah. Maybe a good solution would be to correlate the random password with removing the banner. I would be pretty happy if in order to disable the banner user(s) would have to be securely configured by the deployment manager - essentially converting the development friendly (development only) SA

Re: [DISCUSS] Decisions made on devlist

2025-03-27 Thread Jarek Potiuk
To be very concrete: I think my proposal is just to exercise a bit of empathy towards other work and when you are asked "let's discuss it on a devlist" because it's a complex case, with huge impact (and effort needed) and potentially disruptive and where many people will likely have an opinion, let's ju