Change the default auth backend to session

UPDATING.md

@@ -145,6 +145,10 @@ Previously, only one backend was used to authorize use of the REST API. In 2.3 t
 
 This setting is also used for the deprecated experimental API, which only uses the first option even if multiple are given.
 
+### `auth_backends` includes session
+
+To allow the Airflow UI to use the API, the previous default authorization backend `airflow.api.auth.backend.deny_all` is changed to `airflow.api.auth.backend.session`, and this is automatically added to the list of API authorization backends if a non-default value is set.
+
 ## Airflow 2.2.4
 
 ### Smart sensors deprecated

airflow/config_templates/config.yml

@@ -810,7 +810,7 @@
       version_added: ~
       type: string
       example: ~
-      default: "airflow.api.auth.backend.deny_all"
+      default: "airflow.api.auth.backend.session"
     - name: maximum_page_limit
       description: |
         Used to set the maximum page limit for API requests

airflow/config_templates/default_airflow.cfg

@@ -438,7 +438,7 @@ enable_experimental_api = False
 # How to authenticate users of the API. See
 # https://airflow.apache.org/docs/apache-airflow/stable/security.html for possible values.
 # ("airflow.api.auth.backend.default" allows all requests for historic reasons)
-auth_backends = airflow.api.auth.backend.deny_all
+auth_backends = airflow.api.auth.backend.session
 
 # Used to set the maximum page limit for API requests
 maximum_page_limit = 100

airflow/configuration.py

@@ -211,6 +211,13 @@ class AirflowConfigParser(ConfigParser):
                 3.0,
             ),
         },
+        'api': {
+            'auth_backends': (
+                re.compile(r'^airflow\.api\.auth\.backend\.deny_all$|^$'),
+                'airflow.api.auth.backend.session',
+                '3.0',
+            ),
+        },
     }
 
     _available_logging_levels = ['CRITICAL', 'FATAL', 'ERROR', 'WARN', 'WARNING', 'INFO', 'DEBUG']
@@ -281,8 +288,28 @@ def validate(self):
                         version=version,
                     )
 
+        self._upgrade_auth_backends()
         self.is_validated = True
 
+    def _upgrade_auth_backends(self):
+        """
+        Ensure a custom auth_backends setting contains session,
+        which is needed by the UI for ajax queries.
+        """
+        old_value = self.get("api", "auth_backends", fallback="")
+        if old_value in ('airflow.api.auth.backend.default', ''):
+            # handled by deprecated_values
+            pass
+        elif old_value.find('airflow.api.auth.backend.session') == -1:
+            new_value = old_value + "\nairflow.api.auth.backend.session"
+            self._update_env_var(section="api", name="auth_backends", new_value=new_value)
+            warnings.warn(
+                'The auth_backends setting in [api] has had airflow.api.auth.backend.session added '
+                'in the running config, which is needed by the UI. Please update your config before '
+                'Apache Airflow 3.0.',
+                FutureWarning,
+            )
+
     def _validate_enums(self):
         """Validate that enum type config has an accepted value"""
         for (section_key, option_key), enum_options in self.enums_options.items():
@@ -324,10 +351,11 @@ def _using_old_value(self, old, current_value):
         return old.search(current_value) is not None
 
     def _update_env_var(self, section, name, new_value):
-        # Make sure the env var option is removed, otherwise it
-        # would be read and used instead of the value we set
         env_var = self._env_var_name(section, name)
-        os.environ.pop(env_var, None)
+        # If the config comes from environment, set it there so that any subprocesses keep the same override!
+        if env_var in os.environ:
+            os.environ[env_var] = new_value
+            return
         if not self.has_section(section):
             self.add_section(section)
         self.set(section, name, new_value)

chart/UPDATING.rst

@@ -59,6 +59,12 @@ The default Airflow image that is used with the Chart is now ``2.2.3``, previous
 
 The old parameter names will continue to work, however support for them will be removed in a future release so please update your values file.
 
+Removed ``config.api``
+""""""""""""""""""""""
+
+This section configured the authentication backend for the Airflow API but used the same values as the Airflow default setting, which made it unnecessary to
+declare the same again.
+
 Fixed precedence of ``nodeSelector``, ``affinity`` and ``tolerations`` params
 """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 

chart/values.yaml

@@ -1417,9 +1417,6 @@ config:
     # For Airflow 1.10, backward compatibility; moved to [logging] in 2.0
     colored_console_log: 'False'
     remote_logging: '{{- ternary "True" "False" .Values.elasticsearch.enabled }}'
-  # Authentication backend used for the experimental API
-  api:
-    auth_backends: airflow.api.auth.backend.deny_all
   logging:
     remote_logging: '{{- ternary "True" "False" .Values.elasticsearch.enabled }}'
     colored_console_log: 'False'

docs/apache-airflow/security/api.rst

@@ -22,12 +22,12 @@ API Authentication
 ------------------
 
 Authentication for the API is handled separately to the Web Authentication. The default is to
-deny all requests:
+check the user session:
 
 .. code-block:: ini
 
     [api]
-    auth_backends = airflow.api.auth.backend.deny_all
+    auth_backends = airflow.api.auth.backend.session
 
 .. versionchanged:: 1.10.11
 

tests/core/test_configuration.py

@@ -592,6 +592,28 @@ def test_deprecated_values_from_conf(self):
             test_conf.validate()
             assert test_conf.get('core', 'hostname_callable') == 'socket.getfqdn'
 
+    def test_auth_backends_adds_session(self):
+        test_conf = AirflowConfigParser(default_config='')
+        # Guarantee we have deprecated settings, so we test the deprecation
+        # lookup even if we remove this explicit fallback
+        test_conf.deprecated_values = {
+            'api': {
+                'auth_backends': (
+                    re.compile(r'^airflow\.api\.auth\.backend\.deny_all$|^$'),
+                    'airflow.api.auth.backend.session',
+                    '3.0',
+                ),
+            },
+        }
+        test_conf.read_dict({'api': {'auth_backends': 'airflow.api.auth.backend.basic_auth'}})
+
+        with pytest.warns(FutureWarning):
+            test_conf.validate()
+            assert (
+                test_conf.get('api', 'auth_backends')
+                == 'airflow.api.auth.backend.basic_auth\nairflow.api.auth.backend.session'
+            )
+
     @pytest.mark.parametrize(
         "conf_dict",
         [