Airflow Configuration
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Configuration File
Apache Airflow generates a config file called airflow.cfg on every Airflow machine, in the home directory of the airflow user. This config file contains configuration information and might contain interesting and sensitive information.
There are two ways to access this file: by compromising some Airflow machine, or through the web console.
Note that the values inside the config file might not be the ones actually in use, as they can be overridden by environment variables such as AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'.
If you have access to the config file in the web server, you can check the real running configuration on the same page where the config is displayed.
If you have access to some machine inside the Airflow environment, check the environment variables.
Some interesting values to check when reading the config file:
[api]
- access_control_allow_headers: This indicates the allowed headers for CORS
- access_control_allow_methods: This indicates the allowed methods for CORS
- access_control_allow_origins: This indicates the allowed origins for CORS
- auth_backend: According to the docs, a few options can be in place to configure who can access the API:
  - airflow.api.auth.backend.deny_all: By default nobody can access the API
  - airflow.api.auth.backend.default: Everyone can access it without authentication
  - airflow.api.auth.backend.kerberos_auth: To configure kerberos authentication
  - airflow.api.auth.backend.basic_auth: For basic authentication
  - airflow.composer.api.backend.composer_auth: Uses Composer's authentication (GCP) (from here).
    - composer_auth_user_registration_role: This indicates the role the Composer user will get inside Airflow (Op by default).
  - You can also create your own authentication method with python.
- google_key_path: Path to the GCP service account key
[atlas]
- password: Atlas password
- username: Atlas username
[celery]
- flower_basic_auth: Credentials (user1:password1,user2:password2)
- result_backend: Postgres url which may contain credentials.
- ssl_cacert: Path to the cacert
- ssl_cert: Path to the cert
- ssl_key: Path to the key
[core]
- dag_discovery_safe_mode: Enabled by default. When discovering DAGs, ignore any files that don't contain the strings DAG and airflow.
- fernet_key: Key to store encrypted variables (symmetric)
- hide_sensitive_var_conn_fields: Enabled by default, hides sensitive info of connections.
- security: What security module to use (for example kerberos)
[dask]
- tls_ca: Path to the ca
- tls_cert: Path to the cert
- tls_key: Path to the tls key
[kerberos]
- ccache: Path to ccache file
- forwardable: Enabled by default
[logging]
- google_key_path: Path to GCP JSON creds.
[secrets]
- backend: Full class name of the secrets backend to enable
- backend_kwargs: The backend_kwargs param is loaded into a dictionary and passed to the init of the secrets backend class.
[smtp]
- smtp_password: SMTP password
- smtp_user: SMTP user
[webserver]
- cookie_samesite: By default it's Lax, so it's already the weakest possible value
- cookie_secure: Set the secure flag on the session cookie
- expose_config: By default it's False; if true, the config can be read from the web console
- expose_stacktrace: By default it's True; it will show python tracebacks (potentially useful for an attacker)
- secret_key: This is the key used by flask to sign the cookies (if you have this you can impersonate any user in Airflow)
- web_server_ssl_cert: Path to the SSL cert
- web_server_ssl_key: Path to the SSL key
- x_frame_enabled: Default is True, so by default clickjacking isn't possible
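The following is an added example (not part of this page or of Airflow itself) that audits an airflow.cfg for the weak settings listed above, applying the AIRFLOW__SECTION__KEY environment override rule mentioned earlier so that the reported value is the effective one. The sample config, environment and placeholder key values are constructed for the demo.

```python
import configparser

# Settings from this page that weaken Airflow when they hold the listed value.
RISKY = {  # (section, key) -> (risky value, why it matters)
    ("api", "auth_backend"): ("airflow.api.auth.backend.default", "API usable without authentication"),
    ("webserver", "expose_config"): ("true", "config readable from the web console"),
    ("webserver", "expose_stacktrace"): ("true", "python tracebacks shown in the UI"),
    ("webserver", "cookie_secure"): ("false", "session cookie also sent over plain HTTP"),
    ("core", "hide_sensitive_var_conn_fields"): ("false", "connection secrets shown in the UI"),
}
# Keys whose presence means secret material ships with the config.
SECRETS = (("webserver", "secret_key"), ("core", "fernet_key"),
           ("celery", "flower_basic_auth"), ("smtp", "smtp_password"))

def effective_value(cfg, section, key, env):
    """Return (value, source): AIRFLOW__SECTION__KEY in the environment wins over the file."""
    env_name = f"AIRFLOW__{section.upper()}__{key.upper()}"
    if env_name in env:
        return env[env_name], "env"
    if cfg.has_option(section, key):
        return cfg.get(section, key), "file"
    return None, None

def audit(cfg_text, env):
    """Parse airflow.cfg text plus an environment mapping; list weak effective settings."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []
    for (section, key), (bad, why) in RISKY.items():
        value, source = effective_value(cfg, section, key, env)
        if value is not None and value.strip().lower() == bad:
            findings.append(f"{section}.{key}={value} ({source}): {why}")
    for section, key in SECRETS:
        value, source = effective_value(cfg, section, key, env)
        if value:
            findings.append(f"{section}.{key} is set ({source}): secret material in the config")
    return findings

# Constructed sample: the file looks hardened, but the environment overrides two keys.
SAMPLE_CFG = """\
[api]
auth_backend = airflow.api.auth.backend.deny_all
[core]
fernet_key = CONSTRUCTED_FERNET_KEY_PLACEHOLDER
[webserver]
expose_config = False
secret_key = CONSTRUCTED_SECRET_KEY_PLACEHOLDER
"""
SAMPLE_ENV = {"AIRFLOW__WEBSERVER__EXPOSE_CONFIG": "true",
              "AIRFLOW__API__AUTH_BACKEND": "airflow.api.auth.backend.default"}
```

Run `audit(open("airflow.cfg").read(), os.environ)` on a real machine to see the effective settings; on the sample, the two env overrides turn an apparently safe file into an open API and an exposed config page.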
Web Authentication
By default web authentication is specified in the file webserver_config.py
and is configured as
AUTH_TYPE = AUTH_DB
which means that authentication is checked against the database. However, other configurations are possible, such as
AUTH_TYPE = AUTH_OAUTH
which delegates authentication to third-party services.
However, there is also an option to allow anonymous users access, setting the following parameter to the desired role:
AUTH_ROLE_PUBLIC = 'Admin'