Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Apache Airflow generates a config file in all the airflow machines called airflow.cfg in the home of the airflow user. This config file contains configuration information and might contain interesting and sensitive information.
There are two ways to access this file: By compromising some airflow machine, or accessing the web console.
Note that the values inside the config file might not be the ones used, as you can overwrite them setting env variables such as AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'.
If you have access to the config file in the web server, you can check the real running configuration in the same page the config is displayed. If you have access to some machine inside the airflow env, check the environment.
Some interesting values to check when reading the config file:
access_control_allow_headers: This indicates the allowed headers for CORS
access_control_allow_methods: This indicates the allowed methods for CORS
access_control_allow_origins: This indicates the allowed origins for CORS
auth_backend: According to the docs a few options can be in place to configure who can access to the API:
airflow.api.auth.backend.deny_all: By default nobody can access the API
airflow.api.auth.backend.default: Everyone can access it without authentication
airflow.api.auth.backend.kerberos_auth: To configure kerberos authentication
airflow.api.auth.backend.basic_auth: For basic authentication
airflow.composer.api.backend.composer_auth: Uses composers authentication (GCP) (from here).
composer_auth_user_registration_role: This indicates the role the composer user will get inside airflow (Op by default).
You can also create you own authentication method with python.
google_key_path: Path to the GCP service account key
password: Atlas password
username: Atlas username
flower_basic_auth : Credentials (user1:password1,user2:password2)
result_backend: Postgres url which may contain credentials.
ssl_cacert: Path to the cacert
ssl_cert: Path to the cert
ssl_key: Path to the key
dag_discovery_safe_mode: Enabled by default. When discovering DAGs, ignore any files that don’t contain the strings DAG and airflow.
fernet_key: Key to store encrypted variables (symmetric)
hide_sensitive_var_conn_fields: Enabled by default, hide sensitive info of connections.
security: What security module to use (for example kerberos)
tls_ca: Path to ca
tls_cert: Part to the cert
tls_key: Part to the tls key
ccache: Path to ccache file
forwardable: Enabled by default
google_key_path: Path to GCP JSON creds.
backend: Full class name of secrets backend to enable
backend_kwargs: The backend_kwargs param is loaded into a dictionary and passed to init of secrets backend class.
smtp_password: SMTP password
smtp_user: SMTP user
cookie_samesite: By default it's Lax, so it's already the weakest possible value
cookie_secure: Set secure flag on the the session cookie
expose_config: By default is False, if true, the config can be read from the web console
expose_stacktrace: By default it's True, it will show python tracebacks (potentially useful for an attacker)
secret_key: This is the key used by flask to sign the cookies (if you have this you can impersonate any user in Airflow)
web_server_ssl_cert: Path to the SSL cert
web_server_ssl_key: Path to the SSL Key
x_frame_enabled: Default is True, so by default clickjacking isn't possible
By default web authentication is specified in the file webserver_config.py and is configured as
Which means that the authentication is checked against the database. However, other configurations are possible like
To leave the authentication to third party services.
However, there is also an option to allow anonymous users access, setting the following parameter to the desired role:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
