Support HackTricks and get benefits!
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks submitting PRs to the hacktricks github repo.
Apache Airflow generates a config file in all the airflow machines called airflow.cfg
in the home of the airflow user. This config file contains configuration information and might contain interesting and sensitive information.
There are two ways to access this file: By compromising some airflow machine, or accessing the web console.
Note that the values inside the config file might not be the ones used, as you can overwrite them setting env variables such as AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'
.
If you have access to the config file in the web server, you can check the real running configuration in the same page the config is displayed.
If you have access to some machine inside the airflow env, check the environment.
Some interesting values to check when reading the config file:
access_control_allow_headers
: This indicates the allowed headers for CORSaccess_control_allow_methods
: This indicates the allowed methods for CORSaccess_control_allow_origins
: This indicates the allowed origins for CORSauth_backend
: According to the docs a few options can be in place to configure who can access to the API:airflow.api.auth.backend.deny_all
: By default nobody can access the APIairflow.api.auth.backend.default
: Everyone can access it without authenticationairflow.api.auth.backend.kerberos_auth
: To configure kerberos authenticationairflow.api.auth.backend.basic_auth
: For basic authenticationairflow.composer.api.backend.composer_auth
: Uses composers authentication (GCP) (from here).composer_auth_user_registration_role
: This indicates the role the composer user will get inside airflow (Op by default).
- You can also create you own authentication method with python.
google_key_path
: Path to the GCP service account key
password
: Atlas passwordusername
: Atlas username
flower_basic_auth
: Credentials (user1:password1,user2:password2)result_backend
: Postgres url which may contain credentials.ssl_cacert
: Path to the cacertssl_cert
: Path to the certssl_key
: Path to the key
dag_discovery_safe_mode
: Enabled by default. When discovering DAGs, ignore any files that don’t contain the stringsDAG
andairflow
.fernet_key
: Key to store encrypted variables (symmetric)hide_sensitive_var_conn_fields
: Enabled by default, hide sensitive info of connections.security
: What security module to use (for example kerberos)
tls_ca
: Path to catls_cert
: Part to the certtls_key
: Part to the tls key
ccache
: Path to ccache fileforwardable
: Enabled by default
google_key_path
: Path to GCP JSON creds.
backend
: Full class name of secrets backend to enablebackend_kwargs
: The backend_kwargs param is loaded into a dictionary and passed to init of secrets backend class.
smtp_password
: SMTP passwordsmtp_user
: SMTP user
cookie_samesite
: By default it's Lax, so it's already the weakest possible valuecookie_secure
: Set secure flag on the the session cookieexpose_config
: By default is False, if true, the config can be read from the web consoleexpose_stacktrace
: By default it's True, it will show python tracebacks (potentially useful for an attacker)secret_key
: This is the key used by flask to sign the cookies (if you have this you can impersonate any user in Airflow)web_server_ssl_cert
: Path to the SSL certweb_server_ssl_key
: Path to the SSL Keyx_frame_enabled
: Default is True, so by default clickjacking isn't possible
By default web authentication is specified in the file webserver_config.py
and is configured as
AUTH_TYPE = AUTH_DB
Which means that the authentication is checked against the database. However, other configurations are possible like
AUTH_TYPE = AUTH_OAUTH
To leave the authentication to third party services.
However, there is also an option to allow anonymous users access, setting the following parameter to the desired role:
AUTH_ROLE_PUBLIC = 'Admin'
Support HackTricks and get benefits!
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks submitting PRs to the hacktricks github repo.