gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-07 02:03:45 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:29:08 +00:00
parent 2753c75e8b
commit 396dbafaf2
245 changed files with 9878 additions and 12609 deletions
Download Patch File Download Diff File Expand all files Collapse all files

118
src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md
View File

@@ -1,115 +1,105 @@
# Airflow Configuration
# Airflow Konfigurasie
{{#include ../../banners/hacktricks-training.md}}
## Configuration File
## Konfigurasie Lêer
**Apache Airflow** generates a **config file** in all the airflow machines called **`airflow.cfg`** in the home of the airflow user. This config file contains configuration information and **might contain interesting and sensitive information.**
**Apache Airflow** genereer 'n **konfigurasie lêer** in al die airflow masjiene genaamd **`airflow.cfg`** in die huis van die airflow gebruiker. Hierdie konfigurasie lêer bevat konfigurasie-inligting en **kan interessante en sensitiewe inligting bevat.**
**There are two ways to access this file: By compromising some airflow machine, or accessing the web console.**
**Daar is twee maniere om toegang tot hierdie lêer te verkry: Deur 'n paar airflow masjiene te kompromitteer, of deur toegang tot die webkonsol.**
Note that the **values inside the config file** **might not be the ones used**, as you can overwrite them setting env variables such as `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`.
Let daarop dat die **waardes binne die konfigurasie lêer** **nie diegene mag wees wat gebruik word nie**, aangesien jy dit kan oorskryf deur omgewingsveranderlikes soos `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'` in te stel.
If you have access to the **config file in the web server**, you can check the **real running configuration** in the same page the config is displayed.\
If you have **access to some machine inside the airflow env**, check the **environment**.
As jy toegang het tot die **konfigurasie lêer in die webbediener**, kan jy die **werklike lopende konfigurasie** op dieselfde bladsy waar die konfigurasie vertoon word, nagaan.\
As jy **toegang het tot 'n paar masjiene binne die airflow omgewing**, kyk na die **omgewing**.
Some interesting values to check when reading the config file:
Sommige interessante waardes om na te kyk wanneer jy die konfigurasie lêer lees:
### \[api]
- **`access_control_allow_headers`**: This indicates the **allowed** **headers** for **CORS**
- **`access_control_allow_methods`**: This indicates the **allowed methods** for **CORS**
- **`access_control_allow_origins`**: This indicates the **allowed origins** for **CORS**
- **`auth_backend`**: [**According to the docs**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) a few options can be in place to configure who can access to the API:
- `airflow.api.auth.backend.deny_all`: **By default nobody** can access the API
- `airflow.api.auth.backend.default`: **Everyone can** access it without authentication
- `airflow.api.auth.backend.kerberos_auth`: To configure **kerberos authentication**
- `airflow.api.auth.backend.basic_auth`: For **basic authentication**
- `airflow.composer.api.backend.composer_auth`: Uses composers authentication (GCP) (from [**here**](https://cloud.google.com/composer/docs/access-airflow-api)).
- `composer_auth_user_registration_role`: This indicates the **role** the **composer user** will get inside **airflow** (**Op** by default).
- You can also **create you own authentication** method with python.
- **`google_key_path`:** Path to the **GCP service account key**
- **`access_control_allow_headers`**: Dit dui die **toegelate** **koppe** vir **CORS** aan
- **`access_control_allow_methods`**: Dit dui die **toegelate metodes** vir **CORS** aan
- **`access_control_allow_origins`**: Dit dui die **toegelate oorspronge** vir **CORS** aan
- **`auth_backend`**: [**Volgens die dokumentasie**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) kan 'n paar opsies in plek wees om te konfigureer wie toegang tot die API kan hê:
- `airflow.api.auth.backend.deny_all`: **Standaard kan niemand** toegang tot die API hê nie
- `airflow.api.auth.backend.default`: **Enigiemand kan** toegang hê sonder verifikasie
- `airflow.api.auth.backend.kerberos_auth`: Om **kerberos-verifikasie** te konfigureer
- `airflow.api.auth.backend.basic_auth`: Vir **basiese verifikasie**
- `airflow.composer.api.backend.composer_auth`: Gebruik komponiste se verifikasie (GCP) (van [**hier**](https://cloud.google.com/composer/docs/access-airflow-api)).
- `composer_auth_user_registration_role`: Dit dui die **rol** aan wat die **komponiste gebruiker** binne **airflow** sal kry (**Op** standaard).
- Jy kan ook jou eie **verifikasie** metode met python skep.
- **`google_key_path`:** Pad na die **GCP diensrekening sleutel**
### **\[atlas]**
- **`password`**: Atlas password
- **`username`**: Atlas username
- **`password`**: Atlas wagwoord
- **`username`**: Atlas gebruikersnaam
### \[celery]
- **`flower_basic_auth`** : Credentials (_user1:password1,user2:password2_)
- **`result_backend`**: Postgres url which may contain **credentials**.
- **`ssl_cacert`**: Path to the cacert
- **`ssl_cert`**: Path to the cert
- **`ssl_key`**: Path to the key
- **`flower_basic_auth`** : Kredensiale (_user1:password1,user2:password2_)
- **`result_backend`**: Postgres url wat **kredensiale** kan bevat.
- **`ssl_cacert`**: Pad na die cacert
- **`ssl_cert`**: Pad na die sertifikaat
- **`ssl_key`**: Pad na die sleutel
### \[core]
- **`dag_discovery_safe_mode`**: Enabled by default. When discovering DAGs, ignore any files that dont contain the strings `DAG` and `airflow`.
- **`fernet_key`**: Key to store encrypted variables (symmetric)
- **`hide_sensitive_var_conn_fields`**: Enabled by default, hide sensitive info of connections.
- **`security`**: What security module to use (for example kerberos)
- **`dag_discovery_safe_mode`**: Geaktiveer deur standaard. Wanneer DAGs ontdek word, ignoreer enige lêers wat nie die strings `DAG` en `airflow` bevat nie.
- **`fernet_key`**: Sleutel om versleutelde veranderlikes te stoor (simmetries)
- **`hide_sensitive_var_conn_fields`**: Geaktiveer deur standaard, verberg sensitiewe inligting van verbindings.
- **`security`**: Watter sekuriteitsmodule om te gebruik (byvoorbeeld kerberos)
### \[dask]
- **`tls_ca`**: Path to ca
- **`tls_cert`**: Part to the cert
- **`tls_key`**: Part to the tls key
- **`tls_ca`**: Pad na ca
- **`tls_cert`**: Pad na die sertifikaat
- **`tls_key`**: Pad na die tls sleutel
### \[kerberos]
- **`ccache`**: Path to ccache file
- **`forwardable`**: Enabled by default
- **`ccache`**: Pad na ccache lêer
- **`forwardable`**: Geaktiveer deur standaard
### \[logging]
- **`google_key_path`**: Path to GCP JSON creds.
- **`google_key_path`**: Pad na GCP JSON kredensiale.
### \[secrets]
- **`backend`**: Full class name of secrets backend to enable
- **`backend_kwargs`**: The backend_kwargs param is loaded into a dictionary and passed to **init** of secrets backend class.
- **`backend`**: Volledige klasnaam van die secrets backend om te aktiveer
- **`backend_kwargs`**: Die backend_kwargs parameter word in 'n woordeboek gelaai en aan **init** van die secrets backend klas oorgedra.
### \[smtp]
- **`smtp_password`**: SMTP password
- **`smtp_user`**: SMTP user
- **`smtp_password`**: SMTP wagwoord
- **`smtp_user`**: SMTP gebruiker
### \[webserver]
- **`cookie_samesite`**: By default it's **Lax**, so it's already the weakest possible value
- **`cookie_secure`**: Set **secure flag** on the the session cookie
- **`expose_config`**: By default is False, if true, the **config** can be **read** from the web **console**
- **`expose_stacktrace`**: By default it's True, it will show **python tracebacks** (potentially useful for an attacker)
- **`secret_key`**: This is the **key used by flask to sign the cookies** (if you have this you can **impersonate any user in Airflow**)
- **`web_server_ssl_cert`**: **Path** to the **SSL** **cert**
- **`web_server_ssl_key`**: **Path** to the **SSL** **Key**
- **`x_frame_enabled`**: Default is **True**, so by default clickjacking isn't possible
- **`cookie_samesite`**: Standaard is dit **Lax**, so dit is reeds die swakste moontlike waarde
- **`cookie_secure`**: Stel **veilige vlag** op die sessie koekie
- **`expose_config`**: Standaard is dit Vals, as waar, kan die **konfigurasie** **gelees** word vanaf die web **konsol**
- **`expose_stacktrace`**: Standaard is dit Waar, dit sal **python tracebacks** vertoon (potensieel nuttig vir 'n aanvaller)
- **`secret_key`**: Dit is die **sleutel wat deur flask gebruik word om die koekies te teken** (as jy dit het, kan jy **enige gebruiker in Airflow naboots**)
- **`web_server_ssl_cert`**: **Pad** na die **SSL** **sertifikaat**
- **`web_server_ssl_key`**: **Pad** na die **SSL** **Sleutel**
- **`x_frame_enabled`**: Standaard is **Waar**, so klikjacking is nie moontlik nie
### Web Authentication
By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as
### Web Verifikasie
Standaard word **web verifikasie** in die lêer **`webserver_config.py`** gespesifiseer en is geconfigureer as
```bash
AUTH_TYPE = AUTH_DB
```
Which means that the **authentication is checked against the database**. However, other configurations are possible like
Wat beteken dat die **authentisering teen die databasis nagegaan word**. egter, ander konfigurasies is moontlik soos
```bash
AUTH_TYPE = AUTH_OAUTH
```
Om die **verifikasie aan derdeparty-dienste** oor te laat.
To leave the **authentication to third party services**.
However, there is also an option to a**llow anonymous users access**, setting the following parameter to the **desired role**:
Daar is egter ook 'n opsie om **anonieme gebruikers toegang** te gee, deur die volgende parameter op die **gewenste rol** in te stel:
```bash
AUTH_ROLE_PUBLIC = 'Admin'
```
{{#include ../../banners/hacktricks-training.md}}