From a6c2f37de29c66f377719df0965e49b7d0a63de4 Mon Sep 17 00:00:00 2001
From: Vincent <97131062+vincbeck@users.noreply.github.com>
Date: Fri, 18 Oct 2024 12:49:00 -0400
Subject: [PATCH] Remove `default` as auth backend (#43096)

---
 airflow/api/__init__.py                 |  8 ++---
 airflow/api/auth/backend/default.py     | 42 -------------------------
 airflow/config_templates/config.yml     |  5 ++-
 airflow/config_templates/unit_tests.cfg |  2 +-
 airflow/configuration.py                | 10 +++---
 airflow/www/extensions/init_security.py |  8 ++---
 newsfragments/43096.significant.rst     |  1 +
 tests/core/test_configuration.py        |  2 +-
 8 files changed, 14 insertions(+), 64 deletions(-)
 delete mode 100644 airflow/api/auth/backend/default.py
 create mode 100644 newsfragments/43096.significant.rst

diff --git a/airflow/api/__init__.py b/airflow/api/__init__.py
index d0613bb651fa..10c1ce6cea3c 100644
--- a/airflow/api/__init__.py
+++ b/airflow/api/__init__.py
@@ -23,18 +23,14 @@
 from importlib import import_module
 
 from airflow.configuration import conf
-from airflow.exceptions import AirflowConfigException, AirflowException
+from airflow.exceptions import AirflowException
 
 log = logging.getLogger(__name__)
 
 
 def load_auth():
     """Load authentication backends."""
-    auth_backends = "airflow.api.auth.backend.default"
-    try:
-        auth_backends = conf.get("api", "auth_backends")
-    except AirflowConfigException:
-        pass
+    auth_backends = conf.get("api", "auth_backends")
 
     backends = []
     try:
diff --git a/airflow/api/auth/backend/default.py b/airflow/api/auth/backend/default.py
deleted file mode 100644
index afe2c88f35f0..000000000000
--- a/airflow/api/auth/backend/default.py
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-"""Default authentication backend - everything is allowed."""
-
-from __future__ import annotations
-
-from functools import wraps
-from typing import Any, Callable, TypeVar, cast
-
-CLIENT_AUTH: tuple[str, str] | Any | None = None
-
-
-def init_app(_):
-    """Initialize authentication backend."""
-
-
-T = TypeVar("T", bound=Callable)
-
-
-def requires_authentication(function: T):
-    """Decorate functions that require authentication."""
-
-    @wraps(function)
-    def decorated(*args, **kwargs):
-        return function(*args, **kwargs)
-
-    return cast(T, decorated)
diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml
index 0be77a3b6829..b7c810cfe516 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -1377,12 +1377,11 @@ api:
       description: |
         Comma separated list of auth backends to authenticate users of the API. See
         `Security: API
-        <https://airflow.apache.org/docs/apache-airflow/stable/security/api.html>`__ for possible values.
-        ("airflow.api.auth.backend.default" allows all requests for historic reasons)
+        <https://airflow.apache.org/docs/apache-airflow/stable/security/api.html>`__ for possible values
       version_added: 2.3.0
       type: string
       example: ~
-      default: "airflow.api.auth.backend.session"
+      default: "airflow.providers.fab.auth_manager.api.auth.backend.session"
     maximum_page_limit:
       description: |
         Used to set the maximum page limit for API requests. If limit passed as param
diff --git a/airflow/config_templates/unit_tests.cfg b/airflow/config_templates/unit_tests.cfg
index 27134c721821..b29c642afe77 100644
--- a/airflow/config_templates/unit_tests.cfg
+++ b/airflow/config_templates/unit_tests.cfg
@@ -71,7 +71,7 @@ celery_logging_level = INFO
 smtp_mail_from = airflow@example.com
 
 [api]
-auth_backends = airflow.api.auth.backend.default
+auth_backends = airflow.providers.fab.auth_manager.api.auth.backend.session
 
 [hive]
 # Hive uses the configuration below to run the tests
diff --git a/airflow/configuration.py b/airflow/configuration.py
index 81dc18365392..e59b5b5e9ec1 100644
--- a/airflow/configuration.py
+++ b/airflow/configuration.py
@@ -670,11 +670,11 @@ def _upgrade_auth_backends(self):
         This is required by the UI for ajax queries.
         """
         old_value = self.get("api", "auth_backends", fallback="")
-        if old_value in ("airflow.api.auth.backend.default", ""):
-            # handled by deprecated_values
-            pass
-        elif old_value.find("airflow.api.auth.backend.session") == -1:
-            new_value = old_value + ",airflow.api.auth.backend.session"
+        if (
+            old_value.find("airflow.api.auth.backend.session") == -1
+            and old_value.find("airflow.providers.fab.auth_manager.api.auth.backend.session") == -1
+        ):
+            new_value = old_value + ",airflow.providers.fab.auth_manager.api.auth.backend.session"
             self._update_env_var(section="api", name="auth_backends", new_value=new_value)
             self.upgraded_values[("api", "auth_backends")] = old_value
 
diff --git a/airflow/www/extensions/init_security.py b/airflow/www/extensions/init_security.py
index 28e96a06ca85..76b2944c47b1 100644
--- a/airflow/www/extensions/init_security.py
+++ b/airflow/www/extensions/init_security.py
@@ -20,7 +20,7 @@
 from importlib import import_module
 
 from airflow.configuration import conf
-from airflow.exceptions import AirflowConfigException, AirflowException
+from airflow.exceptions import AirflowException
 
 log = logging.getLogger(__name__)
 
@@ -46,11 +46,7 @@ def apply_caching(response):
 
 def init_api_auth(app):
     """Load authentication backends."""
-    auth_backends = "airflow.api.auth.backend.default"
-    try:
-        auth_backends = conf.get("api", "auth_backends")
-    except AirflowConfigException:
-        pass
+    auth_backends = conf.get("api", "auth_backends")
 
     app.api_auth = []
     try:
diff --git a/newsfragments/43096.significant.rst b/newsfragments/43096.significant.rst
new file mode 100644
index 000000000000..b252e39916c0
--- /dev/null
+++ b/newsfragments/43096.significant.rst
@@ -0,0 +1 @@
+Removed auth backend ``airflow.api.auth.backend.default``
diff --git a/tests/core/test_configuration.py b/tests/core/test_configuration.py
index 20109c6cd29b..096b55e0f8e6 100644
--- a/tests/core/test_configuration.py
+++ b/tests/core/test_configuration.py
@@ -664,7 +664,7 @@ def test_auth_backends_adds_session(self):
                 test_conf.validate()
                 assert (
                     test_conf.get("api", "auth_backends")
-                    == "airflow.providers.fab.auth_manager.api.auth.backend.basic_auth,airflow.api.auth.backend.session"
+                    == "airflow.providers.fab.auth_manager.api.auth.backend.basic_auth,airflow.providers.fab.auth_manager.api.auth.backend.session"
                 )
 
     def test_command_from_env(self):