Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/03/16 10:47:05 UTC

[GitHub] [airflow] jakubgs opened a new issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

jakubgs opened a new issue #14829:
URL: https://github.com/apache/airflow/issues/14829


   **Apache Airflow version**:
   
   `2.0.1` but with a hack to make GitHub role based oauth work by installing `flask-appbuilder==3.2.0` to get better OAuth.
   
   **Environment**:
   
   - **Cloud provider or hardware configuration**:
   - **OS**: Ubuntu 20.04.2
   - **Kernel**: `5.4.0-66-generic x86_64`
   - **Install tools**:
   - **Others**:
   
   **What happened**:
   
   After removing via web UI a user created by my OAuth integration implemented by inheriting from `AirflowSecurityManager` I was greeted by a redirect loop:
   ```
   This page isn’t working
   airflow.example.org redirected you too many times.
   Try clearing your cookies.
   ERR_TOO_MANY_REDIRECTS
   ```
   Which can be seen in the logs:
   ```
   "GET /home HTTP/1.0" 302 321 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36"
   DEBUG - Provider: None
   DEBUG - Already authenticated TestUser 
   "GET /login/?next=https%3A%2F%2Fairflow.example.org%2Fhome HTTP/1.0" 302 209 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36"
   "GET / HTTP/1.0" 302 217 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36"
   "GET /home HTTP/1.0" 302 321 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36"
   DEBUG - Provider: None
   DEBUG - Already authenticated TestUser 
   "GET /login/?next=https%3A%2F%2Fairflow.example.org%2Fhome HTTP/1.0" 302 209 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36"
   "GET / HTTP/1.0" 302 217 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36"
   "GET /home HTTP/1.0" 302 321 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36"
   DEBUG - Provider: None
   DEBUG - Already authenticated TestUser 
   ...
   ```
   As far as I can tell the issue is the `Provider: None` part, since when I try to log in as another user which was not removed I can see the provider is correctly detected:
   ```
   DEBUG - Provider: github
   DEBUG - Going to call authorize for: github
   ```
   
   **What you expected to happen**:
   
   Login to work as before.
   
   **How to reproduce it**:
   
   I have implemented OAuth GitHub mapping of user teams to Airflow roles like so:
   ```python
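   # Base class shipped with Airflow 2.0.x; needed for the subclass below.
   from airflow.www.security import AirflowSecurityManager
   
   AUTH_ROLES_MAPPING = {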
       "devs": ["Viewer"],
       "analists": ["User"],
       "devops": ["Admin"],
   }
   
   class GitHubAirflowSecurityManager(AirflowSecurityManager):
       def oauth_user_info(self, provider, resp):
           assert provider == 'github'
           api = self.appbuilder.sm.oauth_remotes[provider]
           user = api.get('user').json()
           teams = api.get('user/teams').json()
           # email field can't be empty
           fake_email = "%s@example.org" % user.get("login")
           data = {
               "username": user.get("login"),
               "email": user.get("email") or fake_email,
               "first_name": user.get("name", ""),
               "last_name": user.get("family_name", ""),
               "role_keys": [t.get("slug") for t in teams],
           }
           return data
   
   SECURITY_MANAGER_CLASS = GitHubAirflowSecurityManager
   ```


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [airflow] ashb commented on issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
ashb commented on issue #14829:
URL: https://github.com/apache/airflow/issues/14829#issuecomment-810954537


   @jakubgs ⚠️ the "Public" role applies to anonymous users too -- so _any_ request that can reach your Airflow webserver will have the roles of the Public user.





[GitHub] [airflow] jakubgs edited a comment on issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
jakubgs edited a comment on issue #14829:
URL: https://github.com/apache/airflow/issues/14829#issuecomment-800209737


   Also, I identified why my user was getting the `Public` role. It's because I was using a custom `Dockerfile` to apply 3 fixes:
   ```Dockerfile
   FROM apache/airflow:2.0.1
   
   # We need this for GitHub OAuth via FAB
   RUN pip install authlib
   
   # HACK: Necessary before v2.0.2 is out.
   # https://github.com/apache/airflow/pull/14665
   RUN pip install flask-appbuilder==3.2.0
   
   # HACK: Fix for `Exception when importing` warnings.
   # https://github.com/apache/airflow/issues/14266
   RUN pip install -U azure-storage-blob apache-airflow-providers-microsoft-azure==1.1.0
   ```
   But using multiple `pip install` commands causes it to undo the installation of `flask-appbuilder==3.2.0`, so I've changed it to:
   ```Dockerfile
   FROM apache/airflow:2.0.1
   
   # WARNING: Has to be done as one command, or pip will uninstall packages.
   RUN pip install \
       # We need this for GitHub OAuth via FAB
       authlib \
       # HACK: Necessary before v2.0.2 is out.
       # https://github.com/apache/airflow/pull/14665
       flask-appbuilder==3.2.0 \
       # HACK: Fix for `Exception when importing` warnings.
       # https://github.com/apache/airflow/issues/14266
       azure-storage-blob apache-airflow-providers-microsoft-azure==1.1.0
   ```


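A check for the pin drift described in the comment above, as an added example that is not part of the thread and not Airflow's own code: it fails closed when the installed `flask-appbuilder` is older than the version the Dockerfile pins. The function names, and the idea of calling `require_pins()` at the top of `webserver_config.py` or from a final `RUN python` step in the image build, are assumptions.

```python
import re
from importlib import metadata

# Minimum versions this deployment relies on; the value is the pin from the
# Dockerfile in this thread.
REQUIRED_MINIMUMS = {"flask-appbuilder": "3.2.0"}


def release_tuple(version):
    """Turn '3.2.1' into (3, 2, 1). Suffixes such as 'rc1' or '.post1' are ignored."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_older(installed, minimum):
    """Compare release numbers, padding with zeros so '3.2' equals '3.2.0'."""
    a, b = release_tuple(installed), release_tuple(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_pin_drift(required=REQUIRED_MINIMUMS, get_version=metadata.version):
    """Return one message per package that is missing or below its minimum."""
    problems = []
    for name, minimum in required.items():
        try:
            installed = get_version(name)
        except metadata.PackageNotFoundError:
            problems.append(f"{name}: not installed (need >= {minimum})")
            continue
        if is_older(installed, minimum):
            problems.append(f"{name}: {installed} installed (need >= {minimum})")
    return problems


def require_pins(required=REQUIRED_MINIMUMS, get_version=metadata.version):
    """Raise instead of starting with a package that silently lost its pin."""
    problems = find_pin_drift(required, get_version)
    if problems:
        raise RuntimeError("dependency pin drift: " + "; ".join(problems))


if __name__ == "__main__":
    # Checks the real environment; an empty list means the pin survived.
    print(find_pin_drift() or "all pins satisfied")
```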



[GitHub] [airflow] jakubgs commented on issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
jakubgs commented on issue #14829:
URL: https://github.com/apache/airflow/issues/14829#issuecomment-800158766


   The difference with a user that can log in without a redirect loop is that after logging in the `/home` path doesn't return `302`:
   ```
   DEBUG - Provider: github
   DEBUG - Going to call authorize for: github
   "GET /login/github?next=https://airflow.example.org/home HTTP/1.0" 302 945 "https://airflow.example.org/login/?next=https%3A%2F%2Fairflow.example.org%2Fhome"
   DEBUG - Authorized init
   DEBUG - OAUTH Authorized resp: {'access_token': '123qwe123qwe', 'token_type': 'bearer', 'scope': 'read:org,user:email'}
   DEBUG - User info retrieved from github: {'username': 'jakubgs', 'email': 'jakub@gsokolowski.pl', 'first_name': 'Jakub', 'last_name': '', 'role_keys': ['devs', 'devops']}
   DEBUG - No whitelist for OAuth provider
   INFO - Updated user Airflow Admin
   "GET /oauth-authorized/github?code=123qwe&state=123qwe123qwe HTTP/1.0" 302 279 "https://airflow.example.org/"
   "GET /home HTTP/1.0" 200 56814
   ```





[GitHub] [airflow] jakubgs commented on issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
jakubgs commented on issue #14829:
URL: https://github.com/apache/airflow/issues/14829#issuecomment-800161963


   Oh, I think it happens because the user exists, but it was given the `Public` role that has no permissions:
   https://github.com/apache/airflow/blob/b40beb3036b8221053fdb7ab537a45afccf0bd8e/airflow/www/views.py#L453-L458
   So it's logged in, but when it hits `/home` it lacks `ACTION_CAN_READ` and `RESOURCE_WEBSITE`, so it gets redirected to `/login`, but it's already logged in, so gets redirected back to `/home`, and so on.
   
   Not a great user experience.


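The loop described in the comment above, as an added example that is not part of the thread and is not Airflow or Flask-AppBuilder code: a simplified model of the three routes seen in the logs, with the redirect-to-login behaviour beside the 403 response for authenticated but unauthorised users that another comment in this thread proposes. The permission tuple, the hop limit and all function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_HOPS = 20  # assumed cap; browsers stop after a similar number of redirects
WEBSITE_READ = ("can_read", "Website")  # assumed name for the /home permission


@dataclass
class Session:
    username: Optional[str] = None  # None models an anonymous visitor
    permissions: frozenset = field(default_factory=frozenset)


def handle(path, session, deny_with_403):
    """Return (status, redirect_target) for one request in the model."""
    logged_in = session.username is not None
    if path == "/":
        return 302, "/home"
    if path == "/login/":
        # "Already authenticated": a logged-in user is sent back to the index.
        return (302, "/") if logged_in else (200, None)
    if path == "/home":
        if WEBSITE_READ in session.permissions:
            return 200, None
        if logged_in and deny_with_403:
            return 403, None  # authenticated but not authorised
        return 302, "/login/"  # treated as "needs to log in"
    return 404, None


def follow(start, session, deny_with_403=False):
    """Follow redirects as a browser would and report whether they cycle."""
    path, trace, visited = start, [], set()
    while len(trace) < MAX_HOPS:
        if path in visited:
            # Same path, same session state: the redirects can never end.
            return {"loop": True, "status": None, "trace": trace}
        visited.add(path)
        status, target = handle(path, session, deny_with_403)
        trace.append((path, status))
        if status != 302:
            return {"loop": False, "status": status, "trace": trace}
        path = target
    return {"loop": True, "status": None, "trace": trace}


# Constructed sessions: a logged-in user whose only role grants nothing,
# an anonymous visitor, and a user who can read the website.
NO_PERMS = Session(username="test-user")
ANONYMOUS = Session()
VIEWER = Session(username="viewer", permissions=frozenset({WEBSITE_READ}))

if __name__ == "__main__":
    for label, session in [("no perms", NO_PERMS), ("anonymous", ANONYMOUS), ("viewer", VIEWER)]:
        print(label, follow("/home", session), follow("/home", session, deny_with_403=True))
```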



[GitHub] [airflow] ashb commented on issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
ashb commented on issue #14829:
URL: https://github.com/apache/airflow/issues/14829#issuecomment-810959713


   ```
   RUN pip install flask-appbuilder~=3.2.0
   ```
   
   Is the correct fix for this, and is an allowed version by the dep.
   
   When the 2.0.2 image is out it will have this (well, 3.2.1)
   
   So it looks like you've found the fix, and I'm going to close this issue -- let me know if there are any other problems.
   
   





[GitHub] [airflow] jakubgs edited a comment on issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
jakubgs edited a comment on issue #14829:
URL: https://github.com/apache/airflow/issues/14829#issuecomment-800209737


   Also, I identified why my user was getting the `Public` role. It's because I was using a custom `Dockerfile` to apply 3 fixes:
   ```Dockerfile
   FROM apache/airflow:2.0.1
   
   # We need this for GitHub OAuth via FAB
   RUN pip install authlib
   
   # HACK: Necessary before v2.0.2 is out.
   # https://github.com/apache/airflow/pull/14665
   RUN pip install flask-appbuilder==3.2.0
   
   # HACK: Fix for `Exception when importing` warnings.
   # https://github.com/apache/airflow/issues/14266
   RUN pip install -U azure-storage-blob apache-airflow-providers-microsoft-azure==1.1.0
   ```
   But using multiple `pip install` commands causes it to undo the installation of ``, so I've changed it to:
   ```Dockerfile
   FROM apache/airflow:2.0.1
   
   # WARNING: Has to be done as one command, or pip will uninstall packages.
   RUN pip install \
       # We need this for GitHub OAuth via FAB
       authlib \
       # HACK: Necessary before v2.0.2 is out.
       # https://github.com/apache/airflow/pull/14665
       flask-appbuilder==3.2.0 \
       # HACK: Fix for `Exception when importing` warnings.
       # https://github.com/apache/airflow/issues/14266
       azure-storage-blob apache-airflow-providers-microsoft-azure==1.1.0
   ```





[GitHub] [airflow] jakubgs commented on issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
jakubgs commented on issue #14829:
URL: https://github.com/apache/airflow/issues/14829#issuecomment-800157018


   After clearing cookies I can see that the first attempt does work, but then it goes into the redirect loop:
   ```
   DEBUG - Provider: github
   DEBUG - Going to call authorize for: github
   "GET /login/github?next=https://airflow.example.org/home HTTP/1.0" 302 945 ...
   DEBUG - Authorized init
   DEBUG - OAUTH Authorized resp: {'access_token': '123qwe123qwe', 'token_type': 'bearer', 'scope': 'read:org,user:email'}
   DEBUG - User info retrieved from github: {'username': 'test-user', 'email': 'test-user@airflow.example.org', 'first_name': 'TestUser', 'last_name': '', 'role_keys': ['devs']}
   DEBUG - No whitelist for OAuth provider
   INFO - Updated user TestUser 
   "GET /oauth-authorized/github?code=123qwe&state=123qwe123qwe123qwe HTTP/1.0" 302 279 ...
   "GET /home HTTP/1.0" 302 321 ...
   DEBUG - Provider: None
   DEBUG - Already authenticated TestUser 
   "GET /login/?next=https%3A%2F%2Fairflow.example.org%2Fhome HTTP/1.0" 302 209 ...
   ...
   ```





[GitHub] [airflow] fredthomsen edited a comment on issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
fredthomsen edited a comment on issue #14829:
URL: https://github.com/apache/airflow/issues/14829#issuecomment-803293210


   I uncovered this same issue with the same root cause when setting up LDAP authentication and having the `AUTH_USER_REGISTRATION_ROLE = "Public"` (My `AUTH_ROLES_MAPPING` setting isn't working as I expect, so all users are getting the default of `Public`).
   
   If a user has roles that grant no permissions whatsoever, then returning an ugly plain 403 page seems like the proper behavior.





[GitHub] [airflow] fredthomsen edited a comment on issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
fredthomsen edited a comment on issue #14829:
URL: https://github.com/apache/airflow/issues/14829#issuecomment-803293210


   I uncovered this same issue with the same root cause when setting up LDAP authentication and having the `AUTH_USER_REGISTRATION_ROLE = "Public"` (My `AUTH_ROLES_MAPPING` setting isn't working as I expect, so all users are getting the default of `Public`).
   
   If a user has roles that grant no permissions whatsoever, then returning a 403 seems like the proper behavior.





[GitHub] [airflow] fredthomsen commented on issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
fredthomsen commented on issue #14829:
URL: https://github.com/apache/airflow/issues/14829#issuecomment-803293210


   I uncovered this same issue with the same root cause when setting up LDAP authentication and having the `AUTH_USER_REGISTRATION_ROLE = "Public"`.
   
   If a user has roles that grant no permissions whatsoever, then returning a 403 seems like the proper behavior.





[GitHub] [airflow] ashb closed issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
ashb closed issue #14829:
URL: https://github.com/apache/airflow/issues/14829


   





[GitHub] [airflow] fredthomsen edited a comment on issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
fredthomsen edited a comment on issue #14829:
URL: https://github.com/apache/airflow/issues/14829#issuecomment-803293210


   I uncovered this same issue with the same root cause when setting up LDAP authentication and having the `AUTH_USER_REGISTRATION_ROLE = "Public"` (My `AUTH_ROLES_MAPPING` setting isn't working as I expect, so all users are getting the default of `Public`).
   
   If a user has roles that grant no permissions whatsoever, then returning a 403 seems like the proper behavior.





[GitHub] [airflow] jakubgs commented on issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
jakubgs commented on issue #14829:
URL: https://github.com/apache/airflow/issues/14829#issuecomment-800209737


   Also, I identified why my user was getting the `Public` role. It's because I was using a custom `Dockerfile` to apply 3 fixes:
   ```Dockerfile
   FROM apache/airflow:2.0.1
   
   # We need this for GitHub OAuth via FAB
   RUN pip install authlib
   
   # HACK: Necessary before v2.0.2 is out.
   # https://github.com/apache/airflow/pull/14665
   RUN pip install flask-appbuilder==3.2.0
   
   # HACK: Fix for `Exception when importing` warnings.
   # https://github.com/apache/airflow/issues/14266
   RUN pip install -U azure-storage-blob apache-airflow-providers-microsoft-azure==1.1.0
   ```
   But using multiple `pip install` commands causes it to undo the installation of ``, so I've changed it to:
   ```Dockerfile
   FROM apache/airflow:2.0.1
   
   # WARNING: Has to be done as one command, or pip will uninstall packages.
   RUN pip install \
       # We need this for GitHub OAuth via FAB
       authlib \
       # HACK: Necessary before v2.0.2 is out.
       # https://github.com/apache/airflow/pull/14665
       flask-appbuilder==3.2.0 \
       # HACK: Fix for `Exception when importing` warnings.
       # https://github.com/apache/airflow/issues/14266
       azure-storage-blob apache-airflow-providers-microsoft-azure==1.1.0
   ```





[GitHub] [airflow] jakubgs commented on issue #14829: Removing a user and repeat OAuth login causes ERR_TOO_MANY_REDIRECTS

Posted by GitBox <gi...@apache.org>.
jakubgs commented on issue #14829:
URL: https://github.com/apache/airflow/issues/14829#issuecomment-800164872


   Indeed, after adding `RESOURCE_WEBSITE`("can read on Website") to the `Public` role the redirect loop stops, instead I just get a lot of `Access is Denied`.
   
   After adding the `ACTION_CAN_READ`("can read on DAGs") permission to the `Public` role the user can see the home page.

