You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@airflow.apache.org by Lewis John McGibbney <le...@apache.org> on 2021/10/25 16:06:00 UTC

Airflow OAuth - "Access is denied"

Hi users@,
We have been working in migrating from LDAP authentication to OAuth Single Sign On. When a user logs in, they see a red prompt banner with the text "Access is denied". The user can simply click off of this banner and everything seems to work fine but this just looks weird. Has anyone else experienced this?
Thanks
lewismc

Re: Airflow OAuth - "Access is denied"

Posted by Fred Thomsen <me...@fredthomsen.net>.

I am wondering if anyone got any further on this? I am using LDAP authentication and I have the same issue. I have tried to reproduce this using breeze with the same LDAP configuration as I have in my extended airflow image, but interestingly I am not able too, so I am a bit confused.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, October 27th, 2021 at 11:04 PM, Kyle Nickl <kg...@gmail.com> wrote:

> I agree with Christian. I never saw that error recently until I removed "can read on Website" from the public role. For a while I added that to public role to prevent a redirect loop 502 which was occuring instead of the no access page for users with no roles or the public role. So that permission was added as temp work around until the redirect loop error was recently patched. And now I see this "Access is denied" immediately after logging in via oauth.
>
> On Wed, Oct 27, 2021 at 1:15 AM Christian Schilling <ch...@googlemail.com> wrote:
>
>> Hi Lewis,
>>
>> sorry for the late answer, but I didn't have time for investigating the issue yesterday. I took a look now.
>> I found the code where the alert is generated.
>> [https://github.com/apache/airflow/blob/main/airflow/www/](https://github.com/apache/airflow/blob/main/airflow/www/templates/airflow/_messages.html)auth.py
>>
>> There the authorization is checked. I followed the code there. My thought is that when you call the airflow root first without permissions, this alert is generated. Then you are redirected in the OAuth Flow until you get back to the view with permissions, but the alert isn't deleted.
>>
>> What do you think.
>>
>> Chris
>>
>> Christian Schilling <ch...@googlemail.com> schrieb am Mo., 25. Okt. 2021, 18:35:
>>
>>> Hi Lewis,
>>>
>>> ok cool, thanks. If we find where the rendering is triggered, it helps to find the root cause or at least to understand the process. Maybe I can have a look at it tomorrow :)
>>>
>>> Chris
>>>
>>> Lewis John McGibbney <le...@apache.org> schrieb am Mo., 25. Okt. 2021, 18:31:
>>>
>>>> Hi Christian,
>>>>
>>>> On 2021/10/25 16:23:47, Christian Schilling <ch...@googlemail.com> wrote:
>>>>> Does anyone know where the alert is
>>>>> generated?
>>>>
>>>> https://github.com/apache/airflow/blob/main/airflow/www/templates/airflow/_messages.html seems to be the dynamically rendered code block... I have no idea how to even debug the code execution though. I am not a front end developer.
>>>>
>>>> lewismc

Re: Airflow OAuth - "Access is denied"

Posted by Kyle Nickl <kg...@gmail.com>.

I agree with Christian. I never saw that error recently until I removed
"can read on Website" from the public role. For a while I added that to
public role to prevent a redirect loop 502 which was occuring instead of
the no access page for users with no roles or the public role. So that
permission was added as temp work around until the redirect loop error was
recently patched. And now I see this "Access is denied" immediately after
logging in via oauth.

On Wed, Oct 27, 2021 at 1:15 AM Christian Schilling <
christian.lellmann@googlemail.com> wrote:

> Hi Lewis,
>
> sorry for the late answer, but I didn't have time for investigating the
> issue yesterday. I took a look now.
> I found the code where the alert is generated.
> https://github.com/apache/airflow/blob/main/airflow/www/
> <https://github.com/apache/airflow/blob/main/airflow/www/templates/airflow/_messages.html>
> auth.py
>
> There the authorization is checked. I followed the code there. My thought
> is that when you call the airflow root first without permissions, this
> alert is generated. Then you are redirected in the OAuth Flow until you get
> back to the view with permissions, but the alert isn't deleted.
>
> What do you think.
>
> Chris
>
> Christian Schilling <ch...@googlemail.com> schrieb am Mo.,
> 25. Okt. 2021, 18:35:
>
>> Hi Lewis,
>>
>> ok cool, thanks. If we find where the rendering is triggered, it helps to
>> find the root cause or at least to understand the process. Maybe I can have
>> a look at it tomorrow :)
>>
>> Chris
>>
>>
>> Lewis John McGibbney <le...@apache.org> schrieb am Mo., 25. Okt. 2021,
>> 18:31:
>>
>>> Hi Christian,
>>>
>>> On 2021/10/25 16:23:47, Christian Schilling <
>>> christian.lellmann@googlemail.com> wrote:
>>> > Does anyone know where the alert is
>>> > generated?
>>>
>>>
>>> https://github.com/apache/airflow/blob/main/airflow/www/templates/airflow/_messages.html
>>> seems to be the dynamically rendered code block... I have no idea how to
>>> even debug the code execution though. I am not a front end developer.
>>>
>>> lewismc
>>>
>>

Re: Airflow OAuth - "Access is denied"

Posted by Christian Schilling <ch...@googlemail.com>.

Hi Lewis,

sorry for the late answer, but I didn't have time for investigating the
issue yesterday. I took a look now.
I found the code where the alert is generated.
https://github.com/apache/airflow/blob/main/airflow/www/
<https://github.com/apache/airflow/blob/main/airflow/www/templates/airflow/_messages.html>
auth.py

There the authorization is checked. I followed the code there. My thought
is that when you call the airflow root first without permissions, this
alert is generated. Then you are redirected in the OAuth Flow until you get
back to the view with permissions, but the alert isn't deleted.

What do you think.

Chris

Christian Schilling <ch...@googlemail.com> schrieb am Mo., 25.
Okt. 2021, 18:35:

> Hi Lewis,
>
> ok cool, thanks. If we find where the rendering is triggered, it helps to
> find the root cause or at least to understand the process. Maybe I can have
> a look at it tomorrow :)
>
> Chris
>
>
> Lewis John McGibbney <le...@apache.org> schrieb am Mo., 25. Okt. 2021,
> 18:31:
>
>> Hi Christian,
>>
>> On 2021/10/25 16:23:47, Christian Schilling <
>> christian.lellmann@googlemail.com> wrote:
>> > Does anyone know where the alert is
>> > generated?
>>
>>
>> https://github.com/apache/airflow/blob/main/airflow/www/templates/airflow/_messages.html
>> seems to be the dynamically rendered code block... I have no idea how to
>> even debug the code execution though. I am not a front end developer.
>>
>> lewismc
>>
>

Re: Airflow OAuth - "Access is denied"

Posted by Christian Schilling <ch...@googlemail.com>.

Hi Lewis,

ok cool, thanks. If we find where the rendering is triggered, it helps to
find the root cause or at least to understand the process. Maybe I can have
a look at it tomorrow :)

Chris


Lewis John McGibbney <le...@apache.org> schrieb am Mo., 25. Okt. 2021,
18:31:

> Hi Christian,
>
> On 2021/10/25 16:23:47, Christian Schilling <
> christian.lellmann@googlemail.com> wrote:
> > Does anyone know where the alert is
> > generated?
>
>
> https://github.com/apache/airflow/blob/main/airflow/www/templates/airflow/_messages.html
> seems to be the dynamically rendered code block... I have no idea how to
> even debug the code execution though. I am not a front end developer.
>
> lewismc
>

Re: Airflow OAuth - "Access is denied"

Posted by Lewis John McGibbney <le...@apache.org>.

Hi Christian,

On 2021/10/25 16:23:47, Christian Schilling <ch...@googlemail.com> wrote: 
> Does anyone know where the alert is
> generated?

https://github.com/apache/airflow/blob/main/airflow/www/templates/airflow/_messages.html seems to be the dynamically rendered code block... I have no idea how to even debug the code execution though. I am not a front end developer.

lewismc

Re: Airflow OAuth - "Access is denied"

Posted by Christian Schilling <ch...@googlemail.com>.

Hi Lewis,

I think so too, that it is a bug. I also didn't find the root cause so far.
The OAuth Flow is done by the flask-appbuilder, but I'm not sure when and
where exactly this error is raised. If it is a problem in the
flask-appbuilder or in airflow code. Does anyone know where the alert is
generated?

Chris

Lewis John McGibbney <le...@apache.org> schrieb am Mo., 25. Okt. 2021,
18:12:

> Hi Christian,
> WOW that was quick ;)
>
> On 2021/10/25 16:09:45, Christian Schilling <
> christian.lellmann@googlemail.com> wrote:
>
> > yes, I experienced the same during the first sign in. Then after clicking
> > it away, it doesn't come again when signing on.
>
> That's the exact same as we experience. If the token is still valid then
> the message is not there. It does however appear again upon ever new
> signin. I think this is a bug but I am not sure how to really investigate
> it.
>
> lewismc
>

Re: Airflow OAuth - "Access is denied"

Posted by Lewis John McGibbney <le...@apache.org>.

Hi Christian,
WOW that was quick ;)

On 2021/10/25 16:09:45, Christian Schilling <ch...@googlemail.com> wrote: 

> yes, I experienced the same during the first sign in. Then after clicking
> it away, it doesn't come again when signing on.

That's the exact same as we experience. If the token is still valid then the message is not there. It does however appear again upon ever new signin. I think this is a bug but I am not sure how to really investigate it.

lewismc

Re: Airflow OAuth - "Access is denied"

Posted by Christian Schilling <ch...@googlemail.com>.

Hi all,

yes, I experienced the same during the first sign in. Then after clicking
it away, it doesn't come again when signing on.

Best,

Chris

Lewis John McGibbney <le...@apache.org> schrieb am Mo., 25. Okt. 2021,
18:06:

> Hi users@,
> We have been working in migrating from LDAP authentication to OAuth Single
> Sign On. When a user logs in, they see a red prompt banner with the text
> "Access is denied". The user can simply click off of this banner and
> everything seems to work fine but this just looks weird. Has anyone else
> experienced this?
> Thanks
> lewismc
>