Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/12/16 19:05:01 UTC

[GitHub] [airflow] carlsonp opened a new issue, #28414: Airflow >= 2.3.4: The CSRF session token is missing upon login

carlsonp opened a new issue, #28414:
URL: https://github.com/apache/airflow/issues/28414

   ### Apache Airflow version
   
   2.5.0
   
   ### What happened
   
   I have a docker-compose local install of Airflow.  When I go to log in using LDAP, I get an error message: `The CSRF session token is missing`.  It's trying to `POST` to a `/login/` endpoint.  When I look at the request being submitted via my browser developer console, I see a value being set as part of the payload:
   
   ```
   csrf_token=redacted&username=myuser&password=secret
   ```
   
   I **don't** have an issue with Airflow `2.3.3`.  I've tested it with other versions such as `2.3.4`, `2.4.3`, and `2.5.0` and they all exhibit the same issue.
   
   Based on searching, some people talk about ensuring a common secret key is set to ensure communication between the Webserver and the Worker nodes.  I've tried setting the following environment variables in my docker-compose as part of the startup.  This didn't appear to fix the issue.  I also tried setting the number of workers to 1.
   
   ```
   AIRFLOW__LOGGING__LOGGING_LEVEL: DEBUG
   # https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#workers
   # https://github.com/apache/airflow/issues/23512#issuecomment-1276644397
   AIRFLOW__WEBSERVER__WORKERS: 1
   # https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#auth-backends
   # allows all requests to hit the API
   AIRFLOW__API__AUTH_BACKENDS: 'airflow.api.auth.backend.default,airflow.api.auth.backend.session'
   # https://stackoverflow.com/questions/68889419/csrf-session-token-is-missing-in-airflow
   AIRFLOW__WEBSERVER__SECRET_KEY: 'superdupersecret'
   ```
   
   
   ### What you think should happen instead
   
   I should be able to log in and get to the DAG screen.
   
   ### How to reproduce
   
   I have the following `webserver_config.py` file that works with Airflow `2.3.3`.
   
   ```
   import os
   from flask_appbuilder.security.manager import AUTH_LDAP
   
   # The authentication type
   AUTH_TYPE = AUTH_LDAP
   
   # Will allow user self registration
   AUTH_USER_REGISTRATION = True
   
   AUTH_USER_REGISTRATION_ROLE = "Admin"
   
   AUTH_LDAP_SERVER = "ldaps://redacted"
   AUTH_LDAP_BIND_USER = "CN=" + os.environ['LDAP_USER'] + ",CN=Users,DC=redacted,DC=redacted,DC=redacted"
   AUTH_LDAP_BIND_PASSWORD = os.environ['LDAP_PASSWORD']
   AUTH_LDAP_SEARCH = "CN=Users,DC=redacted,DC=redacted,DC=redacted"
   AUTH_LDAP_SEARCH_FILTER = "(memberOf=cn=" + os.environ['LDAP_SECURITY_METAGROUP'] + ",CN=Users,DC=redacted,DC=redacted,DC=redacted)"
   AUTH_LDAP_UID_FIELD = "sAMAccountName"
   
   AUTH_LDAP_FIRSTNAME_FIELD = "givenName"
   AUTH_LDAP_LASTNAME_FIELD = "sn"
   
   # if we should replace ALL the user's roles each login, or only on registration
   AUTH_ROLES_SYNC_AT_LOGIN = True
   
   # force users to re-auth after 30min of inactivity (to keep roles in sync)
   PERMANENT_SESSION_LIFETIME = 1800
   ```
   
   This [discussion post](https://github.com/apache/airflow/discussions/26870) is *exactly* what I am experiencing.  They mentioned adjusting `webserver_config.py`.  Based on [the default config file in the repo](https://github.com/apache/airflow/blob/main/airflow/config_templates/default_webserver_config.py), I have made adjustments to the file.
   
   ```
   import os
   from flask_appbuilder.security.manager import AUTH_LDAP
   from airflow.www.fab_security.manager import AUTH_LDAP
   basedir = os.path.abspath(os.path.dirname(__file__))
   
   # I've tried enabling and disabling every combination of these two variables
   #CSRF_ENABLED = True
   #WTF_CSRF_ENABLED = True
   
   # The authentication type
   AUTH_TYPE = AUTH_LDAP
   ...
   ```
   
   This still doesn't work for me.
   
   I'm not sure what else to try.  [This change](https://github.com/apache/airflow/commit/48d4c5da19217174c8996b2882bb71f40381ae2c) seemed to make adjustments to the underlying FAB security system.  However, I can't find any examples in the official documentation or elsewhere for *new* working LDAP examples.
   
   Thank you.
   
   ### Operating System
   
   Linux (Ubuntu) within container
   
   ### Versions of Apache Airflow Providers
   
   _No response_
   
   ### Deployment
   
   Docker-Compose
   
   ### Deployment details
   
   docker-compose on Windows
   
   ### Anything else
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
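
The report above shows a `csrf_token` field in the POST body while the error names the *session* token. The following added example (not Airflow or Flask-WTF code, and not part of the original thread) is a simplified standard-library model of the checks Flask-WTF's `validate_csrf` performs, with the time-limit check omitted; the key, session store and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key"  # constructed value, not from the issue


def _sign(raw: str) -> str:
    # Signed form token: raw value plus an HMAC over it.
    mac = hmac.new(SECRET_KEY, raw.encode(), hashlib.sha256).hexdigest()
    return f"{raw}.{mac}"


def issue_token(session: dict) -> str:
    """GET /login/: keep the raw token in the session, return a signed copy for the form."""
    raw = session.setdefault("csrf_token", secrets.token_hex(20))
    return _sign(raw)


def check_token(session: dict, form: dict) -> str:
    """POST /login/: checks in the order Flask-WTF applies them (simplified)."""
    data = form.get("csrf_token")
    if not data:
        return "The CSRF token is missing."
    if "csrf_token" not in session:
        # The form field arrived, but the server has no session-side token.
        return "The CSRF session token is missing."
    raw = data.rpartition(".")[0]
    if not hmac.compare_digest(_sign(raw).encode(), data.encode()):
        return "The CSRF token is invalid."
    if not hmac.compare_digest(session["csrf_token"].encode(), raw.encode()):
        return "The CSRF tokens do not match."
    return "ok"


def login_round_trip(session_survives: bool) -> str:
    """Simulate GET then POST, optionally losing the server-side session in between."""
    store = {"sid-1": {}}            # hypothetical session store keyed by session id
    form = {"csrf_token": issue_token(store["sid-1"]), "username": "myuser"}
    if not session_survives:
        store.pop("sid-1")           # session not found when the POST arrives
    return check_token(store.get("sid-1", {}), form)
```

When the form token is present and this message appears, the place to look is the session side: whether the browser sent the session cookie back and whether the session backend returned the stored session for it.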


[GitHub] [airflow] carlsonp commented on issue #28414: Airflow >= 2.3.4: The CSRF session token is missing upon login

Posted by GitBox <gi...@apache.org>.
carlsonp commented on issue #28414:
URL: https://github.com/apache/airflow/issues/28414#issuecomment-1379360000

   You're a lifesaver, thank you.  Setting the [AIRFLOW__WEBSERVER__SESSION_BACKEND](https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#session-backend) environment variable to `securecookie` as a workaround addressed the issue for me.  I tested with Airflow `2.4.3`.
   
   This still seems like a bug to me though as the default `database` session doesn't appear to be working.
   
   If I can help in any further way for testing let me know.  Thanks




[GitHub] [airflow] potiuk commented on issue #28414: Airflow >= 2.3.4: The CSRF session token is missing upon login

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #28414:
URL: https://github.com/apache/airflow/issues/28414#issuecomment-1379370292

   > This still seems like a bug to me though as the default `database` session doesn't appear to be working.
   
   Quite agree.  I just raised awareness of it - I hope - at Airflow Slack and hopefully someone who has more knowledge about this will pick it up; https://github.com/apache/airflow/issues/28859 is the open issue for that.
   
   Also the good thing is that we now have at least a few confirmations that using `securecookie` solves the problem. And a good thing is that if we repeat it long enough, people might be able to find the workaround.




[GitHub] [airflow] potiuk commented on issue #28414: Airflow >= 2.3.4: The CSRF session token is missing upon login

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #28414:
URL: https://github.com/apache/airflow/issues/28414#issuecomment-1379372308

   Closing as essentially a duplicate of #28859 - let's keep one issue open for it.




[GitHub] [airflow] potiuk commented on issue #28414: Airflow >= 2.3.4: The CSRF session token is missing upon login

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #28414:
URL: https://github.com/apache/airflow/issues/28414#issuecomment-1379158191

   I think the problem might be `PERMANENT_SESSION_LIFETIME`.  You can try to implement the workarounds mentioned in #28859 and #28373 (look there for details).
   
   Related issues:
   
   * https://github.com/apache/airflow/discussions/28098
   * https://github.com/apache/airflow/discussions/28769
   * https://github.com/apache/airflow/discussions/28099
   * https://github.com/apache/airflow/discussions/27861
   * https://github.com/apache/airflow/issues/28859
   * https://github.com/apache/airflow/issues/28373
   
   




[GitHub] [airflow] carlsonp closed issue #28414: Airflow >= 2.3.4: The CSRF session token is missing upon login

Posted by GitBox <gi...@apache.org>.
carlsonp closed issue #28414: Airflow >= 2.3.4: The CSRF session token is missing upon login
URL: https://github.com/apache/airflow/issues/28414

