carlsonp opened a new issue, #28414: URL: https://github.com/apache/airflow/issues/28414
### Apache Airflow version

2.5.0

### What happened

I have a docker-compose local install of Airflow. When I go to login using LDAP, I get an error message: `The CSRF session token is missing`. It's trying to `POST` to a `/login/` endpoint. When I look at the request being submitted via my browser developer console, I see a value being set as part of the payload:

```
csrf_token=redacted&username=myuser&password=secret
```

I **don't** have an issue with Airflow `2.3.3`. I've tested it with other versions such as `2.3.4`, `2.4.3`, and `2.5.0` and they all exhibit the same issue.

Based on searching, some people talk about ensuring a common secret key is set to ensure communication between the Webserver and the Worker nodes. I've tried setting the following environment variables in my docker-compose as part of the startup. This didn't appear to fix the issue. I also tried setting the number of workers to 1.

```
AIRFLOW__LOGGING__LOGGING_LEVEL: DEBUG
# https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#workers
# https://github.com/apache/airflow/issues/23512#issuecomment-1276644397
AIRFLOW__WEBSERVER__WORKERS: 1
# https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#auth-backends
# allows all requests to hit the API
AIRFLOW__API__AUTH_BACKENDS: 'airflow.api.auth.backend.default,airflow.api.auth.backend.session'
# https://stackoverflow.com/questions/68889419/csrf-session-token-is-missing-in-airflow
AIRFLOW__WEBSERVER__SECRET_KEY: 'superdupersecret'
```

### What you think should happen instead

I should be able to login and get to the DAG screen.

### How to reproduce

I have the following `webserver_config.py` file that works with Airflow `2.3.3`.
```
import os
from flask_appbuilder.security.manager import AUTH_LDAP

# The authentication type
AUTH_TYPE = AUTH_LDAP

# Will allow user self registration
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"

AUTH_LDAP_SERVER = "ldaps://redacted"
AUTH_LDAP_BIND_USER = "CN=" + os.environ['LDAP_USER'] + ",CN=Users,DC=redacted,DC=redacted,DC=redacted"
AUTH_LDAP_BIND_PASSWORD = os.environ['LDAP_PASSWORD']
AUTH_LDAP_SEARCH = "CN=Users,DC=redacted,DC=redacted,DC=redacted"
AUTH_LDAP_SEARCH_FILTER = "(memberOf=cn=" + os.environ['LDAP_SECURITY_METAGROUP'] + ",CN=Users,DC=redacted,DC=redacted,DC=redacted)"
AUTH_LDAP_UID_FIELD = "sAMAccountName"
AUTH_LDAP_FIRSTNAME_FIELD = "givenName"
AUTH_LDAP_LASTNAME_FIELD = "sn"

# if we should replace ALL the user's roles each login, or only on registration
AUTH_ROLES_SYNC_AT_LOGIN = True

# force users to re-auth after 30min of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = 1800
```

This [discussion post](https://github.com/apache/airflow/discussions/26870) is *exactly* what I am experiencing. They mentioned adjusting `webserver_config.py`. Based on [the default config file in the repo](https://github.com/apache/airflow/blob/main/airflow/config_templates/default_webserver_config.py), I have made adjustments to the file.

```
import os
from flask_appbuilder.security.manager import AUTH_LDAP
from airflow.www.fab_security.manager import AUTH_LDAP

basedir = os.path.abspath(os.path.dirname(__file__))

# I've tried enabling and disabling every combination of these two variables
#CSRF_ENABLED = True
#WTF_CSRF_ENABLED = True

# The authentication type
AUTH_TYPE = AUTH_LDAP
...
```

This still doesn't work for me. I'm not sure what else to try. [This change](https://github.com/apache/airflow/commit/48d4c5da19217174c8996b2882bb71f40381ae2c) seemed to make adjustments to the underlying FAB security system. However, I can't find any examples in the official documentation or elsewhere for *new* working LDAP examples.

Thank you.

### Operating System

Linux (Ubuntu) within container

### Versions of Apache Airflow Providers

_No response_

### Deployment

Docker-Compose

### Deployment details

docker-compose on Windows

### Anything else

_No response_

### Are you willing to submit PR?

- [ ] Yes I am willing to submit a PR!

### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
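
The message in this report is one of four distinct errors that Flask-WTF's CSRF check can return, and which one appears narrows down where the login round trip broke. The following is an added example, not code from the issue or from Airflow: a simplified stdlib model (plain HMAC in place of itsdangerous, and Flask's default signed-cookie session assumed) that reproduces the check order and messages. The key values and helper names are constructed.

```python
import hashlib, hmac, json, secrets

FIELD = "csrf_token"  # Flask-WTF's default form field and session key

def _mac(key: str, msg: str) -> str:
    return hmac.new(key.encode(), msg.encode(), hashlib.sha256).hexdigest()

def dump_cookie(key: str, session: dict) -> str:
    """Serialise the session into a signed cookie value (simplified model)."""
    body = json.dumps(session, sort_keys=True)
    return f"{body}|{_mac(key, body)}"

def load_session(key: str, cookie) -> dict:
    """A missing or badly signed cookie yields an empty session, as Flask does."""
    if not cookie:
        return {}
    body, _, mac = cookie.rpartition("|")
    return json.loads(body) if hmac.compare_digest(mac, _mac(key, body)) else {}

def render_login(key: str):
    """GET /login/: returns (session cookie, signed token for the hidden field)."""
    raw = secrets.token_hex(20)
    return dump_cookie(key, {FIELD: raw}), f"{raw}.{_mac(key, raw)}"

def post_login(key: str, cookie, form: dict) -> str:
    """POST /login/: same check order and messages as Flask-WTF's validate_csrf."""
    data = form.get(FIELD)
    if not data:
        return "The CSRF token is missing."
    session = load_session(key, cookie)
    if FIELD not in session:
        return "The CSRF session token is missing."
    raw, _, mac = data.rpartition(".")
    if not hmac.compare_digest(mac, _mac(key, raw)):
        return "The CSRF token is invalid."
    if not hmac.compare_digest(session[FIELD], raw):
        return "The CSRF tokens do not match."
    return "accepted"

def scenarios() -> dict:
    key = "constructed-key-A"  # constructed sample value
    cookie, token = render_login(key)
    form = {FIELD: token, "username": "myuser"}
    return {
        "cookie returned, same key": post_login(key, cookie, form),
        "cookie not sent back": post_login(key, None, form),
        "POST handled with another key": post_login("constructed-key-B", cookie, form),
        "form field absent": post_login(key, cookie, {"username": "myuser"}),
    }
```

In this model the reported message appears whenever the server cannot recover the session that rendered the login form, whether the cookie never came back or its signature failed under a different key, even though `csrf_token` is present in the POST body.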
