BMFH opened a new issue, #28919: URL: https://github.com/apache/airflow/issues/28919
### Apache Airflow version 2.5.0 ### What happened Configured AUTH_DB authentication for web server and Kerberos authentication for API. Web server works well. Try to get any API endpoint and get an error 500. I see Kerberos authentication step is done, but authorization step fails. 'User' object (now it is just a string) doesn't have such parameter. Request error ``` янв 13 13:54:14 nginx-test airflow[238738]: [2023-01-13 13:54:14,923] {app.py:1741} ERROR - Exception on /api/v1/dags [GET] янв 13 13:54:14 nginx-test airflow[238738]: Traceback (most recent call last): янв 13 13:54:14 nginx-test airflow[238738]: File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 2525, in wsgi_app янв 13 13:54:14 nginx-test airflow[238738]: response = self.full_dispatch_request() янв 13 13:54:14 nginx-test airflow[238738]: File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1822, in full_dispatch_request янв 13 13:54:14 nginx-test airflow[238738]: rv = self.handle_user_exception(e) янв 13 13:54:14 nginx-test airflow[238738]: File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1820, in full_dispatch_request янв 13 13:54:14 nginx-test airflow[238738]: rv = self.dispatch_request() янв 13 13:54:14 nginx-test airflow[238738]: File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1796, in dispatch_request янв 13 13:54:14 nginx-test airflow[238738]: return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args) янв 13 13:54:14 nginx-test airflow[238738]: File "/usr/local/lib/python3.8/dist-packages/connexion/decorators/decorator.py", line 68, in wrapper янв 13 13:54:14 nginx-test airflow[238738]: response = function(request) янв 13 13:54:14 nginx-test airflow[238738]: File "/usr/local/lib/python3.8/dist-packages/connexion/decorators/uri_parsing.py", line 149, in wrapper янв 13 13:54:14 nginx-test airflow[238738]: response = function(request) янв 13 13:54:14 nginx-test airflow[238738]: File "/usr/local/lib/python3.8/dist-packages/connexion/decorators/validation.py", line 399, in wrapper янв 13 13:54:14 nginx-test airflow[238738]: return function(request) янв 13 13:54:14 nginx-test airflow[238738]: File "/usr/local/lib/python3.8/dist-packages/connexion/decorators/response.py", line 112, in wrapper янв 13 13:54:14 nginx-test airflow[238738]: response = function(request) янв 13 13:54:14 nginx-test airflow[238738]: File "/usr/local/lib/python3.8/dist-packages/connexion/decorators/parameter.py", line 120, in wrapper янв 13 13:54:14 nginx-test airflow[238738]: return function(**kwargs) янв 13 13:54:14 nginx-test airflow[238738]: File "/usr/local/lib/python3.8/dist-packages/airflow/api_connexion/security.py", line 50, in decorated янв 13 13:54:14 nginx-test airflow[238738]: if appbuilder.sm.check_authorization(permissions, kwargs.get("dag_id")): янв 13 13:54:14 nginx-test airflow[238738]: File "/usr/local/lib/python3.8/dist-packages/airflow/www/security.py", line 715, in check_authorization янв 13 13:54:14 nginx-test airflow[238738]: can_access_all_dags = self.has_access(*perm) янв 13 13:54:14 nginx-test airflow[238738]: File "/usr/local/lib/python3.8/dist-packages/airflow/www/security.py", line 419, in has_access янв 13 13:54:14 nginx-test airflow[238738]: if (action_name, resource_name) in user.perms: янв 13 13:54:14 nginx-test airflow[238738]: AttributeError: 'str' object has no attribute 'perms' янв 13 13:54:14 nginx-test airflow[238738]: 127.0.0.1 - - [13/Jan/2023:13:54:14 +0300] "GET /api/v1/dags HTTP/1.1" 500 1561 "-" "curl/7.68.0" ``` Starting airflow-webserver log (no errors) ``` янв 13 13:38:51 nginx-test airflow[238502]: ____________ _____________ янв 13 13:38:51 nginx-test airflow[238502]: ____ |__( )_________ __/__ /________ __ янв 13 13:38:51 nginx-test airflow[238502]: ____ /| |_ /__ ___/_ /_ __ /_ __ \_ | /| / / янв 13 13:38:51 nginx-test airflow[238502]: ___ ___ | / _ / _ __/ _ / / /_/ /_ |/ |/ / янв 13 13:38:51 nginx-test airflow[238502]: _/_/ |_/_/ /_/ /_/ /_/ \____/____/|__/ янв 13 13:38:51 nginx-test airflow[238502]: Running the Gunicorn Server with: янв 13 13:38:51 nginx-test airflow[238502]: Workers: 4 sync янв 13 13:38:51 nginx-test airflow[238502]: Host: 0.0.0.0:10000 янв 13 13:38:51 nginx-test airflow[238502]: Timeout: 120 янв 13 13:38:51 nginx-test airflow[238502]: Logfiles: - - янв 13 13:38:51 nginx-test airflow[238502]: Access Logformat: янв 13 13:38:51 nginx-test airflow[238502]: ================================================================= янв 13 13:38:51 nginx-test airflow[238502]: [2023-01-13 13:38:51,209] {webserver_command.py:431} INFO - Received signal: 15. Closing gunicorn. янв 13 13:38:51 nginx-test airflow[238519]: [2023-01-13 13:38:51 +0300] [238519] [WARNING] Worker with pid 238525 was terminated due to signal 15 янв 13 13:38:51 nginx-test airflow[238519]: [2023-01-13 13:38:51 +0300] [238519] [WARNING] Worker with pid 238523 was terminated due to signal 15 янв 13 13:38:51 nginx-test airflow[238519]: [2023-01-13 13:38:51 +0300] [238519] [WARNING] Worker with pid 238526 was terminated due to signal 15 янв 13 13:38:51 nginx-test airflow[238519]: [2023-01-13 13:38:51 +0300] [238519] [WARNING] Worker with pid 238524 was terminated due to signal 15 янв 13 13:38:51 nginx-test airflow[238519]: [2023-01-13 13:38:51 +0300] [238519] [INFO] Shutting down: Master янв 13 13:38:52 nginx-test systemd[1]: airflow-webserver.service: Succeeded. янв 13 13:38:52 nginx-test systemd[1]: Stopped Airflow webserver daemon. янв 13 13:38:52 nginx-test systemd[1]: Started Airflow webserver daemon. янв 13 13:38:54 nginx-test airflow[238732]: /usr/local/lib/python3.8/dist-packages/airflow/api/auth/backend/kerberos_auth.py:50 DeprecationWarning: '_request_ctx_stack' is dep> янв 13 13:38:54 nginx-test airflow[238732]: [2023-01-13 13:38:54,393] {kerberos_auth.py:78} INFO - Kerberos: hostname nginx-test.corp.mycompany янв 13 13:38:54 nginx-test airflow[238732]: [2023-01-13 13:38:54,393] {kerberos_auth.py:88} INFO - Kerberos init: airflow nginx-test.corp.mycompany янв 13 13:38:54 nginx-test airflow[238732]: [2023-01-13 13:38:54,394] {kerberos_auth.py:93} INFO - Kerberos API: server is airflow/nginx-test.corp.mycompany@MYCOMPANY> янв 13 13:38:56 nginx-test airflow[238732]: [2023-01-13 13:38:56 +0300] [238732] [INFO] Starting gunicorn 20.1.0 янв 13 13:38:56 nginx-test airflow[238732]: [2023-01-13 13:38:56 +0300] [238732] [INFO] Listening at: http://0.0.0.0:10000 (238732) янв 13 13:38:56 nginx-test airflow[238732]: [2023-01-13 13:38:56 +0300] [238732] [INFO] Using worker: sync янв 13 13:38:56 nginx-test airflow[238735]: [2023-01-13 13:38:56 +0300] [238735] [INFO] Booting worker with pid: 238735 янв 13 13:38:57 nginx-test airflow[238736]: [2023-01-13 13:38:57 +0300] [238736] [INFO] Booting worker with pid: 238736 янв 13 13:38:57 nginx-test airflow[238737]: [2023-01-13 13:38:57 +0300] [238737] [INFO] Booting worker with pid: 238737 янв 13 13:38:57 nginx-test airflow[238738]: [2023-01-13 13:38:57 +0300] [238738] [INFO] Booting worker with pid: 238738 ``` I tried to skip rights check, commenting problem lines and returning True from has_access function and if I remember it right in one more function from security.py. And I got it working. But it has been just a hack to check where is the problem. ### What you think should happen instead It should return right json answer with code 200. ### How to reproduce 1. webserver_config.py: default 2. airflow.cfg changed lines: ``` [core] security = kerberos [api] auth_backends = airflow.api.auth.backend.kerberos_auth,airflow.api.auth.backend.session [kerberos] ccache = /tmp/airflow_krb5_ccache principal = airflow/nginx-test.mycompany reinit_frequency = 3600 kinit_path = kinit keytab = /root/airflow/airflow2.keytab forwardable = True include_ip = True [webserver] base_url = http://localhost:10000 web_server_port = 10000 ``` 3. Create keytab file with airflow principal 4. Log in as domain user, make request (for example): curl --verbose --negotiate -u : http://nginx-test.mycompany:10000/api/v1/dags ### Operating System Ubuntu. VERSION="20.04.5 LTS (Focal Fossa)" ### Versions of Apache Airflow Providers _No response_ ### Deployment Virtualenv installation ### Deployment details _No response_ ### Anything else _No response_ ### Are you willing to submit PR? - [ ] Yes I am willing to submit a PR! ### Code of Conduct - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org