[GitHub] [airflow] BMFH opened a new issue, #28919: Airflow API kerberos authentication error

GitBox Fri, 13 Jan 2023 03:28:05 -0800


BMFH opened a new issue, #28919:
URL: https://github.com/apache/airflow/issues/28919


   ### Apache Airflow version
   
   2.5.0
   
   ### What happened
   
   Configured AUTH_DB authentication for web server and Kerberos authentication 
for API. Web server works well.
   Try to get any API endpoint and get an error 500. I see Kerberos 
authentication step is done, but authorization step fails.
   'User' object (now it is just a string) doesn't have such parameter.
   
   Request error
   ```
   янв 13 13:54:14 nginx-test airflow[238738]: [2023-01-13 13:54:14,923] 
{app.py:1741} ERROR - Exception on /api/v1/dags [GET]
   янв 13 13:54:14 nginx-test airflow[238738]: Traceback (most recent call 
last):
   янв 13 13:54:14 nginx-test airflow[238738]:   File 
"/usr/local/lib/python3.8/dist-packages/flask/app.py", line 2525, in wsgi_app
   янв 13 13:54:14 nginx-test airflow[238738]:     response = 
self.full_dispatch_request()
   янв 13 13:54:14 nginx-test airflow[238738]:   File 
"/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1822, in 
full_dispatch_request
   янв 13 13:54:14 nginx-test airflow[238738]:     rv = 
self.handle_user_exception(e)
   янв 13 13:54:14 nginx-test airflow[238738]:   File 
"/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1820, in 
full_dispatch_request
   янв 13 13:54:14 nginx-test airflow[238738]:     rv = self.dispatch_request()
   янв 13 13:54:14 nginx-test airflow[238738]:   File 
"/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1796, in 
dispatch_request
   янв 13 13:54:14 nginx-test airflow[238738]:     return 
self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
   янв 13 13:54:14 nginx-test airflow[238738]:   File 
"/usr/local/lib/python3.8/dist-packages/connexion/decorators/decorator.py", 
line 68, in wrapper
   янв 13 13:54:14 nginx-test airflow[238738]:     response = function(request)
   янв 13 13:54:14 nginx-test airflow[238738]:   File 
"/usr/local/lib/python3.8/dist-packages/connexion/decorators/uri_parsing.py", 
line 149, in wrapper
   янв 13 13:54:14 nginx-test airflow[238738]:     response = function(request)
   янв 13 13:54:14 nginx-test airflow[238738]:   File 
"/usr/local/lib/python3.8/dist-packages/connexion/decorators/validation.py", 
line 399, in wrapper
   янв 13 13:54:14 nginx-test airflow[238738]:     return function(request)
   янв 13 13:54:14 nginx-test airflow[238738]:   File 
"/usr/local/lib/python3.8/dist-packages/connexion/decorators/response.py", line 
112, in wrapper
   янв 13 13:54:14 nginx-test airflow[238738]:     response = function(request)
   янв 13 13:54:14 nginx-test airflow[238738]:   File 
"/usr/local/lib/python3.8/dist-packages/connexion/decorators/parameter.py", 
line 120, in wrapper
   янв 13 13:54:14 nginx-test airflow[238738]:     return function(**kwargs)
   янв 13 13:54:14 nginx-test airflow[238738]:   File 
"/usr/local/lib/python3.8/dist-packages/airflow/api_connexion/security.py", 
line 50, in decorated
   янв 13 13:54:14 nginx-test airflow[238738]:     if 
appbuilder.sm.check_authorization(permissions, kwargs.get("dag_id")):
   янв 13 13:54:14 nginx-test airflow[238738]:   File 
"/usr/local/lib/python3.8/dist-packages/airflow/www/security.py", line 715, in 
check_authorization
   янв 13 13:54:14 nginx-test airflow[238738]:     can_access_all_dags = 
self.has_access(*perm)
   янв 13 13:54:14 nginx-test airflow[238738]:   File 
"/usr/local/lib/python3.8/dist-packages/airflow/www/security.py", line 419, in 
has_access
   янв 13 13:54:14 nginx-test airflow[238738]:     if (action_name, 
resource_name) in user.perms:
   янв 13 13:54:14 nginx-test airflow[238738]: AttributeError: 'str' object has 
no attribute 'perms'
   янв 13 13:54:14 nginx-test airflow[238738]: 127.0.0.1 - - 
[13/Jan/2023:13:54:14 +0300] "GET /api/v1/dags HTTP/1.1" 500 1561 "-" 
"curl/7.68.0"
   ```
   Starting airflow-webserver log (no errors) 
   ```
   янв 13 13:38:51 nginx-test airflow[238502]:   ____________       
_____________
   янв 13 13:38:51 nginx-test airflow[238502]:  ____    |__( )_________  __/__  
/________      __
   янв 13 13:38:51 nginx-test airflow[238502]: ____  /| |_  /__  ___/_  /_ __  
/_  __ \_ | /| / /
   янв 13 13:38:51 nginx-test airflow[238502]: ___  ___ |  / _  /   _  __/ _  / 
/ /_/ /_ |/ |/ /
   янв 13 13:38:51 nginx-test airflow[238502]:  _/_/  |_/_/  /_/    /_/    /_/  
\____/____/|__/
   янв 13 13:38:51 nginx-test airflow[238502]: Running the Gunicorn Server with:
   янв 13 13:38:51 nginx-test airflow[238502]: Workers: 4 sync
   янв 13 13:38:51 nginx-test airflow[238502]: Host: 0.0.0.0:10000
   янв 13 13:38:51 nginx-test airflow[238502]: Timeout: 120
   янв 13 13:38:51 nginx-test airflow[238502]: Logfiles: - -
   янв 13 13:38:51 nginx-test airflow[238502]: Access Logformat:
   янв 13 13:38:51 nginx-test airflow[238502]: 
=================================================================
   янв 13 13:38:51 nginx-test airflow[238502]: [2023-01-13 13:38:51,209] 
{webserver_command.py:431} INFO - Received signal: 15. Closing gunicorn.
   янв 13 13:38:51 nginx-test airflow[238519]: [2023-01-13 13:38:51 +0300] 
[238519] [WARNING] Worker with pid 238525 was terminated due to signal 15
   янв 13 13:38:51 nginx-test airflow[238519]: [2023-01-13 13:38:51 +0300] 
[238519] [WARNING] Worker with pid 238523 was terminated due to signal 15
   янв 13 13:38:51 nginx-test airflow[238519]: [2023-01-13 13:38:51 +0300] 
[238519] [WARNING] Worker with pid 238526 was terminated due to signal 15
   янв 13 13:38:51 nginx-test airflow[238519]: [2023-01-13 13:38:51 +0300] 
[238519] [WARNING] Worker with pid 238524 was terminated due to signal 15
   янв 13 13:38:51 nginx-test airflow[238519]: [2023-01-13 13:38:51 +0300] 
[238519] [INFO] Shutting down: Master
   янв 13 13:38:52 nginx-test systemd[1]: airflow-webserver.service: Succeeded.
   янв 13 13:38:52 nginx-test systemd[1]: Stopped Airflow webserver daemon.
   янв 13 13:38:52 nginx-test systemd[1]: Started Airflow webserver daemon.
   янв 13 13:38:54 nginx-test airflow[238732]: 
/usr/local/lib/python3.8/dist-packages/airflow/api/auth/backend/kerberos_auth.py:50
 DeprecationWarning: '_request_ctx_stack' is dep>
   янв 13 13:38:54 nginx-test airflow[238732]: [2023-01-13 13:38:54,393] 
{kerberos_auth.py:78} INFO - Kerberos: hostname nginx-test.corp.mycompany
   янв 13 13:38:54 nginx-test airflow[238732]: [2023-01-13 13:38:54,393] 
{kerberos_auth.py:88} INFO - Kerberos init: airflow nginx-test.corp.mycompany
   янв 13 13:38:54 nginx-test airflow[238732]: [2023-01-13 13:38:54,394] 
{kerberos_auth.py:93} INFO - Kerberos API: server is 
airflow/nginx-test.corp.mycompany@MYCOMPANY>
   янв 13 13:38:56 nginx-test airflow[238732]: [2023-01-13 13:38:56 +0300] 
[238732] [INFO] Starting gunicorn 20.1.0
   янв 13 13:38:56 nginx-test airflow[238732]: [2023-01-13 13:38:56 +0300] 
[238732] [INFO] Listening at: http://0.0.0.0:10000 (238732)
   янв 13 13:38:56 nginx-test airflow[238732]: [2023-01-13 13:38:56 +0300] 
[238732] [INFO] Using worker: sync
   янв 13 13:38:56 nginx-test airflow[238735]: [2023-01-13 13:38:56 +0300] 
[238735] [INFO] Booting worker with pid: 238735
   янв 13 13:38:57 nginx-test airflow[238736]: [2023-01-13 13:38:57 +0300] 
[238736] [INFO] Booting worker with pid: 238736
   янв 13 13:38:57 nginx-test airflow[238737]: [2023-01-13 13:38:57 +0300] 
[238737] [INFO] Booting worker with pid: 238737
   янв 13 13:38:57 nginx-test airflow[238738]: [2023-01-13 13:38:57 +0300] 
[238738] [INFO] Booting worker with pid: 238738
   ```
   
   I tried to skip rights check, commenting problem lines and returning True 
from has_access function and if I remember it right in one more function from 
security.py. And I got it working. But it has been just a hack to check where 
is the problem. 
   
   ### What you think should happen instead
   
   It should return right json answer with code 200.
   
   ### How to reproduce
   
   1. webserver_config.py: default
   
   2. airflow.cfg changed lines:
   
   ```
   [core]
   security = kerberos
   [api]
   auth_backends = 
airflow.api.auth.backend.kerberos_auth,airflow.api.auth.backend.session
   
   [kerberos]
   ccache = /tmp/airflow_krb5_ccache
   principal = airflow/nginx-test.mycompany
   reinit_frequency = 3600
   kinit_path = kinit
   keytab = /root/airflow/airflow2.keytab
   forwardable = True
   include_ip = True
   
   [webserver]
   base_url = http://localhost:10000
   web_server_port = 10000
   ```
   
   3. Create keytab file with airflow principal
   
   4. Log in as domain user, make request (for example):
   curl --verbose --negotiate -u : http://nginx-test.mycompany:10000/api/v1/dags
   
   
   ### Operating System
   
   Ubuntu. VERSION="20.04.5 LTS (Focal Fossa)"
   
   ### Versions of Apache Airflow Providers
   
   _No response_
   
   ### Deployment
   
   Virtualenv installation
   
   ### Deployment details
   
   _No response_
   
   ### Anything else
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of 
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [airflow] BMFH opened a new issue, #28919: Airflow API kerberos authentication error

Reply via email to