vincbeck pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 451f1dfa816 Fix remote user authentication in Fab auth manager (#57775)
451f1dfa816 is described below
commit 451f1dfa81684736a96397062a0d78f862d11224
Author: Vincent <[email protected]>
AuthorDate: Tue Nov 4 11:05:13 2025 -0500
Fix remote user authentication in Fab auth manager (#57775)
---
.../fab/auth_manager/security_manager/override.py | 34 ++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git
a/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
b/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
index 6b135ca539a..4b4c2576b49 100644
---
a/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
+++
b/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
@@ -733,6 +733,10 @@ class
FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
"""The JMESPATH role to use for user registration."""
return current_app.config["AUTH_USER_REGISTRATION_ROLE_JMESPATH"]
+ @property
+ def auth_remote_user_env_var(self) -> str:
+ return current_app.config["AUTH_REMOTE_USER_ENV_VAR"]
+
@property
def auth_username_ci(self):
"""Get the auth username for CI."""
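Review bot: The new `auth_remote_user_env_var` property has no docstring, unlike the properties on either side of it, and the setting it exposes looks security-relevant: it presumably names the request-environment variable whose value is accepted as the already-authenticated username. I would add a one-line docstring such as `"""The request environ key trusted as the authenticated username; only the fronting server may set it."""`. The lookup is `current_app.config["AUTH_REMOTE_USER_ENV_VAR"]`, so it raises `KeyError` unless a default is registered elsewhere in the class, which this hunk does not show. If there is none, `current_app.config.get("AUTH_REMOTE_USER_ENV_VAR", "REMOTE_USER")` avoids the failure.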
@@ -2210,6 +2214,36 @@ class
FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
# decode - if empty string, default to fallback, otherwise take first
element
return raw_value[0].decode("utf-8") or fallback
+ def auth_user_remote_user(self, username):
+ """
+ REMOTE_USER user Authentication.
+
+ :param username: user's username for remote auth
+ """
+ user = self.find_user(username=username)
+
+ # User does not exist, create one if auto user registration.
+ if user is None and self.auth_user_registration:
+ user = self.add_user(
+ # All we have is REMOTE_USER, so we set
+ # the other fields to blank.
+ username=username,
+ first_name=username,
+ last_name="-",
+ email=username + "@email.notfound",
+ role=self.find_role(self.auth_user_registration_role),
+ )
+
+ # If user does not exist on the DB and not auto user registration,
+ # or user is inactive, go away.
+ elif user is None or (not user.is_active):
+ log.info(LOGMSG_WAR_SEC_LOGIN_FAILED, username)
+ return None
+
+ self._rotate_session_id()
+ self.update_user_auth_stat(user)
+ return user
+
"""
---------------
Private methods
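Review bot: The result of `self.add_user(...)` in the auto-registration branch is never checked, so if registration fails and `add_user` (defined outside this hunk) returns a falsy value, the code still reaches `self._rotate_session_id()` and `self.update_user_auth_stat(user)` with no user. A guard right after the call, `if not user:` followed by `return None`, would make that failure behave like the rejected-login path. Nothing in the method rejects an empty `username` either, so with auto registration enabled an empty value passed by the caller would be registered as an account; `if not username: return None` at the top would close that. The docstring should also say that the method performs no credential check and that `username` must only ever come from the trusted front-end server.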