vikrams12 opened a new issue, #64533:
URL: https://github.com/apache/airflow/issues/64533
### Apache Airflow version
3.1.8
### What happened and how to reproduce it?
I'm running an Airflow instance using the Docker image (3.1.8). Below is a snippet
from my webserver_config.py.
Since the roles are mapped to AD groups (which are maintained externally to
Airflow), I want the roles to be synced at every login / API request so that,
if a user has recently been added to a specific AD group, the user
automatically gets the required permissions.
This flow is working, but intermittently I get 403 Forbidden errors when
trying to perform certain actions like pausing/unpausing a DAG, even though the
logged-in user is part of the AD group that has the required permissions on the
DAG.
Once I log out and log back in with the same user account, I'm able to perform
this action. This behavior is intermittent, and whenever the forbidden error
happens, logging out and back in (sometimes a couple of attempts) fixes the issue.
The same intermittent behavior is observed on the Airflow REST APIs as well.
```python
from flask_appbuilder.security.manager import AUTH_LDAP
import logging
import ldap
import os

ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

# Enable authentication
AUTHENTICATE = True
AUTH_ROLE_PUBLIC = 'Viewer'
AUTH_TYPE = AUTH_LDAP

#AUTH_LDAP_**** section here

# AD group DN -> list of Airflow roles
AUTH_ROLES_MAPPING = {
    "CN=Admin,OU=Application,OU=Groups,OU=ITSC,DC=zone1,DC=xyz,DC=net": [
        "Admin"
    ],
    "CN=app-abc,OU=Application,OU=Groups,OU=ITSC,DC=zone1,DC=xyz,DC=net": [
        "app_role___abc__"
    ],
    "CN=app-def,OU=Application,OU=Groups,OU=ITSC,DC=zone1,DC=xyz,DC=net": [
        "app_role___def__"
    ]
}

# User registration settings
AUTH_USER_REGISTRATION = True
AUTH_ROLES_SYNC_AT_LOGIN = True
AUTH_USER_REGISTRATION_ROLE = "Viewer"
```
### What you think should happen instead?
There should be no forbidden error as long as the logged-in user is a memberOf
the AD group to which the required roles have already been assigned.
### Operating System
docker pull apache/airflow:3.1.8
### Versions of Apache Airflow Providers
apache-airflow-providers-amazon==9.22.0
apache-airflow-providers-celery==3.17.0
apache-airflow-providers-cncf-kubernetes==10.13.0
apache-airflow-providers-common-compat==1.14.0
apache-airflow-providers-common-io==1.7.1
apache-airflow-providers-common-messaging==2.0.2
apache-airflow-providers-common-sql==1.32.0
apache-airflow-providers-docker==4.5.2
apache-airflow-providers-elasticsearch==6.5.0
apache-airflow-providers-fab==3.4.0
apache-airflow-providers-ftp==3.14.1
apache-airflow-providers-git==0.2.4
apache-airflow-providers-google==20.0.0
apache-airflow-providers-grpc==3.9.2
apache-airflow-providers-hashicorp==4.5.0
apache-airflow-providers-http==6.0.0
apache-airflow-providers-microsoft-azure==13.0.0
apache-airflow-providers-mysql==6.5.0
apache-airflow-providers-odbc==4.12.0
apache-airflow-providers-openlineage==2.11.0
apache-airflow-providers-postgres==6.6.0
apache-airflow-providers-redis==4.4.2
apache-airflow-providers-sendgrid==4.2.1
apache-airflow-providers-sftp==5.7.0
apache-airflow-providers-slack==9.7.0
apache-airflow-providers-smtp==2.4.2
apache-airflow-providers-snowflake==6.10.0
apache-airflow-providers-ssh==4.3.1
apache-airflow-providers-standard==1.12.0
### Deployment
Official Apache Airflow Helm Chart
### Deployment details
We use the official Apache Airflow Helm chart, and the deployment target is our
own on-prem Kubernetes cluster.
### Anything else?
_No response_
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
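A stand-alone diagnostic for the role mapping described in the issue, added here as an example and not code from Airflow or the FAB provider: it resolves the roles a user would receive from the issue's AUTH_ROLES_MAPPING given the memberOf DNs returned by AD, falls back to AUTH_USER_REGISTRATION_ROLE when nothing matches, and lists mapping keys that differ from the AD values only by case or spacing. It assumes that mapping keys are compared to memberOf values by exact string match (a plain dict lookup); the helper names and the sample DNs are constructed.

```python
# Added diagnostic helper (assumption: not Airflow or FAB code). Resolves the
# roles a user would get from AUTH_ROLES_MAPPING for the memberOf DNs that AD
# returns, and reports mapping keys that only match those DNs loosely.
from typing import Dict, List, Set, Tuple

# Mapping copied from the issue's webserver_config.py.
AUTH_ROLES_MAPPING: Dict[str, List[str]] = {
    "CN=Admin,OU=Application,OU=Groups,OU=ITSC,DC=zone1,DC=xyz,DC=net": ["Admin"],
    "CN=app-abc,OU=Application,OU=Groups,OU=ITSC,DC=zone1,DC=xyz,DC=net": ["app_role___abc__"],
    "CN=app-def,OU=Application,OU=Groups,OU=ITSC,DC=zone1,DC=xyz,DC=net": ["app_role___def__"],
}
AUTH_USER_REGISTRATION_ROLE = "Viewer"


def _norm(dn: str) -> str:
    """Normalise a DN for loose comparison: lower-case, no blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def resolve_roles(member_of: List[str],
                  mapping: Dict[str, List[str]] = AUTH_ROLES_MAPPING,
                  fallback: str = AUTH_USER_REGISTRATION_ROLE) -> Set[str]:
    """Exact-string lookup of each memberOf DN in the mapping (assumed behaviour).

    Returns the union of mapped roles, or the registration role if none match.
    """
    roles: Set[str] = set()
    for dn in member_of:
        roles.update(mapping.get(dn, []))
    return roles or {fallback}


def loose_matches(member_of: List[str],
                  mapping: Dict[str, List[str]] = AUTH_ROLES_MAPPING) -> List[Tuple[str, str]]:
    """(ad_dn, mapping_dn) pairs equal after normalisation but not byte-for-byte.

    Exact lookup skips these, so each pair points at a mapping key to correct to
    the exact string AD returns.
    """
    by_norm = {_norm(key): key for key in mapping}
    return [(dn, by_norm[_norm(dn)]) for dn in member_of
            if dn not in mapping and _norm(dn) in by_norm]


if __name__ == "__main__":
    # Constructed sample memberOf values: one exact, one differing only in case.
    sample = ["CN=app-abc,OU=Application,OU=Groups,OU=ITSC,DC=zone1,DC=xyz,DC=net",
              "cn=app-def,ou=Application,ou=Groups,ou=ITSC,dc=zone1,dc=xyz,dc=net"]
    print(resolve_roles(sample))   # {'app_role___abc__'}
    print(loose_matches(sample))   # one pair for the lower-cased app-def DN
```

Run it with the memberOf values taken from the user's actual AD entry (for example from the LDAP search output logged at login) to confirm each expected group resolves to a role rather than to the Viewer fallback.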