Pranaykarvi opened a new pull request, #64539:
URL: https://github.com/apache/airflow/pull/64539
Fixes #64533
## Problem
When `AUTH_LDAP` is used with `AUTH_ROLES_SYNC_AT_LOGIN=True` and
`AUTH_USER_REGISTRATION=True`, users intermittently receive `403 Forbidden`
errors even though they have the correct AD group membership and role
mappings.
Logging out and back in (sometimes multiple attempts) resolves the issue.
This affects both the Airflow UI and REST API.
## Root Cause
After `AUTH_ROLES_SYNC_AT_LOGIN` triggers a role sync on login, the
in-memory user object retains a stale cached permissions set (`_perms`).
Any authorization check that runs immediately after login — before the
cached permissions are rebuilt — uses the old (possibly empty or incomplete)
permission set, resulting in a spurious 403.
Since UI login and REST API basic auth both go through `auth_user_ldap`
(confirmed in `basic_auth.py` and `fab_auth_manager.py`), both surfaces
are affected.
## Fix
- Invalidate the `_perms` cache on the user object immediately after
`AUTH_ROLES_SYNC_AT_LOGIN` syncs roles, so the next permission check
rebuilds from the freshly committed DB state.
- Invalidate `_perms` inside `update_user()` after the DB commit, as a
general safeguard for any user update path.
- Refresh the authenticated LDAP user object before returning from
`auth_user_ldap`, ensuring the returned user reflects the latest role
state.
## Files Changed
| File | Change |
|------|--------|
| `providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py` | Cache invalidation after role sync and user update |
| `providers/fab/tests/unit/fab/auth_manager/security_manager/test_override.py` | Regression test: `test_update_user_clears_cached_permissions` |
## Testing
- Added regression test covering: user updated → `_perms` cache cleared →
immediate permission check uses fresh roles.
- Ran `ruff format` and `ruff check --fix` on all modified files — clean.
- Manual verification: intermittent 403 no longer reproducible after fix
with `AUTH_ROLES_SYNC_AT_LOGIN=True`.
## Checklist
- [x] My change has a meaningful commit message
- [x] I have added tests that prove my fix is effective
- [x] My code follows the project's code style (ruff passing)
- [x] I have linked the related issue (`#64533`)
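A constructed model of the stale-cache failure the PR above describes, and of the invalidate-after-sync fix, added here as an illustration; it is not FAB's or Airflow's code, and `ROLE_PERMS`, `User`, `sync_roles_at_login` and `login_then_check` are hypothetical names.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed role -> permission mapping (hypothetical, not Airflow's real names).
ROLE_PERMS = {
    "Viewer": {"can_read:Dag"},
    "Op": {"can_read:Dag", "can_edit:Dag"},
}


@dataclass
class User:
    username: str
    roles: list = field(default_factory=list)
    # Lazily built permission cache, mirroring the `_perms` attribute the PR talks about.
    _perms: Optional[set] = None

    @property
    def perms(self) -> set:
        # Rebuilt only while the cache is empty: once warmed, later role changes
        # are invisible unless something resets it. This is the staleness source.
        if self._perms is None:
            self._perms = set().union(*(ROLE_PERMS[r] for r in self.roles))
        return self._perms

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


def sync_roles_at_login(user: User, directory_roles: list, invalidate_cache: bool) -> User:
    """Model of AUTH_ROLES_SYNC_AT_LOGIN: replace the user's roles with the directory's.
    invalidate_cache=False reproduces the bug; True models the fix from the PR."""
    user.roles = list(directory_roles)
    if invalidate_cache:
        user._perms = None  # force the next check to rebuild from the synced roles
    return user


def login_then_check(invalidate_cache: bool) -> bool:
    """An earlier check warmed the cache with an empty role set; login then syncs
    roles and an authorization check runs immediately. Returns that check's result."""
    user = User("alice")
    user.has_perm("can_read:Dag")  # warms `_perms` with the empty role set
    sync_roles_at_login(user, ["Op"], invalidate_cache)
    return user.has_perm("can_read:Dag")  # stale cache -> False, i.e. a spurious 403


if __name__ == "__main__":
    print("without invalidation:", login_then_check(False))  # False
    print("with invalidation:   ", login_then_check(True))   # True
```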