search

apache / airflow

Apache Airflow - A platform to programmatically author, schedule, and monitor workflows
https://airflow.apache.org/
Apache License 2.0
35.21k stars 13.76k forks source link

Webserver logs not showing failed login attempts #40168

Open ooehlers opened 2 weeks ago

ooehlers commented 2 weeks ago

Apache Airflow version

2.9.2

If "Other Airflow 2 version" selected, which one?

No response

What happened?

When webserver logs are enabled they do not show failed login attempts. In the docker logs a message does flash by with the failed login attempt, but it does not get logged in the webserver log file.

What you think should happen instead?

Ideally within the webserver log file a HTTP response 401 gets logged that can be used with fail2ban

How to reproduce

In the configuration set an access_logfile under [webserver] try to login to the Web UI with invalid credentials. Take a look at the docker logs for the webserver and compare with the webserver log file. The line where the login fails is not in the webserver log file.

Operating System

Ubuntu 22.04

Versions of Apache Airflow Providers

No response

Deployment

Docker-Compose

Deployment details

No response

Anything else?

No response

Are you willing to submit PR?

Code of Conduct

boring-cyborg[bot] commented 2 weeks ago

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

tirkarthi commented 2 weeks ago

Related gunicorn issue https://github.com/benoitc/gunicorn/issues/1124 . gunicorn related logs only logs messages from gunicorn itself. The log message you are seeing comes from one of the files in fab provider and probably the relevant handler "gunicorn.error" needs to be added to the logger like below but I guess there should be a way to do it via config.

diff --git a/airflow/providers/fab/auth_manager/security_manager/override.py b/airflow/providers/fab/auth_manager/security_manager/override.py
index e617b8e846..28084adbfc 100644
--- a/airflow/providers/fab/auth_manager/security_manager/override.py
+++ b/airflow/providers/fab/auth_manager/security_manager/override.py
@@ -113,6 +113,7 @@ if TYPE_CHECKING:
     from airflow.auth.managers.base_auth_manager import ResourceMethod

 log = logging.getLogger(__name__)
+log.handlers.extend(logging.getLogger("gunicorn.error").handlers)
ooehlers commented 2 weeks ago

Thanks for the reply. ...So that does add the error line in the webserver log file as-is, but not quite in the same format as gunicorn does it, like: host - [datetime] - HTTP method - HTTP Response ...etc... Would doing that require a custom logging class or middleware or something ?