search

aws / amazon-mwaa-docker-images

Apache License 2.0
27 stars 11 forks source link

MWAA-specific `assumed-role/` prefix in Airflow usernames is not compatible with Airflow REST API #127

Open jaklan opened 3 months ago

jaklan commented 3 months ago

The issue is described in details here: https://github.com/apache/airflow/issues/39887

The most important parts are:

MWAA has announced that we can now use Airflow REST API. The goal is to use REST API Patch User to add/remove users' roles programmatically.

MWAA create username with a prefix of assumed-role/ for each user login. Example {username}: assumed-role/user1.

API Template URL: https://airflow.apache.org/auth/fab/v1/users/assumed_role/{username} Actual URL: https://airflow.apache.org/auth/fab/v1/users/assumed_role/assumed-role/user1

As we call the Airflow REST API https://airflow.apache.org/auth/fab/v1/users/assumed_role/assumed-role/user1 , it will show below error:

{
"detail": "The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.",
"status": 404,
"title": "Not Found",
"type": "about:blank"
}

and:

Hi @Taragolis , yes, I tried to pass in as assumed-role%2Fuser1 but it still parse as / in the url and produce the same error as above

As mentioned in the original issue by @uranusjr:

IIRC this is a restriction in WSGI and shared by many Python web frameworks, including Flask (backing Airflow) https://github.com/pallets/flask/issues/900

There’s probably no good way to resolve this from the webserver level.

That's why I think the simplest solution to mitigate this problem is to simply remove the slash from Airflow usernames and use any other character instead. Alternatively (and even more welcome) - allow the prefix to be configured.

jaklan commented 3 months ago

It won't be fix on the Airflow side: https://github.com/apache/airflow/issues/39887#issuecomment-2273106265 so we definitely need a fix in MWAA

mayushko26 commented 1 month ago

Thanks for raising this issue. I will look into this.

mayushko26 commented 3 weeks ago

The MWAA team has reviewed this issue, and is something we are taking actively steps to resolve, but cannot currently provide an ETA.

jaklan commented 3 weeks ago

@mayushko26 Thank you for the answer, great to hear! I understand you can't provide exact ETA, but is there at least any estimation like "~month", "~quarter", "~half a year", "~year"?

mayushko26 commented 3 weeks ago

Tentatively, a quarter. Please note this isn't a firm commitment. I will however make sure to update this thread if any significant changes come up.