MWAA-specific `assumed-role/` prefix in Airflow usernames is not compatible with Airflow REST API

[jaklan]

The issue is described in details here: https://github.com/apache/airflow/issues/39887

The most important parts are:

MWAA has announced that we can now use Airflow REST API. The goal is to use REST API Patch User to add/remove users' roles programmatically.

MWAA create username with a prefix of assumed-role/ for each user login. Example {username}: assumed-role/user1.

API Template URL: https://airflow.apache.org/auth/fab/v1/users/assumed_role/{username} Actual URL: https://airflow.apache.org/auth/fab/v1/users/assumed_role/assumed-role/user1

As we call the Airflow REST API https://airflow.apache.org/auth/fab/v1/users/assumed_role/assumed-role/user1 , it will show below error:

{
"detail": "The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.",
"status": 404,
"title": "Not Found",
"type": "about:blank"
}

and:

Hi @Taragolis , yes, I tried to pass in as assumed-role%2Fuser1 but it still parse as / in the url and produce the same error as above

As mentioned in the original issue by @uranusjr:

IIRC this is a restriction in WSGI and shared by many Python web frameworks, including Flask (backing Airflow) https://github.com/pallets/flask/issues/900

There’s probably no good way to resolve this from the webserver level.

That's why I think the simplest solution to mitigate this problem is to simply remove the slash from Airflow usernames and use any other character instead. Alternatively (and even more welcome) - allow the prefix to be configured.

[jaklan]

It won't be fix on the Airflow side: https://github.com/apache/airflow/issues/39887#issuecomment-2273106265 so we definitely need a fix in MWAA