5

I'm trying to trigger a new dag run via Airflow 2.0 REST API. If I am logged in to the Airflow webserver on the remote machine and I go to the swagger documentation page to test the API, the call is successful. If I log out or if the API call is sent through Postman or curl, then I get a 403 forbidden message. The same 403 error message is received in curl or postman whether I provide the web server username password or not.

curl -X POST --user "admin:blabla" "http://10.0.0.3:7863/api/v1/dags/tutorial_taskflow_api_etl/dagRuns" -H  "accept: application/json" -H  "Content-Type: application/json" -d "{\"conf\":{},\"dag_run_id\":\"string5\"}"
{
  "detail": null,
  "status": 403,
  "title": "Forbidden",
  "type": "https://airflow.apache.org/docs/2.0.0/stable-rest-api-ref.html#section/Errors/PermissionDenied"
}

The security for API has been changed to default, instead of deny_all (auth_backend = airflow.api.auth.backend.default). The installation of airflow has been done using pip using ubuntu 18 bionic. Dags are running fine if triggered manually or scheduled. The database backend is postgres.

Also tried copying the cookie details from Chrome into postman to get past this issue, but it did not work.

Here is the log on the web server for the two calls mentioned above.

airflowWebserver_container | 10.0.0.4 - - [05/Jan/2021:06:35:33 +0000] "POST /api/v1/dags/tutorial_taskflow_api_etl/dagRuns HTTP/1.1" 403 170 "http://10.0.0.3:7863/api/v1/ui/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
airflowWebserver_container | 10.0.0.4 - - [05/Jan/2021:06:35:07 +0000] "POST /api/v1/dags/tutorial_taskflow_api_etl/dagRuns HTTP/1.1" 409 251 "http://10.0.0.3:7863/api/v1/ui/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
Amit Singh
  • 2,875
  • 14
  • 30
Adeel Hashmi
  • 767
  • 1
  • 8
  • 20
  • If I go by how this has been said in the docs, `default` only works with experimental API. https://airflow.apache.org/docs/apache-airflow/stable/security/api.html#disable-authentication And you are trying to access the stable API, hence the 403. – Amit Singh Jan 05 '21 at 08:15
  • Thanks, @AmitSingh. I tried switching the experimental API on and then tested the API call. Still no difference. – Adeel Hashmi Jan 05 '21 at 09:22

4 Answers4

9

I am using basic_auth for Airflow v2.0. The AIRFLOW__API__AUTH_BACKEND environment variable should be set to airflow.api.auth.backend.basic_auth. You will have to restart the webserver container. Then you should be able to access all stable APIs using the cURL commands with --user option.

Shashank Khasare
  • 106
  • 3
2

In Airflow 2.0, There seems to be some bug.

If you set this auth configuration in airflow.cfg, it doesn't work.

auth_backend = airflow.api.auth.backend.basic_auth

But setting this as an environment variable works

AIRFLOW__API__AUTH_BACKEND: "airflow.api.auth.backend.basic_auth"

Kishore Bandi
  • 5,537
  • 2
  • 31
  • 52
1

Maybe also good to know:

You can only disable authentication for experimental API, not the stable REST API.

See: https://airflow.apache.org/docs/apache-airflow/stable/security/api.html#disable-authentication

Paul Bormans
  • 1,292
  • 16
  • 22
0

@AmitSingh was correct. Setting security to default only works with the experimental api. I changed the relevant configuration in airflow, restarted and added 'experimental' in the api path. Please see https://airflow.apache.org/docs/apache-airflow/stable/rest-api-ref.html

Adeel Hashmi
  • 767
  • 1
  • 8
  • 20