Fix race condition in auth manager initialization #62431
vincbeck merged 3 commits into apache:main from
jason810496
left a comment
Hi @kimyoungi99, thanks for raising the PR again!
Would you mind starting Airflow locally to verify the system behavior, in case the situation described in #62404 happens again?
If you haven’t installed Breeze yet, you can run: uv tool install -e ./dev/breeze --force
Then run: breeze start-airflow --mount-sources providers-and-tests --auth-manager FabAuthManager to verify that the updated FabAuthManager and FastAPI app work as expected.
Thanks!
Hi @jason810496, thanks for the suggestion! I ran Sequential requests — all working correctly:
Concurrent requests — while testing concurrent FAB + Core requests, I discovered an additional race condition in Added a new commit (
Do you mind fixing the conflicts so we can merge this?
…races FAB FastAPI routes call get_application_builder() on every request, which creates a new Flask app and invokes init_app(). Concurrent calls race on the singleton auth_manager's appbuilder and security_manager, causing KeyError: 'AUTH_USER_REGISTRATION' and AttributeError. Add _init_app_lock around the critical section in init_app() that mutates the singleton auth_manager state and registers views, so concurrent get_application_builder() calls are serialized.
The CI failure doesn’t seem to be related to your changes, so I’ll rerun it 🙂
Unrelated indeed, merging
Backport failed to create: v3-1-test. View the failure log Run details
Note: As of Merging PRs targeted for Airflow 3.X In matter of doubt please ask in #release-management Slack channel.
You can attempt to backport this manually by running: cherry_picker 281cdab v3-1-test
This should apply the commit to the v3-1-test branch and leave the commit in conflict state marking
After you have resolved the conflicts, you can continue the backport process by running: cherry_picker --continue
If you don't have cherry-picker installed, see the installation guide.
@vincbeck probably needs a manual backport in case you have bandwidth to do that.
Sure!
Closes #61108
This is a follow-up to #62214 (reverted in #62404).
Problem
Concurrent requests to /auth/token cause intermittent 500 errors:
create_auth_manager() creates a new instance on every call. Under concurrent requests, one thread overwrites _AuthManagerState.instance while another's is still initializing.
Previous approach (#62214) and why it was reverted
The previous fix added purge_cached_app() in get_application_builder(), but that function is called at runtime by FAB FastAPI routes (login, user/role management). Clearing the singleton on every call broke subsequent core API requests with KeyError: 'AUTH_USER_REGISTRATION'.
This fix
- create_auth_manager(): Double-checked locking with isinstance validation — creates the singleton once, replaces it only when the auth manager class changes (e.g. SimpleAuthManager → FabAuthManager).
- init_appbuilder.py: Clears security_manager @cached_property when init_app() is called with a new Flask app, so _init_config() runs against the current app context.
No changes to get_application_builder() or test fixtures.
Testing
Added test_create_auth_manager_thread_safety — verifies singleton behavior under 10 concurrent threads.
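
The pattern named in the description above, double-checked locking with an isinstance check, shown beside the unlocked behaviour it replaces. This is an added example, not code from the PR or from Airflow: the manager classes, `create_unlocked`, `create_locked` and `run_concurrently` are simplified stand-ins, and only the `_AuthManagerState` name is borrowed from the PR text.

```python
# Added example: simplified stand-ins, not Airflow's classes or functions.
import threading
import time


class BaseAuthManager:
    """Stand-in auth manager whose construction is slow enough to expose races."""

    created = 0  # total constructions, across all subclasses
    _count_lock = threading.Lock()

    def __init__(self):
        time.sleep(0.01)  # simulate expensive initialization
        with BaseAuthManager._count_lock:
            BaseAuthManager.created += 1


class SimpleAuthManager(BaseAuthManager):
    pass


class FabAuthManager(BaseAuthManager):
    pass


class _AuthManagerState:
    """Process-wide holder for the singleton (name taken from the PR text)."""

    instance = None
    lock = threading.Lock()


def create_unlocked(cls):
    """New instance on every call: concurrent callers overwrite each other."""
    inst = cls()
    _AuthManagerState.instance = inst
    return inst


def create_locked(cls):
    """Double-checked locking with an isinstance check on the cached object."""
    inst = _AuthManagerState.instance
    if isinstance(inst, cls):  # first check: lock-free fast path
        return inst
    with _AuthManagerState.lock:
        inst = _AuthManagerState.instance
        if not isinstance(inst, cls):  # second check: another thread may have won
            inst = cls()
            _AuthManagerState.instance = inst
        return inst


def run_concurrently(factory, cls, n=10):
    """Call factory(cls) from n threads at once.

    Returns (distinct instances handed out, constructor runs).
    """
    _AuthManagerState.instance = None
    BaseAuthManager.created = 0
    barrier = threading.Barrier(n)
    results = [None] * n

    def worker(i):
        barrier.wait()  # release all threads together
        results[i] = factory(cls)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len({id(r) for r in results}), BaseAuthManager.created


if __name__ == "__main__":
    print("unlocked:", run_concurrently(create_unlocked, FabAuthManager))
    print("locked:  ", run_concurrently(create_locked, FabAuthManager))
    fab = create_locked(FabAuthManager)
    simple = create_locked(SimpleAuthManager)  # class changed: replaced once
    print("replaced on class change:", simple is not fab)
```

Because the check is `isinstance`, a cached instance of a subclass also satisfies a request for its parent class; the stand-in classes here are siblings, so a change of class always replaces the instance.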