Pools have disappeared from the Admin menu

[csp33]

Apache Airflow version

2.9.0

If "Other Airflow 2 version" selected, which one?

No response

What happened?

Pools item is not shown in admin menu.

However, I can still access the interface entering the URL <webserver>/pool/list

My user has the Admin role

which can do everything related to Pools

What you think should happen instead?

Pools should be displayed in the Admin menu, just like before

How to reproduce

1. Install Airflow 2.9.0
2. Try to find Pools in the Admin menu.

Operating System

Airflow in Kubernetes

Versions of Apache Airflow Providers

No response

Deployment

Official Apache Airflow Helm Chart

Deployment details

Anything else?

We're using GitHub login.
In local (user/password login) the Pools option still appears in the Admin menu.

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[RNHTTR]

Is there anything unique about your environment? I'm able to see Admin -> Pools on 2.9.0

[csp33]

In production we're using the GitHub login.
In local (where we have the user/pwd login) I can still see the Pools menu 🤔

Added to the issue description, thanks!

[vargacypher]

We're facing the same problem reported by @csp33 , but not only with pools.
Sometimes we just see 'configuration' in admin tab, and sometimes it appers again all tabs (pools,variables etc...).

After navigating again for some tabs and come back to pool using directly URL, it apper again.

Obs: Webserver and Scheduller logs doesn't show any error that appers to be related with that.
We're using Airflow Locally on a dedicated server.

[potiuk]

Duplicate of #39135 - seems that it is some kind of race conndition when OAUTH/LDAP authentication is used - and likely related to the optimisation implemented in #36871 but could not find the reason yet. cc: @vincbeck

[potiuk]

In production we're using the GitHub login. In local (where we have the user/pwd login) I can still see the Pools menu 🤔

Added to the issue description, thanks!

What's your Github integration configuration @csp33 (Without secrets?) ?

[csp33]

In production we're using the GitHub login. In local (where we have the user/pwd login) I can still see the Pools menu 🤔
Added to the issue description, thanks!

What's your Github integration configuration @csp33 (Without secrets?) ?

This is my webserver_config.py :

        import os
        from typing import Dict, Any, List, Union

        from airflow.www.security import AirflowSecurityManager
        from flask_appbuilder import expose
        from flask_appbuilder.security.manager import AUTH_OAUTH
        from flask_appbuilder.security.views import AuthOAuthView

        AUTH_TYPE = AUTH_OAUTH
        AUTH_USER_REGISTRATION = True
        AUTH_USER_REGISTRATION_ROLE = "Viewer"
        PERMANENT_SESSION_LIFETIME = 1800


        OAUTH_PROVIDERS = [
            {
                "name": "github",
                "icon": "fa-github",
                "token_key": "access_token",
                "remote_app": {
                    "client_id": os.getenv("GITHUB_OAUTH_APP_ID"),
                    "client_secret": os.getenv("GITHUB_OAUTH_APP_SECRET"),
                    "api_base_url": "https://api.github.com",
                    "client_kwargs": {"scope": "read:user, read:org"},
                    "access_token_url": "https://github.com/login/oauth/access_token",
                    "authorize_url": "https://github.com/login/oauth/authorize",
                    "request_token_url": None,
                },
            },
        ]

        class CustomAuthRemoteUserView(AuthOAuthView):
            @expose("/logout/")
            def logout(self):
                """Delete access token before logging out."""
                return super().logout()


        class GithubAuthorizer(AirflowSecurityManager):
            authoauthview = CustomAuthRemoteUserView

            def get_oauth_user_info(
                    self, provider: str, resp: Any
            ) -> Dict[str, Union[str, List[str]]]:
                remote_app = self.appbuilder.sm.oauth_remotes[provider]
                me = remote_app.get("user")
                user_data = me.json()
                username = user_data["login"]

                try:
                    name_surname_list = user_data['name'].split(" ", 1)
                    first_name = name_surname_list[0]
                    last_name = name_surname_list[1]
                except Exception:
                    first_name = last_name = "unknown"

                return {
                    "username": username,
                    "email": user_data["email"],
                    "first_name": first_name,
                    "last_name": last_name,
                }

        SECURITY_MANAGER_CLASS = GithubAuthorizer

[potiuk]

Absolutely cannot reproduce - even with your settings:

Questions:

• How did you make your user "Admin" after it's been registered as user?
• Do you have more than one webserver instances running? Are you sure they are all restarted/upgraded to 2.9.0?
• Can you see (at least few times while you are seeing missing Admin menus) what are the users and their roles using airflow users list command (see below) - does it change?
• Is it possible that you have AUTH_SYNC_ROLES_AT_LOGIN = True set in all or some of your webservers ?
• Is it possible that you have two users created with different usernames like this ?

airflow users list

id | username      | email                        | first_name | last_name | roles       
===+===============+==============================+============+===========+=============
1  | github_potiuk | github_potiuk@email.notfound |            |           | Admin       
2  | potiuk        | jarek@potiuk.com             | Jarek      | Potiuk    | Viewer                                                                                      
```

[csp33]

Now the Pools option always appear, but the Variables, connections, etc. are the ones that randomly show when I refresh the page 😮

I have 2 webservers and in both I'm recognised as an Admin. The output is the same when I can see the options and when I can't.

In the profile page I can confirm that I'm logged in as admin

How did you make your user "Admin" after it's been registered as user?

I can't remember right now. Maybe I used the CLI to perform airflow users add-role. After that, all the roles have been granted from the List Users page.

Do you have more than one webserver instances running? Are you sure they are all restarted/upgraded to 2.9.0?

All of them are fresh pods using 2.9.0 image.

Can you see (at least few times while you are seeing missing Admin menus) what are the users and their roles using airflow users list command (see below) - does it change?

Command output is the same (see above)

Is it possible that you have AUTH_SYNC_ROLES_AT_LOGIN = True set in all or some of your webservers ?

No, that is not set anywhere

Is it possible that you have two users created with different usernames like this ?

Checked it and that doesn't happen

Thanks for the help!

[potiuk]

I think I found the reason (cc: @vincbeck). It required multiple users with different permissions using the same server gunicorn worker, that's why likely it was difficult to reproduce on dev server.

Fix here: #39229