Merged
Conversation
cruseakshay
force-pushed
the
fix/fab-pending-rollback-session-cleanup
branch
2 times, most recently
from
c2912c7 to
45bb04d
Compare
vincbeck
reviewed
Feb 19, 2026
cruseakshay
force-pushed
the
fix/fab-pending-rollback-session-cleanup
branch
from
157560c to
c650489
Compare
Co-authored-by: Cursor <cursoragent@cursor.com>
cruseakshay
force-pushed
the
fix/fab-pending-rollback-session-cleanup
branch
from
c650489 to
2b18fa6
Compare
vincbeck
approved these changes
Feb 19, 2026
|
This fix is not working for me. apache-airflow = 3.1.7 Downgrade |
Contributor
I don't think there is a release with this fix yet. I did a fix related to 3.3.0 and we needed this PR and that for full fix of FAB issues in 3.3.0, but as such we need a new release to use them afaik |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When using FAB auth manager, a database connection drop (e.g. PostgreSQL's
idle_in_transaction_session_timeout) causes the API server to return HTTP 500on every subsequent request until it is restarted.
The cascade happens in the JWT auth path hit on every authenticated request:
JWTRefreshMiddleware→resolve_user_from_token→deserialize_userdeserialize_useruses FAB's scoped session (self.appbuilder.session). When aconnection dies, SQLAlchemy raises
OperationalErroron the first request andleaves the session in an invalid state. All following requests reuse the same
poisoned thread-local session and raise
PendingRollbackError.This is distinct from the WSGI Flask-view path fixed in #61480 and the
load_userpath fixed in #61943 — those do not cover the JWT tokendeserialization path.
Solution
Catch
SQLAlchemyErrorindeserialize_user, callsession.remove()todiscard the poisoned scoped session, and re-raise the original exception.
The next request gets a fresh connection from the pool and succeeds.
session.remove()is wrapped incontextlib.suppress(Exception)so a failureduring cleanup can never mask the original database error.
discovered) — behaviour is unchanged.
Testing
test_db_error_calls_session_remove— parametrized overOperationalErrorand
PendingRollbackError: verifiessession.remove()is called on each.test_db_error_propagates_when_session_remove_raises— verifies the originalSQLAlchemyErroris always what propagates, even whensession.remove()itselfthrows.
Fixes #61761 | #61518
Related to #61480, #61943