potiuk opened a new pull request, #66841:
URL: https://github.com/apache/airflow/pull/66841
## Summary
Upstream Flask-AppBuilder 5.2.1 was released to PyPI on **2026-04-09**
(commit `5dae8164` titled "release: 5.2.1"). The maintainer did not cut a
GitHub release / tag, which is why `gh api .../tags` still shows `v5.2.0` as
the latest. The release has three changes that matter for our vendored
`BaseSecurityManager`:
| Upstream change | Effect on Airflow |
|---|---|
| **PR #2450** — new `on_user_login` / `on_user_login_failed` /
`on_user_logout` no-op hooks; `update_user_auth_stat` now calls
`on_user_login{,_failed}`; `AuthView.logout` / SAML SLO call `on_user_logout` |
**Vendored** — `update_user_auth_stat` is in `override.py`, so the hook calls
must be mirrored or the hooks never fire in Airflow. This PR mirrors them. |
| **PR #2451** — `_is_user_detached` / `_get_safe_user` helpers;
`has_access` rewrite handling `DetachedInstanceError` on `g.user` (LocalProxy
or detached ORM) | Inherited automatically — `has_access` is not vendored in
`override.py`. No mirror needed. |
| **PR #2440** — security log redactions: OAuth tokens / responses no longer
logged at debug level | Inherited automatically — the redacted code paths are
not vendored. |
## Changes
1. `providers/fab/pyproject.toml` — bump `flask-appbuilder==5.2.0` →
`==5.2.1`
2.
`providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py`
— add no-op `on_user_login` / `on_user_login_failed` / `on_user_logout`
mirroring FAB's defaults; append the hook dispatch at the end of
`update_user_auth_stat` matching the upstream call order (after `update_user`,
so counters and `last_login` are persisted before the hook runs).
3.
`providers/fab/tests/unit/fab/auth_manager/security_manager/test_fab_alignment.py`
— bump `EXPECTED_FAB_VERSION` to `"5.2.1"`.
4. `uv.lock` — re-resolved.
`generated/provider_dependencies.json` and `providers/fab/docs/index.rst`
regenerated by prek.
## Validation
- `test_fab_alignment.py` — all 7 alignment tests pass with
`flask-appbuilder==5.2.1` installed (the test compares
`FabAirflowSecurityManagerOverride` against `BaseSecurityManager` from FAB).
- `providers/fab/tests/unit/fab/auth_manager/security_manager/` — all 39
unit tests pass.
## Note on the upstream PyJWT root cause
This PR builds on #66840 (parent branch `pin-pyjwt-in-fab-provider`), which
adds a defensive `pyjwt>=2.11.0` pin to `providers/fab/pyproject.toml` to keep
the FAB provider installable against older `airflow-core` releases. The actual
root cause is **in `flask-jwt-extended`, not FAB**:
- `flask_jwt_extended/tokens.py` does `from jwt.types import Options`, and
`jwt.types.Options` was first added in PyJWT 2.11.0
- `flask-jwt-extended` 4.7.3 (2026-05-08) bumped `requirements.txt` to
`PyJWT==2.12.1` but **did not** lift the floor in `setup.py::install_requires`,
which still reads `PyJWT>=2.0,<3.0`
- That gap means downstream consumers can resolve `flask-jwt-extended` 4.7.3
with PyJWT 2.10.x and still hit the broken import
A follow-up issue against `vimalloc/flask-jwt-extended` to lift their
distributed-package install_requires floor to `PyJWT>=2.11.0` would be the
cleanest long-term fix; until then, FAB's `PyJWT>=2.0.0,<3.0.0` pin is also too
permissive but matches `flask-jwt-extended`'s. Our airflow-side defensive pin
(#66840) closes the loop without waiting on either upstream.
## Test plan
- [ ] CI green on this branch
- [ ] `test_fab_alignment.py` passes in CI (it was the canary test we were
supposed to run on every FAB version bump per the comment at
`pyproject.toml:80`)
- [ ] Compat-3.0.6 matrix job collects providers/fab tests cleanly (the
original failure that motivated the parent PR)
related: #66840
---
##### Was generative AI tooling used to co-author this PR?
- [X] Yes — Claude Code (Opus 4.7)
Generated-by: Claude Code (Opus 4.7) following [the
guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
