Improve diagnostics message when users have secret_key misconfigured

Recently fixed log open-access vulnerability have caused quite a lot of questions and issues from the affected users who did not have webserver/secret_key configured for their workers (effectively leading to random value for those keys for workers) This PR explicitly explains the possible reason for the problem and encourages the user to configure their webserver's secret_key in both - workers and webserver. Related to: #17251 and a number of similar slack discussions.
apache · Aug 4, 2021 · d5d9413 · d5d9413
1 parent a10eb61
commit d5d9413
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/airflow/utils/log/file_task_handler.py b/airflow/utils/log/file_task_handler.py
@@ -22,6 +22,7 @@
 from typing import TYPE_CHECKING, Optional
 
 import httpx
+from httpx import HTTPStatusError
 from itsdangerous import TimedJSONWebSignatureSerializer
 
 from airflow.configuration import AirflowConfigException, conf
@@ -186,6 +187,11 @@ def _read(self, ti, try_number, metadata=None):
                 )
                 response.encoding = "utf-8"
 
+                if response.status_code == 403:
+                    log += "*** !!!! Please make sure that all your webservers and workers have" \
+                           " the same 'secret_key' configured in 'webserver' section !!!!!\n***"
+                    log += "*** See more at https://airflow.apache.org/docs/apache-airflow/" \
+                           "stable/configurations-ref.html#secret-key\n***"
                 # Check if the resource was properly fetched
                 response.raise_for_status()