
Fix FAB password hashing to respect FAB_PASSWORD_HASH_METHOD config#65735

Merged
vincbeck merged 1 commit into apache:main from srchilukoori:fix/fab-password-hash-method-ignored
Apr 27, 2026

Conversation

@srchilukoori
Contributor

@srchilukoori srchilukoori commented Apr 23, 2026

Description

FabAirflowSecurityManagerOverride contains three bare generate_password_hash(password) calls in reset_password, add_user, and add_register_user that ignore the FAB_PASSWORD_HASH_METHOD key in the Flask app config. On FIPS-compliant systems, operators set this config to an approved algorithm (e.g. pbkdf2:sha256) but the hardcoded calls bypass it, causing authentication failures.

The fix introduces a _hash_password() helper that reads FAB_PASSWORD_HASH_METHOD from current_app.config (defaulting to scrypt) and replaces all three call sites.

Fixes #65728

Changes

  • providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py: Add _hash_password(password) helper; replace 3 bare generate_password_hash(password) calls in reset_password, add_user, and add_register_user.
  • providers/fab/tests/unit/fab/auth_manager/test_security.py: Add 4 tests covering helper config-forwarding, scrypt fallback, and both callers.

Root Cause

# Before — method hardcoded to werkzeug default, ignores FAB_PASSWORD_HASH_METHOD
from werkzeug.security import generate_password_hash

user.password = generate_password_hash(password)

# After — reads FAB_PASSWORD_HASH_METHOD from app config
from flask import current_app
from werkzeug.security import generate_password_hash

def _hash_password(self, password: str) -> str:
    # Fall back to scrypt (werkzeug's own default) only when the key is unset
    method = current_app.config.get("FAB_PASSWORD_HASH_METHOD", "scrypt")
    return generate_password_hash(password, method=method)

user.password = self._hash_password(password)

Was generative AI tooling used to co-author this PR?
  • Yes (Claude)

  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.
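Two things an operator wants after reading the description above: the config-driven helper with a guard that refuses a non-approved method outright when the host is in FIPS mode, and a way to find stored hashes that were written under the old default before the config was honoured. The following is an added example, not code from this PR, from Airflow or from Werkzeug. It uses hashlib directly so it runs without Flask or Werkzeug installed; the plain dict `config` stands in for `current_app.config`, the `FIPS_MODE` key and `FIPS_APPROVED_FAMILIES` list are constructed for the example, and the `method$salt$hexdigest` layout and parameter defaults are assumed to follow Werkzeug 3.x rather than taken from it.

```python
import hashlib
import hmac
import secrets
import string

# Constructed policy for the example: hash families acceptable when the host
# runs in FIPS mode. Not a Werkzeug or Airflow constant; the FIPS validation
# of your OpenSSL build is what actually decides.
FIPS_APPROVED_FAMILIES = ("pbkdf2",)

# Werkzeug's default when no method is given (and the fallback in the PR's helper).
DEFAULT_METHOD = "scrypt"


def _gen_salt(length: int = 16) -> str:
    """Random alphanumeric salt, in the style of werkzeug.security.gen_salt."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _digest(method: str, salt: str, password: str) -> tuple[str, str]:
    """Hash `password` with one method spec. Returns (normalized method, hex digest).

    Parameter defaults (600000 PBKDF2 iterations; scrypt n=32768, r=8, p=1) are
    assumed to match Werkzeug 3.x; check them against the version you run.
    """
    parts = method.split(":")
    if parts[0] == "pbkdf2":
        hash_name = parts[1] if len(parts) > 1 else "sha256"
        iterations = int(parts[2]) if len(parts) > 2 else 600_000
        raw = hashlib.pbkdf2_hmac(hash_name, password.encode(), salt.encode(), iterations)
        return f"pbkdf2:{hash_name}:{iterations}", raw.hex()
    if parts[0] == "scrypt":
        n, r, p = (int(x) for x in parts[1:4]) if len(parts) == 4 else (32768, 8, 1)
        raw = hashlib.scrypt(password.encode(), salt=salt.encode(), n=n, r=r, p=p,
                             maxmem=132 * n * r * p, dklen=64)
        return f"scrypt:{n}:{r}:{p}", raw.hex()
    raise ValueError(f"unsupported password hash method: {method}")


def is_method_allowed(method: str, config: dict) -> bool:
    """Policy gate: in FIPS mode only approved families may be used.

    `FIPS_MODE` is a constructed config key for this example; on a real host the
    signal is whether the OpenSSL build is FIPS-validated.
    """
    if not config.get("FIPS_MODE"):
        return True
    return method.split(":")[0] in FIPS_APPROVED_FAMILIES


def hash_password(password: str, config: dict) -> str:
    """Config-driven hasher following the pattern of the PR's _hash_password(),
    with `config` standing in for current_app.config."""
    method = config.get("FAB_PASSWORD_HASH_METHOD", DEFAULT_METHOD)
    if not is_method_allowed(method, config):
        raise ValueError(f"{method!r} is not permitted while FIPS_MODE is set")
    salt = _gen_salt()
    normalized, digest = _digest(method, salt, password)
    return f"{normalized}${salt}${digest}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the method and salt recorded in the stored string."""
    method, salt, digest = stored.split("$", 2)
    _, candidate = _digest(method, salt, password)
    return hmac.compare_digest(candidate, digest)


def hash_family(stored: str) -> str:
    """'scrypt' or 'pbkdf2' from a stored hash's prefix (no verification needed)."""
    return stored.split("$", 1)[0].split(":")[0]


def audit_hashes(stored: dict[str, str], config: dict) -> list[str]:
    """Users whose stored hash family differs from the configured method's family.

    After switching FAB_PASSWORD_HASH_METHOD these accounts still carry hashes
    made by the old default and will fail to verify on a FIPS host until reset.
    """
    wanted = config.get("FAB_PASSWORD_HASH_METHOD", DEFAULT_METHOD).split(":")[0]
    return sorted(user for user, h in stored.items() if hash_family(h) != wanted)


if __name__ == "__main__":
    fips_cfg = {"FAB_PASSWORD_HASH_METHOD": "pbkdf2:sha256", "FIPS_MODE": True}
    h = hash_password("correct horse", fips_cfg)
    print(h.split("$")[0], verify_password(h, "correct horse"))
    # Constructed sample of an ab_user table after the config change: alice was
    # created while the scrypt default was still in force, bob after the switch.
    users = {"alice": hash_password("a", {}), "bob": h}
    print("need reset:", audit_hashes(users, fips_cfg))
```

The stored string records the method, and verification recomputes with that method, so merely changing FAB_PASSWORD_HASH_METHOD does not repair accounts hashed under the old default; the PR only changes how new hashes are written. Run `audit_hashes` over the stored password column after the switch, and reset the password of every user it lists before expecting them to log in on a FIPS host.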

@srchilukoori srchilukoori requested a review from vincbeck April 23, 2026 18:29
@vincbeck
Contributor

CI is failing

@srchilukoori srchilukoori force-pushed the fix/fab-password-hash-method-ignored branch 2 times, most recently from e7adb2d to e78a7ad on April 23, 2026 22:59
@srchilukoori srchilukoori force-pushed the fix/fab-password-hash-method-ignored branch from e78a7ad to 594130d on April 25, 2026 03:24
@srchilukoori
Contributor Author

@vincbeck please merge the PR. Thank you.

@potiuk potiuk added the "ready for maintainer review" label (Set after triaging when all criteria pass.) Apr 27, 2026
@vincbeck vincbeck merged commit c50210e into apache:main Apr 27, 2026
89 checks passed

Labels

area:providers, provider:fab, ready for maintainer review (Set after triaging when all criteria pass.)


Development

Successfully merging this pull request may close these issues.

[Bug] CLI airflow users create ignores FAB_PASSWORD_HASH_METHOD and fails on FIPS systems (Werkzeug 3.0+)

3 participants