Reputation: 447
Access Forbidden while accessing log in airflow with CeleryExecutor
I'm trying to deploy Airflow on kubernetes (on Azure Kubernetes Service) with the celery Executor. However, once a task is done, I get the following error while trying to access its logs:
*** Log file does not exist: /opt/airflow/logs/maintenance/clean_events/2021-08-23T14:46:18.953030+00:00/1.log
*** Fetching from: http://airflow-worker-0.airflow-worker.airflow.svc.cluster.local:8793/log/maintenance/clean_events/2021-08-23T14:46:18.953030+00:00/1.log
*** Failed to fetch log file from worker. 403 Client Error: FORBIDDEN for url: http://airflow-worker-0.airflow-worker.airflow.svc.cluster.local:8793/log/maintenance/clean_events/2021-08-23T14:46:18.953030+00:00/1.log
For more information check: https://httpstatuses.com/403
my charts.yaml is pretty simple
---
airflow:
image:
repository: myrepo.azurecr.io/maintenance-scripts
tag: latest
pullPolicy: Always
pullSecret: "secret"
executor: CeleryExecutor
config:
AIRFLOW__CORE__LOAD_EXAMPLES: "True"
AIRFLOW__KUBERNETES__DELETE_WORKER_PODS: "False"
users:
- username: admin
password: password
role: Admin
email: [email protected]
firstName: admin
lastName: admin
rbac:
create: true
serviceAccount:
create: true
#postgresql:
# enabled: true
workers:
enabled: true
redis:
enabled: true
flower:
enabled: false
global:
postgresql: {
storageClass: managed
}
persistence:
fixPermissions: true
storageClassName: managed
I have not been able to fix this, and it seems to be the most basic conf you can use on airflow, anyone knows where this could come from ?
Thanks a lot
Upvotes: 3
Views: 3999
Answers (2)
Reputation: 314
You need to set the airflow webserver secret key in your yaml file. In your case it will be something like this
airflow:
...
config:
AIRFLOW__WEBSERVER__SECRET_KEY: ${AIRFLOW__WEBSERVER__SECRET_KEY:-some_dummy_key}
Don't forget to set this env variable AIRFLOW__WEBSERVER__SECRET_KEY in your .env file or envrironment else the default "some_dummy_key" will be used
Upvotes: 0
Reputation: 20097
You need to have the same webserver secret configured for both webserver and workers: https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#secret-key
It's been recently fixed as potential security vulnerability - now you need to know the secret key to be able to retrieve logs (it was unauthenticated before).
Upvotes: 4
Related Questions
- Errno 13 Permission denied when Airflow tries to write to logs
- Airflow Kubernetes Executor logs
- Airflow scheduler crashing: AttributeError: 'CeleryKubernetesExecutor' object has no attribute 'send_callback'
- Airflow on Kubernetes: Errno 13 - Permission denied: '/opt/airflow/logs/scheduler
- Airflow on kubernetes cannot fetch logs
- Airflow KubernetesExecutor, logs do not show up in UI until after executor pods complete
- How to set Airflow scheduler log file mode/permissions
- Airflow log file Permission denied
- Airflow: Unable to get persistent logs using KubernetesExecutor and PV (official helm chart)
- Unable to execute Airflow KubernetesExecutor