Upgrade FAB to 4.3.0

[potiuk]

FAB 4.3.0 added rate limiting and we would like to upgrade to this version.

This requires to bring some of the changes from the PRs merged in Flask App Builder:

• feat: Add rate limiter dpgaspar/Flask-AppBuilder#1976
• fix: auth rate limit docs and default rate dpgaspar/Flask-AppBuilder#1997
• fix: disable rate limit by default dpgaspar/Flask-AppBuilder#1999

While Flask App Builder disabled rate limitig by default, Airlfow is "end product" using it and we decided to enable it.

---

^ Add meaningful description above

Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in newsfragments.

[potiuk]

This one attempts to sync the changes in FAB 4.3.0 including @bolkedebruin rate limiter.

I think as an "end product" we should have rate limiting enabled by default, but would love your comments.

As usual, I am not fully confident if this is all that we need because there are some parts of FAB security manager that we do not have at all in our updated copy - so I would appreciate any comments review there. Also it would be great to test if rate limiting actually works as expected (I assume you had some manual testing done for that @bolkedebruin, so maybe you could try it as well (as long as we pass all the tests).

Any other comments there - I'd love to hear them.

[potiuk]

Nice ... It seems our unit tests are failing now because .... rate limit has been exceeded :)

[2023-02-25T17:21:02.852+0000] {extension.py:981} INFO - ratelimit 10 per 20 second (127.0.0.1) exceeded at endpoint: AuthDBView.login

[potiuk]

I think all the tests should pass now.

[potiuk]

Yep. Ready for tests/review. Also added specific test for rate_limiting

[potiuk]

Not sure why this one is here, but it is one of the things the AppBuilder in FAB has comparing to us cc: @bolkedebruin - maybe you know how RATELIMIT_ENABLED relates to AUTH_RATE_LIMITED?

[potiuk]

cc: @dpgaspar ?

[dpgaspar]

If I'm not mistaken, RATELIMIT_ENABLED will broadly enable rate limit since it can be added on ModelRestApi classes and AUTH_RATE_LIMITED will need RATELIMIT_ENABLED and add it to the auth views

[potiuk]

I figured those would be good defaults.

[potiuk]

I don't think we expose that view as we are not exposing other views, but I added it anyway.

[potiuk]

Also tested it manually:

BTW. Not sure if you are aware @bolkedebruin (@dpgaspar) that rate limiting implemented currently is "per gunicorn process" not per "webserver" - so if you have say 3 gunicorn processes, really the limit you get (assuming random request distribution) is 3 x higher on average.

[potiuk]

Anyone ? @bolkedebruin

[dpgaspar]

If I'm not mistaken, RATELIMIT_ENABLED will broadly enable rate limit since it can be added on ModelRestApi classes and AUTH_RATE_LIMITED will need RATELIMIT_ENABLED and add it to the auth views

[dpgaspar]

Also tested it manually:

BTW. Not sure if you are aware @bolkedebruin (@dpgaspar) that rate limiting implemented currently is "per gunicorn process" not per "webserver" - so if you have say 3 gunicorn processes, really the limit you get (assuming random request distribution) is 3 x higher on average.

Was not aware but makes perfect sense, to rate limit globally a web farm with multiple web servers with multiple gunicorn processes you can use RATELIMIT_STORAGE_URI with redis for example.

More useful settings can be made for rate limiting based on username, host etc can be found here: https://flask-limiter.readthedocs.io/en/stable/configuration.html

Will Airflow allow admin's to tune these settings also?

[potiuk]

Will Airflow allow admin's to tune these settings also?

It might make sense to add ANY flask configuration (that would indeed be useful). I will take a look

[potiuk]

If I'm not mistaken, RATELIMIT_ENABLED will broadly enable rate limit since it can be added on ModelRestApi classes and AUTH_RATE_LIMITED will need RATELIMIT_ENABLED and add it to the auth views

Yep. I linked those two in Airflow configuration now.

Was not aware but makes perfect sense, to rate limit globally a web farm with multiple web servers with multiple gunicorn processes you can use RATELIMIT_STORAGE_URI with redis for example.

More useful settings can be made for rate limiting based on username, host etc can be found here: https://flask-limiter.readthedocs.io/en/stable/configuration.html

Will Airflow allow admin's to tune these settings also?

I've added more details and documenation on how to configure those. It's possible - the same way as authentication (via webserver_config.py) - but it was not "explicitly" stated in the docs (the docs only mentioned that you can configure authentication options this way, but not any other flask plugin. I made it explicitly documented and I also added a separate section for "rate limiting" explaining the (a little unexpected) default behaviour where each gunicorn process has their own limit and explained how the users could configure storage to achieve shared limits.

I think that one is ready for final review.

[bolkedebruin]

Sorry about not seeing this @potiuk ping me on slack (next time) if you want me to take a look, you know my email count ;-)

[potiuk]

No worries. I got good support from @dpgaspar