Remove auth backends from core Airflow

Dockerfile.ci

@@ -1017,7 +1017,6 @@ function start_api_server_with_examples(){
         return
     fi
     export AIRFLOW__CORE__LOAD_EXAMPLES=True
-    export AIRFLOW__API__AUTH_BACKENDS=airflow.providers.fab.auth_manager.api.auth.backend.session,airflow.providers.fab.auth_manager.api.auth.backend.basic_auth
     export AIRFLOW__WEBSERVER__EXPOSE_CONFIG=True
     echo
     echo "${COLOR_BLUE}Initializing database${COLOR_RESET}"

airflow/api/client/__init__.py

@@ -19,20 +19,8 @@
 
 from __future__ import annotations
 
-from airflow import api
 from airflow.api.client.local_client import Client
 
 
 def get_current_api_client() -> Client:
-    """Return current API Client based on current Airflow configuration."""
-    auth_backends = api.load_auth()
-    session = None
-    for backend in auth_backends:
-        session_factory = getattr(backend, "create_client_session", None)
-        if session_factory:
-            session = session_factory()
-        api_client = Client(
-            auth=getattr(backend, "CLIENT_AUTH", None),
-            session=session,
-        )
-    return api_client
+    return Client()

airflow/config_templates/config.yml

@@ -1380,15 +1380,6 @@ api:
       type: string
       example: ~
       default: ""
-    auth_backends:
-      description: |
-        Comma separated list of auth backends to authenticate users of the API. See
-        `Security: API
-        <https://airflow.apache.org/docs/apache-airflow/stable/security/api.html>`__ for possible values
-      version_added: 2.3.0
-      type: string
-      example: ~
-      default: "airflow.providers.fab.auth_manager.api.auth.backend.session"
     maximum_page_limit:
       description: |
         Used to set the maximum page limit for API requests. If limit passed as param

airflow/configuration.py

@@ -375,13 +375,6 @@ def inversed_deprecated_sections(self):
                 "3.0",
             ),
         },
-        "api": {
-            "auth_backends": (
-                re2.compile(r"^airflow\.api\.auth\.backend\.deny_all$|^$"),
-                "airflow.providers.fab.auth_manager.api.auth.backend.session",
-                "3.0",
-            ),
-        },
         "elasticsearch": {
             "log_id_template": (
                 re2.compile("^" + re2.escape("{dag_id}-{task_id}-{logical_date}-{try_number}") + "$"),
@@ -675,35 +668,9 @@ def validate(self):
                         version=version,
                     )
 
-        self._upgrade_auth_backends()
         self._upgrade_postgres_metastore_conn()
         self.is_validated = True
 
-    def _upgrade_auth_backends(self):
-        """
-        Ensure a custom auth_backends setting contains session.
-
-        This is required by the UI for ajax queries.
-        """
-        old_value = self.get("api", "auth_backends", fallback="")
-        if "airflow.providers.fab.auth_manager.api.auth.backend.session" not in old_value:
-            new_value = old_value + ",airflow.providers.fab.auth_manager.api.auth.backend.session"
-            self._update_env_var(section="api", name="auth_backends", new_value=new_value)
-            self.upgraded_values[("api", "auth_backends")] = old_value
-
-            # if the old value is set via env var, we need to wipe it
-            # otherwise, it'll "win" over our adjusted value
-            old_env_var = self._env_var_name("api", "auth_backend")
-            os.environ.pop(old_env_var, None)
-
-            warnings.warn(
-                "The auth_backends setting in [api] missed airflow.providers.fab.auth_manager.api.auth.backend.session "
-                "in the running config, which is needed by the UI. Please update your config before "
-                "Apache Airflow 3.0.",
-                FutureWarning,
-                stacklevel=1,
-            )
-
     def _upgrade_postgres_metastore_conn(self):
         """
         Upgrade SQL schemas.

airflow/providers_manager.py

@@ -422,7 +422,6 @@ def __init__(self):
         self._secrets_backend_class_name_set: set[str] = set()
         self._executor_class_name_set: set[str] = set()
         self._provider_configs: dict[str, dict[str, Any]] = {}
-        self._api_auth_backend_module_names: set[str] = set()
         self._trigger_info_set: set[TriggerInfo] = set()
         self._notification_info_set: set[NotificationInfo] = set()
         self._provider_schema_validator = _create_provider_info_schema_validator()
@@ -574,12 +573,6 @@ def _initialize_providers_configuration(self):
 
         conf.load_providers_configuration()
 
-    @provider_info_cache("auth_backends")
-    def initialize_providers_auth_backends(self):
-        """Lazy initialization of providers API auth_backends information."""
-        self.initialize_providers_list()
-        self._discover_auth_backends()
-
     @provider_info_cache("plugins")
     def initialize_providers_plugins(self):
         self.initialize_providers_list()
@@ -1096,14 +1089,6 @@ def _discover_secrets_backends(self) -> None:
                     if _correctness_check(provider_package, secrets_backends_class_name, provider):
                         self._secrets_backend_class_name_set.add(secrets_backends_class_name)
 
-    def _discover_auth_backends(self) -> None:
-        """Retrieve all API auth backends defined in the providers."""
-        for provider_package, provider in self._provider_dict.items():
-            if provider.data.get("auth-backends"):
-                for auth_backend_module_name in provider.data["auth-backends"]:
-                    if _correctness_check(provider_package, auth_backend_module_name + ".init_app", provider):
-                        self._api_auth_backend_module_names.add(auth_backend_module_name)
-
     def _discover_executors(self) -> None:
         """Retrieve all executors defined in the providers."""
         for provider_package, provider in self._provider_dict.items():
@@ -1237,12 +1222,6 @@ def secrets_backend_class_names(self) -> list[str]:
         self.initialize_providers_secrets_backends()
         return sorted(self._secrets_backend_class_name_set)
 
-    @property
-    def auth_backend_module_names(self) -> list[str]:
-        """Returns set of API auth backend class names."""
-        self.initialize_providers_auth_backends()
-        return sorted(self._api_auth_backend_module_names)
-
     @property
     def executor_class_names(self) -> list[str]:
         self.initialize_providers_executors()
@@ -1296,7 +1275,6 @@ def _cleanup(self):
         self._secrets_backend_class_name_set.clear()
         self._executor_class_name_set.clear()
         self._provider_configs.clear()
-        self._api_auth_backend_module_names.clear()
         self._trigger_info_set.clear()
         self._notification_info_set.clear()
         self._plugins_set.clear()

dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py

@@ -1025,8 +1025,6 @@ def _deploy_helm_chart(
             "-v",
             "1",
             "--set",
-            "config.api.auth_backends=airflow.providers.fab.auth_manager.api.auth.backend.basic_auth",
-            "--set",
             "config.logging.logging_level=DEBUG",
             "--set",
             f"executor={executor}",

docs/apache-airflow/howto/docker-compose/docker-compose.yaml

@@ -60,8 +60,6 @@ x-airflow-common:
     AIRFLOW__CORE__FERNET_KEY: ''
     AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION: 'true'
     AIRFLOW__CORE__LOAD_EXAMPLES: 'true'
-    AIRFLOW__API__AUTH_BACKENDS: >-
-       airflow.providers.fab.auth_manager.api.auth.backend.basic_auth,airflow.providers.fab.auth_manager.api.auth.backend.session
     AIRFLOW__WORKERS__EXECUTION_API_SERVER_URL: 'http://airflow-apiserver:8080/execution/'
     # yamllint disable rule:line-length
     # Use simple http server on scheduler for health checks

docs/exts/operators_and_hooks_ref.py

@@ -587,19 +587,6 @@ def logging(header_separator: str):
     )
 
 
-@cli.command()
-@option_header_separator
-def auth_backends(header_separator: str):
-    """Renders Logger content"""
-    print(
-        _common_render_list_content(
-            header_separator=header_separator,
-            resource_type="auth-backends",
-            template="auth_backend.rst.jinja2",
-        )
-    )
-
-
 @cli.command()
 @option_header_separator
 def secret_backends(header_separator: str):

newsfragments/47399.significant.rst

@@ -0,0 +1,12 @@
+Removed auth backends. Auth backends are no longer used in Airflow 3. Please refer to documentation on how to use Airflow 3 public API.
+
+* Types of change
+
+  * [ ] Dag changes
+  * [ ] Config changes
+  * [ ] API changes
+  * [ ] CLI changes
+  * [ ] Behaviour changes
+  * [ ] Plugin changes
+  * [ ] Dependency changes
+  * [x] Code interface changes

scripts/docker/entrypoint_ci.sh

@@ -347,7 +347,6 @@ function start_api_server_with_examples(){
         return
     fi
     export AIRFLOW__CORE__LOAD_EXAMPLES=True
-    export AIRFLOW__API__AUTH_BACKENDS=airflow.providers.fab.auth_manager.api.auth.backend.session,airflow.providers.fab.auth_manager.api.auth.backend.basic_auth
     export AIRFLOW__WEBSERVER__EXPOSE_CONFIG=True
     echo
     echo "${COLOR_BLUE}Initializing database${COLOR_RESET}"

tests/always/test_providers_manager.py

@@ -416,11 +416,6 @@ def test_secrets_backends(self):
         secrets_backends_class_names = list(provider_manager.secrets_backend_class_names)
         assert len(secrets_backends_class_names) > 4
 
-    def test_auth_backends(self):
-        provider_manager = ProvidersManager()
-        auth_backend_module_names = list(provider_manager.auth_backend_module_names)
-        assert len(auth_backend_module_names) > 0
-
     def test_trigger(self):
         provider_manager = ProvidersManager()
         trigger_class_names = list(provider_manager.trigger)

tests/core/test_configuration.py

@@ -614,31 +614,6 @@ def test_config_value_types(self, key, type):
         section_dict = conf.getsection("example_section")
         assert isinstance(section_dict[key], type)
 
-    def test_auth_backends_adds_session(self):
-        with patch("os.environ", {"AIRFLOW__API__AUTH_BACKEND": None}):
-            test_conf = AirflowConfigParser(default_config="")
-            # Guarantee we have deprecated settings, so we test the deprecation
-            # lookup even if we remove this explicit fallback
-            test_conf.deprecated_values = {
-                "api": {
-                    "auth_backends": (
-                        re.compile(r"^airflow\.api\.auth\.backend\.deny_all$|^$"),
-                        "airflow.providers.fab.auth_manager.api.auth.backend.session",
-                        "3.0",
-                    ),
-                },
-            }
-            test_conf.read_dict(
-                {"api": {"auth_backends": "airflow.providers.fab.auth_manager.api.auth.backend.basic_auth"}}
-            )
-
-            with pytest.warns(FutureWarning):
-                test_conf.validate()
-                assert (
-                    test_conf.get("api", "auth_backends")
-                    == "airflow.providers.fab.auth_manager.api.auth.backend.basic_auth,airflow.providers.fab.auth_manager.api.auth.backend.session"
-                )
-
     def test_command_from_env(self):
         test_cmdenv_config = textwrap.dedent("""\
             [testcmdenv]