Race condition causes "AirflowAppBuilder has no attribute 'sm'" on concurrent auth requests

[kimyoungi99]

Apache Airflow Provider(s)

fab

Versions of Apache Airflow Providers

apache-airflow-providers-fab==3.1.1

full-list

apache-airflow-providers-amazon==9.19.0
apache-airflow-providers-celery==3.15.0
apache-airflow-providers-cncf-kubernetes==10.12.0
apache-airflow-providers-common-compat==1.11.0
apache-airflow-providers-common-io==1.7.0
apache-airflow-providers-common-messaging==2.0.1
apache-airflow-providers-common-sql==1.30.2
apache-airflow-providers-docker==4.5.1
apache-airflow-providers-elasticsearch==6.4.2
apache-airflow-providers-fab==3.1.1
apache-airflow-providers-ftp==3.14.0
apache-airflow-providers-git==0.2.0
apache-airflow-providers-google==19.3.0
apache-airflow-providers-grpc==3.9.1
apache-airflow-providers-hashicorp==4.4.1
apache-airflow-providers-http==5.6.2
apache-airflow-providers-microsoft-azure==12.10.1
apache-airflow-providers-mysql==6.4.0
apache-airflow-providers-odbc==4.11.0
apache-airflow-providers-openlineage==2.9.2
apache-airflow-providers-postgres==6.5.1
apache-airflow-providers-redis==4.4.1
apache-airflow-providers-sendgrid==4.2.0
apache-airflow-providers-sftp==5.5.1
apache-airflow-providers-slack==9.6.1
apache-airflow-providers-smtp==2.4.1
apache-airflow-providers-snowflake==6.8.1
apache-airflow-providers-ssh==4.2.1
apache-airflow-providers-standard==1.10.2

Apache Airflow version

3.1.6

Operating System

Debian GNU/Linux 12 (bookworm)

Deployment

Official Apache Airflow Helm Chart

Deployment details

No response

What happened

Hi, apologies if this is a duplicate or if I've misunderstood the code - I searched but couldn't find an existing issue.

When sending concurrent requests to /auth/token, intermittent 500 errors occur with:

AttributeError: 'AirflowAppBuilder' object has no attribute 'sm'
  File ".../airflow/providers/fab/www/extensions/init_appbuilder.py", line 548, in _add_permission
    if hasattr(self.sm, "add_permissions_view"):

In my case, this is easily reproducible - even just 2 concurrent requests can trigger the error.

Suspected cause:
It appears that create_auth_manager() in api_fastapi/app.py creates a new instance on every call without checking for an existing one, which may cause race conditions when multiple requests initialize the auth manager simultaneously.

What you think should happen instead

Concurrent requests to /auth/token should not cause server errors.

If my analysis is correct, create_auth_manager() is not thread-safe and concurrent calls cause issues.
Looking at _AuthManagerState and get_auth_manager(), I assume a singleton pattern is intended, but I'm not entirely sure. Either way, it seems like proper synchronization (e.g., double-checked locking) is needed.

How to reproduce

1. Start Airflow with FAB auth manager
2. Send 2+ concurrent POST requests to /auth/token

(example python script)

import asyncio
import httpx
async def main():
    async with httpx.AsyncClient(timeout=30.0) as client:
        tasks = [
            client.post(
                "http://localhost:8080/auth/token",
                json={"username": "admin", "password": "admin"},
            )
            for _ in range(2)
        ]
        results = await asyncio.gather(*tasks, return_exceptions=True)
        for i, r in enumerate(results):
            if isinstance(r, Exception):
                print(f"Request {i}: Exception - {r}")
            else:
                print(f"Request {i}: {r.status_code} - {r.text[:200] if r.status_code != 201 else 'OK'}")
asyncio.run(main())

Note: Other endpoints like /api/v2/dags work fine under concurrent load.

Anything else

This issue started occurring after upgrading to recent versions.
(airflow: 3.0.6 ->3.1.6, fab: 2.4.1 -> 3.1.1)
I suspect it may be related to recent refactoring (#59772, #59953), but I'm not entirely certain.
Happy to provide more details or test any fixes.

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

[liuzheng]

We have same issue, and it cause POST /api/v2/dags/xxxx/dagRuns got 401 Unauthorized, QPS almost 1k(just swith to test one dag, one apiserver process ), Airflow 3.1.5.
Then we downgrade use airflow 2.8 version, two webserver process, the heightest QPS maybe 4k, no similar issues have been triggered.

I think it is not airflow issue, maybe flask issue

[jason810496]

It appears that create_auth_manager() in api_fastapi/app.py creates a new instance on every call without checking for an existing one, which may cause race conditions when multiple requests initialize the auth manager simultaneously.

Yes, that might be one of the root cause. The linked PR will address it soon.

[yevsh]

Having similar issue:
When calling /auth/token to get token

2026-02-11T07:46:53.703402Z [error    ] Add Permission on View Error: 'AirflowAppBuilder' object has no attribute 'sm' [flask_appbuilder.base] loc=init_appbuilder.py:552
INFO:     10.254.8.2:38258 - "POST /auth/token HTTP/1.1" 500 Internal Server Error
ERROR:    Exception in ASGI application
Traceback (most recent call last):
  File "/home/airflow/.local/lib/python3.12/site-packages/uvicorn/protocols/http/httptools_impl.py", line 409, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/fastapi/applications.py", line 1082, in __call__
    await super().__call__(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/applications.py", line 113, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/errors.py", line 186, in __call__
    raise exc
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/errors.py", line 164, in __call__
    await self.app(scope, receive, _send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/gzip.py", line 29, in __call__
    await responder(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/gzip.py", line 130, in __call__
    await super().__call__(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/gzip.py", line 46, in __call__
    await self.app(scope, receive, self.send_with_compression)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/cors.py", line 85, in __call__
    await self.app(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/base.py", line 189, in __call__
    raise app_exc
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/base.py", line 144, in coro
    await self.app(scope, receive_or_disconnect, send_no_error)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/exceptions.py", line 63, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 716, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 736, in app
    await route.handle(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 462, in handle
    await self.app(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/fastapi/applications.py", line 1082, in __call__
    await super().__call__(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/applications.py", line 113, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/errors.py", line 186, in __call__
    raise exc
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/errors.py", line 164, in __call__
    await self.app(scope, receive, _send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/exceptions.py", line 63, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 716, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 736, in app
    await route.handle(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 290, in handle
    await self.app(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 78, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 75, in app
    response = await f(request)
               ^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/fastapi/routing.py", line 308, in app
    raw_response = await run_endpoint_function(
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/fastapi/routing.py", line 221, in run_endpoint_function
    return await run_in_threadpool(dependant.call, **values)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/concurrency.py", line 38, in run_in_threadpool
    return await anyio.to_thread.run_sync(func)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/anyio/to_thread.py", line 61, in run_sync
    return await get_async_backend().run_sync_in_worker_thread(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/anyio/_backends/_asyncio.py", line 2525, in run_sync_in_worker_thread
    return await future
           ^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/anyio/_backends/_asyncio.py", line 986, in run
    result = context.run(func, *args)
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/auth_manager/api_fastapi/routes/login.py", line 43, in create_token
    with get_application_builder():
         ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/python/lib/python3.12/contextlib.py", line 137, in __enter__
    return next(self.gen)
           ^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/auth_manager/cli_commands/utils.py", line 69, in get_application_builder
    yield _return_appbuilder(flask_app, db)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/auth_manager/cli_commands/utils.py", line 45, in _return_appbuilder
    init_appbuilder(app, enable_plugins=False)
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/www/extensions/init_appbuilder.py", line 598, in init_appbuilder
    return AirflowAppBuilder(
           ^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/www/extensions/init_appbuilder.py", line 155, in __init__
    self.init_app(app, session)
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/www/extensions/init_appbuilder.py", line 207, in init_app
    self._add_admin_views()
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/www/extensions/init_appbuilder.py", line 303, in _add_admin_views
    auth_manager.register_views()
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/auth_manager/fab_auth_manager.py", line 575, in register_views
    self.security_manager.register_views()
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/auth_manager/security_manager/override.py", line 463, in register_views
    self.user_view = self.appbuilder.add_view(
                     ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/www/extensions/init_appbuilder.py", line 410, in add_view
    self.add_limits(baseview)
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/www/extensions/init_appbuilder.py", line 543, in add_limits
    self.sm.add_limit_view(baseview)
    ^^^^^^^
AttributeError: 'AirflowAppBuilder' object has no attribute 'sm'