Fetch deadline callback context via Execution API at runtime #66608
Merged: o-nikolas merged 24 commits into apache:main from aws-mwaa:ghaeli/callback-context-execution-api on Jun 23, 2026
Commits
03005d5 Fetch deadline callback context via Execution API at runtime
dbe8e66 Retrigger CI
a25a2e2 Retrigger CI after infra timeouts (kind/gradle download 504)
878eb0f Add Jinja template rendering for deadline callback kwargs
f348575 Harden deadline callback execution against edge-case failures
ba943f3 Fix scheduled DagRuns never getting a deadline (UNEXPECTED COMMIT und…
69a85db Render Jinja in async deadline-callback kwargs (match sync path)
e028ab9 Reformat: collapse wrapped isinstance to satisfy ruff-format
65ed4be Address review: shared Jinja render helper for both paths + update docs
8cc7339 Address review: assemble context['deadline'] inside build_context_fro…
3dfdcc6 Retry executor deadline callbacks on transient context-fetch failures
cfee847 Trim deadline-callback tests to PR scope
f4d2787 Fix static checks: SDK-import noqa + coerce_to_timedelta typing
e55b832 Use fixed datetime instead of datetime.now() in deadline isolation tests
98193ce Keep deadline test dates within MySQL TIMESTAMP range
0d81914 Drop XCom route changes — they belong to #66611, not this PR
e6813f7 Trim deadline-callback tests substantially toward Airflow's coverage …
7d96957 Re-trigger CI (transient boto3 inventory 403 in unrelated amazon-prov…
52e2421 Resolve VariableInterval through full secrets chain, not table-only
18d7f67 Re-trigger CI (flaky example_trigger_controller_dag e2e: dag_run uniq…
c67b2c2 Fix rebase fallout: guard trigger.callback access in _create_workload
ae4941a Re-trigger CI
c99bfb5 Re-trigger CI
9920112 Override require_auth in in-process Execution API to fix test hangs
@seanghaeli I'm sorry I didn't catch this earlier, but this change is a regression on security, so this part at least (if not the entire PR?) needs reverting.
token:workload is essentially used for long-lived tokens (~24hrs) when the TI is in queued state between the executor Queueing the task, where a worker calls the ti/run endpoint to exchange it for a short lived (5-10mins) token that has more permissions. The primary driver for this change was to make the tokens that are visible via workers (either in the Celery message bus, or in the KE pod spec itself) only usable once (i.e. can't be replayed, handled by the TI state transition requirements) and for a single thing (just for calling the run endpoint).
What's the right fix here? Between this comment and Kaxil's, is there a way to make this work within the existing token types or do we need a new token type entirely, maybe, instead of trying to shoe-horn what he is trying to do into a system that wasn't built for it?
Also, I clearly need to brush up on the tokens and their intended uses. I didn't know about that intentional down-scoping.
Also, maybe this is a hint from the universe that we need tests around this to prevent accidental (or at least un-discussed) token scope changes? Let me see what I can come up with and I'll tag you in it for a review.
Do we need a new token for this kind of exchange @ashb? Also the code/functionality that should invalidate the workload token after the first use (since we're only intending for it to be used once for the exchange for the short lived token) doesn't seem to be running, otherwise testing would have caught that here? Any who, I think we should circle back on this one and regroup a bit.
Shall we revert this one? @seanghaeli @ferruzzi?
Yes, we should revert to unblock 3.3.0b2, and we can figure out a solution for this meanwhile.
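The workload-token design described in the review comments above, as a small self-contained model that a scope-regression test could assert against (an added example, not Airflow's code). The token format, the signing key, the `execution` scope name and every route other than `ti/run` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed value, not a real signing key
WORKLOAD_TTL, EXECUTION_TTL = 24 * 3600, 10 * 60  # ~24h and 5-10 min, per the comment
# Hypothetical allow-list: a workload token may call exactly one route.
ALLOWED = {"workload": {"ti/run"}, "execution": {"ti/heartbeat", "ti/state", "variables"}}
TI_STATE = {}  # ti_id -> state; stands in for the metadata database


def issue(ti_id, scope, ttl, now=None):
    body = json.dumps({"sub": ti_id, "scope": scope, "exp": (now or time.time()) + ttl})
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body.encode()).decode() + "." + sig


def authorize(token, route, now=None):
    """Return the claims if the token is authentic, unexpired and in scope for route."""
    b64, _, sig = token.partition(".")
    body = base64.urlsafe_b64decode(b64)
    if not hmac.compare_digest(sig, hmac.new(SECRET, body, hashlib.sha256).hexdigest()):
        raise PermissionError("bad signature")
    claims = json.loads(body)
    if claims["exp"] < (now or time.time()):
        raise PermissionError("expired")
    if route not in ALLOWED.get(claims["scope"], set()):
        raise PermissionError(f"scope {claims['scope']!r} may not call {route!r}")
    return claims


def queue_task(ti_id, now=None):
    """Executor side: mark the TI queued and mint the long-lived workload token."""
    TI_STATE[ti_id] = "queued"
    return issue(ti_id, "workload", WORKLOAD_TTL, now)


def run_endpoint(token, now=None):
    """Exchange a workload token for a short-lived one.

    The queued -> running transition is what makes the workload token single-use.
    """
    claims = authorize(token, "ti/run", now)
    if TI_STATE.get(claims["sub"]) != "queued":
        raise PermissionError("task instance is not queued: token already exchanged")
    TI_STATE[claims["sub"]] = "running"
    return issue(claims["sub"], "execution", EXECUTION_TTL, now)
```

Widening `ALLOWED["workload"]` to any route beyond `ti/run` is the kind of scope change a test over this table would flag.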