sergiocorona opened a new issue #22655:
URL: https://github.com/apache/airflow/issues/22655
### Apache Airflow version
2.2.4 (latest released)
### What happened
I am currently on version 2.1.2. I am using the GitHub OAuth feature to
grant access to my webserver and everything is working fine. When I upgraded to
version 2.2.4 I started getting the following error:
[2022-03-31 15:24:20,511] {views.py:666} ERROR - Error authorizing OAuth access token: maximum recursion depth exceeded while calling a Python object
And from the GUI, this message is displayed: The request to sign in was
denied.
### What you think should happen instead
I should be redirected to the DAG home page on Airflow.
I was following this documentation:
https://airflow.apache.org/docs/apache-airflow/stable/security/webserver.html?highlight=webserver
### How to reproduce
_No response_
### Operating System
```
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.14.5
PRETTY_NAME="Alpine Linux v3.14"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
```
### Versions of Apache Airflow Providers
apache-airflow-providers-amazon==3.0.0
apache-airflow-providers-celery==2.1.0
apache-airflow-providers-cncf-kubernetes==3.0.2
apache-airflow-providers-databricks==2.2.0
apache-airflow-providers-ftp==2.0.1
apache-airflow-providers-http==2.0.3
apache-airflow-providers-imap==2.2.0
apache-airflow-providers-microsoft-mssql==2.1.0
apache-airflow-providers-postgres==3.0.0
apache-airflow-providers-redis==2.0.1
apache-airflow-providers-sftp==2.4.1
apache-airflow-providers-sqlite==2.1.0
apache-airflow-providers-ssh==2.4.0
### Deployment
Virtualenv installation
### Deployment details
This is the webserver_config.py file that I am using
```python
import os
from flask_appbuilder.security.manager import AUTH_OAUTH
from airflow.www.security import AirflowSecurityManager
import logging
from typing import Dict, Any, List, Union

log = logging.getLogger(__name__)
log.setLevel(os.getenv("AIRFLOW__LOGGING__FAB_LOGGING_LEVEL", "INFO"))

DWNAM_ORG_ID = 111
DEVOPS_TEAM_ID = 222
DEVS_TEAM_ID = 333
OPS_TEAM_ID = 444

FAB_PUBLIC_ROLE = "Public"
GIT_URL = 'https://github.[company].com/api/v3/'

AUTH_TYPE = AUTH_OAUTH

# Replace users database roles each login with those received from OAUTH/LDAP
AUTH_ROLES_SYNC_AT_LOGIN = True
AUTH_USER_REGISTRATION = (
    True  # allow users who are not already in the FAB DB to register
)

# A mapping from LDAP/OAUTH group names to FAB roles
AUTH_ROLES_MAPPING = {
    # Github Enterprise Group to Airflow Role Mapping
    'devops': ['Admin'],
    'ops': ['Op'],
    'devs': ['User'],
}

OAUTH_PROVIDERS = [
    {
        'name': 'github',
        'token_key': 'access_token',
        'icon': 'fa-github',
        'remote_app': {
            'api_base_url': 'https://github.[company].com/api/v3/users',
            'client_kwargs': {"scope": "read:user, read:org"},
            'access_token_url': 'https://github.[company].com/login/oauth/access_token',
            'authorize_url': 'https://github.[company].com/login/oauth/authorize',
            'request_token_url': None,
            'client_id': os.environ['CLIENT_ID'],
            'client_secret': os.environ['CLIENT_SECRET'],
        },
    }
]


def team_parser(team_payload: Dict[str, Any]) -> List[int]:
    # Parse the team payload from Github however you want here.
    return [team["id"] for team in team_payload]


def map_roles(team_list: List[int]) -> List[str]:
    # Associate the team IDs with Roles here.
    # The expected output is a list of roles that FAB will use to Authorize the user.
    team_role_map = {
        DEVOPS_TEAM_ID: "Admin",
        DEVS_TEAM_ID: "User",
        OPS_TEAM_ID: "Op",
    }
    return list(set(team_role_map.get(team, FAB_PUBLIC_ROLE) for team in team_list))


class GithubTeamAuthorizer(AirflowSecurityManager):
    # In this example, the oauth provider == 'github'.
    # If you ever want to support other providers, see how it is done here:
    # https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/manager.py#L550
    def get_oauth_user_info(
        self, provider: str, resp: Any
    ) -> Dict[str, Union[str, List[str]]]:
        # Creates the user info payload from Github.
        # The user previously allowed your app to act on their behalf,
        # so now we can query the user and teams endpoints for their data.
        # Username and team membership are added to the payload and returned to FAB.
        remote_app = self.appbuilder.sm.oauth_remotes[provider]
        me = remote_app.get("user")
        user_data = me.json()
        team_data = remote_app.get("user/teams")
        teams = team_parser(team_data.json())
        roles = map_roles(teams)
        log.debug(
            f"User info from Github: {user_data}\n"
            f"Team info from Github: {teams}"
        )
        return {"username": "github_" + user_data.get("login"), "role_keys": roles}


SECURITY_MANAGER_CLASS = GithubTeamAuthorizer
```
### Anything else
This issue is always happening to me on version 2.2.4
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)