wesleyemery opened a new issue, #23509:
URL: https://github.com/apache/airflow/issues/23509
### Official Helm Chart version
1.5.0 (latest released)
### Apache Airflow version
2.2.3
### Kubernetes Version
1.22.6
### Helm Chart configuration
```
- name: Helm Install Airflow
  run: |
    tee -a $GITHUB_WORKSPACE/airflow-override-vaules.yaml <<EOF
    executor: "CeleryExecutor"
    images:
      airflow:
        repository: "${{ secrets.ACR_LOGIN_URL }}/${{ env.APP_NAME }}"
        tag: ${{ env.GITHUB_ENV }}-${{ github.sha }}
      useDefaultImageForMigration: true
    nodeSelector:
      agentpool: "airflow"
    webserverSecretKey: ${{ secrets.AIRFLOW_SECRET_KEY }}
    workers:
      securityContext:
        runAsUser: 5000
        fsGroup: 0
    ingress:
      enabled: true
      web:
        annotations:
          kubernetes.io/ingress.class: "nginx"
        hosts: ["airflow.beertech.com"]
        tls:
          enabled: true
          secretName: ingress-tls-secret
    extraEnv: |-
      - name: AIRFLOW__METRICS__STATSD_HOST
        valueFrom:
          fieldRef:
            fieldPath: status.hostIP
    config:
      metrics:  # or 'scheduler' for Airflow 1
        statsd_on: true
        statsd_port: 8125
      api:
        auth_backend: airflow.api.auth.backend.basic_auth
    webserver:
      webserverConfig: |
        from airflow import configuration as conf
        from flask_appbuilder.security.manager import AUTH_OAUTH
        import os

        SQLALCHEMY_DATABASE_URI = conf.get('core', 'SQL_ALCHEMY_CONN')
        AUTH_TYPE = AUTH_OAUTH

        # registration configs
        AUTH_USER_REGISTRATION = True  # allow users who are not already in the FAB DB
        AUTH_USER_REGISTRATION_ROLE = "Public"  # this role will be given in addition to any AUTH_ROLES_MAPPING

        # the list of providers which the user can choose from
        OAUTH_PROVIDERS = [
            {
                "name": "azure",
                "icon": "fa-windows",
                "token_key": "access_token",
                "remote_app": {
                    "client_id": os.environ.get("${{ secrets.AIRFLOW_CLIENT_ID }}"),
                    "client_secret": os.environ.get("${{ secrets.AIRFLOW_SECRET }}"),
                    "api_base_url": "https://login.microsoftonline.com/${{ secrets.TENANT_ID }}/oauth2",
                    "client_kwargs": {
                        "scope": "User.read name preferred_username email profile upn",
                        "resource": os.environ.get("${{ secrets.AIRFLOW_CLIENT_ID }}"),
                    },
                    "request_token_url": None,
                    "access_token_url": "https://login.microsoftonline.com/${{ secrets.TENANT_ID}}/oauth2/token",
                    "authorize_url": "https://login.microsoftonline.com/${{ secrets.TENANT_ID}}/oauth2/authorize",
                },
            },
        ]

        # a mapping from the values of `userinfo["role_keys"]` to a list of FAB roles
        AUTH_ROLES_MAPPING = {
            "FAB_ADMINS": ["Admin"],
        }

        # if we should replace ALL the user's roles each login, or only on registration
        AUTH_ROLES_SYNC_AT_LOGIN = True

        # force users to re-auth after 30min of inactivity (to keep roles in sync)
        PERMANENT_SESSION_LIFETIME = 1800

        # Setup default language
        BABEL_DEFAULT_LOCALE = "en"
        # Your application default translation path
        BABEL_DEFAULT_FOLDER = "translations"
        # The allowed translation for you app
        LANGUAGES = {
            "en": {"flag": "gb", "name": "English"},
            "pt": {"flag": "pt", "name": "Portuguese"},
            "pt_BR": {"flag": "br", "name": "Pt Brazil"},
            "es": {"flag": "es", "name": "Spanish"},
            "de": {"flag": "de", "name": "German"},
            "zh": {"flag": "cn", "name": "Chinese"},
            "ru": {"flag": "ru", "name": "Russian"},
        }
    EOF
```
### Docker Image customisations
Dockerfile ->
```
FROM apache/airflow:2.2.3-python3.7
USER root
RUN sudo apt-get update \
&& sudo apt-get install -y g++ \
&& sudo apt-get install -y unixodbc-dev \
&& sudo apt-get install -y python3.7-dev \
&& python3.7 -m pip install --upgrade pip
USER airflow
COPY ./.netrc .
COPY requirements.txt ./
RUN pip3 install -r requirements.txt
```
requirements.txt ->
```
SQLAlchemy==1.3.24
pyarrow==5.0.0
snowflake-connector-python==2.5.1
snowflake-sqlalchemy==1.2.5
apache-airflow-providers-snowflake
apache-airflow-providers-databricks
apache-airflow-providers-microsoft-azure
pendulum
Flask-AppBuilder~=3.4.0
Authlib~=0.15.5
```
### What happened
I have created an SPN in Azure and created the FAB_ADMINS App role assigned
to user/groups and applications and still get this error:
Your user has no roles and/or permissions!
Unfortunately your user has no roles, and therefore you cannot use Airflow.
Please contact your Airflow administrator
([authentication](https://airflow.apache.org/docs/apache-airflow/stable/security/webserver.html#web-authentication)
may be misconfigured) or [log out](https://airflow.beertech.com/logout/) to
try again.
airflow-webserver-76b8c4747b-4rpbn
When I attempt to login from incognito browser I get the following error:
```
Python version: 3.7.12
Airflow version: 2.2.3
Node: airflow-webserver-76b8c4747b-4rpbn
-------------------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/airflow/.local/lib/python3.7/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/airflow/.local/lib/python3.7/site-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/airflow/.local/lib/python3.7/site-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/airflow/.local/lib/python3.7/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/home/airflow/.local/lib/python3.7/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/airflow/.local/lib/python3.7/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/airflow/.local/lib/python3.7/site-packages/flask_appbuilder/security/views.py", line 659, in oauth_authorized
    resp = self.appbuilder.sm.oauth_remotes[provider].authorize_access_token()
  File "/home/airflow/.local/lib/python3.7/site-packages/authlib/integrations/flask_client/remote_app.py", line 76, in authorize_access_token
    token = self.fetch_access_token(**params)
  File "/home/airflow/.local/lib/python3.7/site-packages/authlib/integrations/base_client/remote_app.py", line 112, in fetch_access_token
    token = client.fetch_token(token_endpoint, **kwargs)
  File "/home/airflow/.local/lib/python3.7/site-packages/authlib/oauth2/client.py", line 205, in fetch_token
    headers=headers, **session_kwargs
  File "/home/airflow/.local/lib/python3.7/site-packages/authlib/oauth2/client.py", line 226, in _fetch_token
    return self.parse_response_token(resp.json())
  File "/home/airflow/.local/lib/python3.7/site-packages/authlib/oauth2/client.py", line 380, in parse_response_token
    self.handle_error(error, description)
  File "/home/airflow/.local/lib/python3.7/site-packages/authlib/integrations/requests_client/oauth2_session.py", line 117, in handle_error
    raise OAuthError(error_type, error_description)
authlib.integrations.base_client.errors.OAuthError: interaction_required: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.
Trace ID: 0b12c92e-9bab-4cb6-a1f9-12ed7bbf4a01
Correlation ID: c2de0d11-3a29-4fbe-8ecc-b2b1f719a21f
Timestamp: 2022-05-05 16:49:42Z
```
### What you think should happen instead
I expect to be able to log on with OAuth since I am a member of the FAB_ADMINS group.
### How to reproduce
```
helm upgrade --install airflow apache-airflow/airflow -f ./airflow-override-values.yaml -n airflow
```
### Anything else
_No response_
### Are you willing to submit PR?
- [X] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
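The role mapping the webserver config above relies on, as an added example that is not part of this issue or of FAB/Airflow's own code: a small re-implementation of how FAB's `azure` provider turns the `roles` claim of the id_token into `role_keys`, and how `AUTH_ROLES_MAPPING` plus `AUTH_USER_REGISTRATION_ROLE` then become the FAB roles a user ends up with. The tokens are constructed, unsigned samples; the helper names are assumptions and the signature is deliberately not verified because the point is only to inspect which claims the tenant issues.

```python
import base64
import json
from typing import Dict, Set

# Values taken from the webserver_config.py in the issue.
AUTH_ROLES_MAPPING = {"FAB_ADMINS": ["Admin"]}
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Public"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> Dict:
    """Decode the payload of an id_token WITHOUT verifying it (inspection only;
    the real sign-in path must verify signature, issuer and audience)."""
    return json.loads(_b64url_decode(id_token.split(".")[1]))


def oauth_user_info(claims: Dict) -> Dict:
    """Shape the claims the way FAB's azure provider does: app roles -> role_keys."""
    return {
        "username": claims.get("upn") or claims.get("preferred_username", ""),
        "email": claims.get("email", ""),
        "role_keys": claims.get("roles", []),  # absent claim -> no role keys
    }


def calculate_fab_roles(userinfo: Dict) -> Set[str]:
    """Re-implementation (not FAB's code) of FAB's role calculation on OAuth login."""
    roles: Set[str] = set()
    for key in userinfo.get("role_keys", []):
        roles.update(AUTH_ROLES_MAPPING.get(key, []))  # unmapped keys are ignored
    if AUTH_USER_REGISTRATION:
        roles.add(AUTH_USER_REGISTRATION_ROLE)  # always added, even with no mapping hit
    return roles


def _make_unsigned_token(payload: Dict) -> str:
    # Constructed sample token "header.payload." with an empty signature (offline use only).
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


# Constructed samples: one token carries the FAB_ADMINS app role, one carries no roles claim.
TOKEN_WITH_ROLE = _make_unsigned_token({"upn": "alice@example.com", "roles": ["FAB_ADMINS"]})
TOKEN_NO_ROLE = _make_unsigned_token({"upn": "bob@example.com"})

if __name__ == "__main__":
    for tok in (TOKEN_WITH_ROLE, TOKEN_NO_ROLE):
        info = oauth_user_info(id_token_claims(tok))
        print(info["username"], "->", sorted(calculate_fab_roles(info)))
```

A token without the `roles` claim yields only `Public`, which in Airflow carries no permissions and produces the "no roles and/or permissions" page quoted above; checking the decoded claims is the first thing to verify before touching the mapping.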