vincbeck opened a new issue, #34107: URL: https://github.com/apache/airflow/issues/34107
### Discussed in https://github.com/apache/airflow/discussions/33913 <div type='discussions-op-text'> <sup>Originally posted by **allekai** August 30, 2023</sup> Hi everyone, we have Airflow deployed via the official helm chart (Version 1.10.0) in our OpenShift Namespace and tried to upgrade the Airflow version to 2.7.0, but with this, our authentication seems to break. Prior to the upgrade we used 2.6.3. In the values.yaml we defined a webserver config like so (I mainly used the [documentation](https://airflow.apache.org/docs/apache-airflow/2.7.0/security/webserver.html) as reference, but made some minor adjustments for our setup): ``` airflow: webserver: webserverConfig: | from flask_appbuilder.security.manager import AUTH_OAUTH import os import json client_id = os.environ["client_id"] client_secret = os.environ["token"] api_base_url = os.environ["api_base_url"] redirect_uri = os.environ["redirect_uri"] access_token_url = os.environ["access_token_url"] authorize_url = os.environ["authorize_url"]# from airflow.www.security import AirflowSecurityManager import logging from typing import Any, List, Union log = logging.getLogger(__name__) log.setLevel(os.getenv("AIRFLOW__LOGGING__FAB_LOGGING_LEVEL", "INFO")) class OpenShiftOAuthAuthorizer(AirflowSecurityManager): def get_oauth_user_info(self, provider: str, resp: Any) -> dict[str, Union[str, list[str]]]: if provider == "openshift": me = self.oauth_remotes[provider].get("apis/user.openshift.io/v1/users/~") data = me.json() log.info(data) return { "username": data["metadata"]["name"], "role_keys": data["groups"], "first_name": data["fullName"] } AUTH_TYPE = AUTH_OAUTH AUTH_ROLES_SYNC_AT_LOGIN = True # Checks roles on every login AUTH_USER_REGISTRATION = True # allow users who are not already in the FAB DB to register # Make sure to replace this with the path to your security manager class FAB_SECURITY_MANAGER_CLASS = "webserver_config.OpenShiftOAuthAuthorizer" with open('/mnt/rolesconfig/roles.json') as roleFile: AUTH_ROLES_MAPPING = json.load(roleFile) print(f"Following Roles were defined via Rolemapping: {AUTH_ROLES_MAPPING}") # If you wish, you can add multiple OAuth providers. OAUTH_PROVIDERS = [ { "name": "openshift", "icon": "fa-circle-o", "token_key": "access_token", "remote_app": { "client_id": client_id, "client_secret": client_secret, "api_base_url": api_base_url, "client_kwargs": {"scope": "user:info"}, "redirect_uri": redirect_uri, "access_token_url": access_token_url, "authorize_url": authorize_url, "token_endpoint_auth_method": "client_secret_post", }, }, ] ``` With Airflow 2.6.3 this authentication logic works fine, however with Airflow 2.7.0 after authenticating with OpenShfit we get an Airflow page saying that the user has no roles / permission. Furthermore, the `log.info(data)` statement is either never called or the logging does not make it to the console. The `print(f"Following Roles were defined via Rolemapping: {AUTH_ROLES_MAPPING}")` statement however is printed to stdout as expected. When we run `airflow users list` in the webserver pod, we see an entry for the user who tried to login, however we only have the email adress - the username, roles oder fullname are not written to the DB. After digging around in the code base I found that with 2.7.0 we have the [FabAirflowSecurityManagerOverride](https://github.com/apache/airflow/blob/2.7.0/airflow/auth/managers/fab/security_manager/override.py#L44) and with more recent commits we also have [FabAirflowSecurityManagerOverrideOauth](https://github.com/apache/airflow/blob/main/airflow/auth/managers/fab/security_manager/modules/oauth.py#L30) specific to OAuth. The current documentation (see link above) does not mention these override classes. Do we need to change the class from which we inherit? </div> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
