azeemkhanmohammed opened a new issue, #35896: URL: https://github.com/apache/airflow/issues/35896
### Apache Airflow version

2.7.3

### What happened

I am deploying the Airflow Helm chart on EKS through this link https://airflow.apache.org/docs/helm-chart/stable/index.html and I am also trying to configure SSO with GitHub Enterprise, using the webserverConfig.py provided below. However, the issue I am facing with this config is that the roles are not getting mapped according to the users' GitHub teams, and every user is getting the default registration role.

### What you think should happen instead

Airflow should have mapped the role correctly by checking whether the user exists in the team and assigned the role accordingly.

### How to reproduce

You can reproduce by deploying the official Helm chart and adding the below configuration under the webserverConfig section of the Helm chart.

### Operating System

EKS

### Versions of Apache Airflow Providers

_No response_

### Deployment

Official Apache Airflow Helm Chart

### Deployment details

```
webserverConfig: |
  from airflow.www.security import AirflowSecurityManager
  from flask_appbuilder.security.manager import AUTH_OAUTH
  from typing import List,Any,Dict,Union
  import os
  import logging

  log = logging.getLogger(__name__)
  log.setLevel(os.getenv("AIRFLOW__LOGGING__FAB_LOGGING_LEVEL", "INFO"))

  FAB_ADMIN_ROLE = "Admin"
  FAB_VIEWER_ROLE = "Viewer"
  FAB_PUBLIC_ROLE = "Public"
  TEAM_ID_A_FROM_GITHUB = 9*****
  TEAM_ID_B_FROM_GITHUB = 8*****

  def team_parser(team_payload: Dict[str, Any]) -> List[int]:
      return [team["id"] for team in team_payload]

  def map_roles(team_list: List[int]) -> List[str]:
      team_role_map = {
          TEAM_ID_A_FROM_GITHUB: FAB_ADMIN_ROLE,
          TEAM_ID_B_FROM_GITHUB: FAB_VIEWER_ROLE,
      }
      return list(set(team_role_map.get(team, FAB_PUBLIC_ROLE) for team in team_list))

  class GithubTeamAuthorizer(AirflowSecurityManager):
      def get_oauth_user_info(self, provider: str, resp: Any) -> Dict[str, Union[str, List[str]]]:
          remote_app = self.appbuilder.sm.oauth_remotes[provider]
          me = remote_app.get("user")
          user_data = me.json()
          team_data = remote_app.get("user/teams")
          teams = team_parser(team_data.json())
          roles = map_roles(teams)
          log.info(f"User info from Github: {user_data}\nTeam info from Github: {teams}\nRoles are: {roles}")
          return {"username": "github_" + user_data.get("login"), "role_keys": roles}

  SECURITY_MANAGER_CLASS = GithubTeamAuthorizer
  AUTH_TYPE = AUTH_OAUTH
  AUTH_ROLES_SYNC_AT_LOGIN = True
  AUTH_USER_REGISTRATION = True
  AUTH_USER_REGISTRATION_ROLE = "Admin"
  OAUTH_PROVIDERS = [
      {
          "name": "github",
          "icon": "fa-github",
          "token_key": "access_token",
          "remote_app": {
              "client_id": "0***********",
              "client_secret": "******************",
              "api_base_url": "https://api.github.com",
              "client_kwargs": {"scope": "read:user, read:org"},
              "access_token_url": "https://github.com/login/oauth/access_token",
              "authorize_url": "https://github.com/login/oauth/authorize",
              "request_token_url": None,
          },
      },
  ]
```

### Anything else

_No response_

### Are you willing to submit PR?

- [ ] Yes I am willing to submit a PR!

### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
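The symptom reported above can be reasoned about with a small model of how Flask-AppBuilder combines `role_keys`, `AUTH_ROLES_MAPPING` and `AUTH_USER_REGISTRATION_ROLE` at OAuth login. This is an added example, not code from the issue or from Airflow or Flask-AppBuilder: `effective_roles()` is a hypothetical, simplified stand-in for the security manager's role calculation, the team ids are constructed, and `HARDENED` is an assumed least-privilege variant of the posted settings.

```python
# Simplified stand-in for Flask-AppBuilder's OAuth role calculation.
# Assumption: this mirrors the behaviour of its security manager; it is
# not FAB's or Airflow's actual source.
from typing import Dict, List, Set

TEAM_A, TEAM_B = 111111, 222222  # constructed team ids, not from the issue


def map_roles(team_ids: List[int]) -> List[str]:
    """Same idea as map_roles() in the issue: GitHub team id -> role key."""
    team_role_map = {TEAM_A: "Admin", TEAM_B: "Viewer"}
    return sorted({team_role_map.get(t, "Public") for t in team_ids})


def effective_roles(role_keys: List[str], config: Dict) -> Set[str]:
    """Roles a user ends up with at login under the given config."""
    roles: Set[str] = set()
    mapping = config.get("AUTH_ROLES_MAPPING", {})
    # role_keys are only consulted when a mapping is configured.
    if mapping:
        for key in role_keys:
            roles.update(mapping.get(key, []))
    # The registration role is added on top whenever registration is on.
    if config.get("AUTH_USER_REGISTRATION"):
        roles.add(config["AUTH_USER_REGISTRATION_ROLE"])
    return roles


# Settings as posted in the issue: no AUTH_ROLES_MAPPING, "Admin" default.
AS_POSTED = {"AUTH_USER_REGISTRATION": True, "AUTH_USER_REGISTRATION_ROLE": "Admin"}

# Least-privilege variant: explicit mapping, lowest role as the default.
HARDENED = {
    "AUTH_USER_REGISTRATION": True,
    "AUTH_USER_REGISTRATION_ROLE": "Public",
    "AUTH_ROLES_MAPPING": {"Admin": ["Admin"], "Viewer": ["Viewer"], "Public": ["Public"]},
}

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        for teams in ([TEAM_A], [TEAM_B], []):
            print(label, teams, sorted(effective_roles(map_roles(teams), cfg)))
```

Under this model the posted settings give every authenticated GitHub user `Admin` regardless of team, because the registration role is applied unconditionally and the returned `role_keys` are never looked up.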
