azeemkhanmohammed opened a new issue, #35896:
URL: https://github.com/apache/airflow/issues/35896

   ### Apache Airflow version
   
   2.7.3
   
   ### What happened
   
   I am deploying the Airflow Helm chart on EKS, following https://airflow.apache.org/docs/helm-chart/stable/index.html, and I am also trying to configure SSO with GitHub Enterprise, using the webserverConfig.py provided below. However, the issue I am facing with this config is that the roles are not getting mapped according to the users in the GitHub teams, and every user is getting the default registration role.
   
   ### What you think should happen instead
   
   Airflow should have mapped the role correctly by checking whether the user exists in the team and assigning the role accordingly.
   
   ### How to reproduce
   
   You can reproduce by deploying the official Helm chart and adding the below configuration under the webserverConfig section of the Helm chart.
   
   ### Operating System
   
   EKS
   
   ### Versions of Apache Airflow Providers
   
   _No response_
   
   ### Deployment
   
   Official Apache Airflow Helm Chart
   
   ### Deployment details
   
   ```
    webserverConfig: |
       from airflow.www.security import AirflowSecurityManager
       from flask_appbuilder.security.manager import AUTH_OAUTH
       from typing import List, Any, Dict, Union
       import os
       import logging

       log = logging.getLogger(__name__)
       log.setLevel(os.getenv("AIRFLOW__LOGGING__FAB_LOGGING_LEVEL", "INFO"))
       FAB_ADMIN_ROLE = "Admin"
       FAB_VIEWER_ROLE = "Viewer"
       FAB_PUBLIC_ROLE = "Public"
       # GitHub team IDs (redacted in the report)
       TEAM_ID_A_FROM_GITHUB = 9*****
       TEAM_ID_B_FROM_GITHUB = 8*****

       def team_parser(team_payload: List[Dict[str, Any]]) -> List[int]:
           # The user/teams response is a list of team objects; keep only the IDs.
           return [team["id"] for team in team_payload]


       def map_roles(team_list: List[int]) -> List[str]:
           # Translate team IDs to role names; unknown teams fall back to Public.
           team_role_map = {
               TEAM_ID_A_FROM_GITHUB: FAB_ADMIN_ROLE,
               TEAM_ID_B_FROM_GITHUB: FAB_VIEWER_ROLE,
           }
           return list(set(team_role_map.get(team, FAB_PUBLIC_ROLE) for team in team_list))

       class GithubTeamAuthorizer(AirflowSecurityManager):

           def get_oauth_user_info(self, provider: str, resp: Any) -> Dict[str, Union[str, List[str]]]:
               # Query the GitHub API with the user's token for profile and team membership.
               remote_app = self.appbuilder.sm.oauth_remotes[provider]
               me = remote_app.get("user")
               user_data = me.json()
               team_data = remote_app.get("user/teams")
               teams = team_parser(team_data.json())
               roles = map_roles(teams)
               log.info(
                   f"User info from Github: {user_data}\n"
                   f"Team info from Github: {teams}\n"
                   f"Roles are: {roles}"
               )
               return {"username": "github_" + user_data.get("login"), "role_keys": roles}

       SECURITY_MANAGER_CLASS = GithubTeamAuthorizer

       AUTH_TYPE = AUTH_OAUTH
       AUTH_ROLES_SYNC_AT_LOGIN = True
       AUTH_USER_REGISTRATION = True
       AUTH_USER_REGISTRATION_ROLE = "Admin"

       OAUTH_PROVIDERS = [
           {
               "name": "github",
               "icon": "fa-github",
               "token_key": "access_token",
               "remote_app": {
                   "client_id": "0***********",
                   "client_secret": "******************",
                   "api_base_url": "https://api.github.com",
                   "client_kwargs": {"scope": "read:user, read:org"},
                   "access_token_url": "https://github.com/login/oauth/access_token",
                   "authorize_url": "https://github.com/login/oauth/authorize",
                   "request_token_url": None,
               },
           },
       ]
   ```
   
   ### Anything else
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
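
Added example, not part of the original report or of Airflow's code: a simplified model of login-time role resolution applied to the settings in the report, next to a variant that sets `AUTH_ROLES_MAPPING` and a `Public` registration role. It assumes Flask-AppBuilder consults `role_keys` only when `AUTH_ROLES_MAPPING` is non-empty and always adds the registration role when registration is enabled; the team IDs, payloads and helper names are constructed.

```python
from typing import Dict, List, Set

# Constructed placeholders: the report redacts the real GitHub team IDs.
TEAM_A, TEAM_B = 900001, 800001
TEAM_ROLE_KEYS = {TEAM_A: "Admin", TEAM_B: "Viewer"}


def role_keys_for(team_payload: List[dict]) -> List[str]:
    """Team IDs -> role keys, as team_parser + map_roles do in the report."""
    ids = [team["id"] for team in team_payload]
    return sorted({TEAM_ROLE_KEYS.get(team_id, "Public") for team_id in ids})


def effective_roles(role_keys: List[str], roles_mapping: Dict[str, List[str]],
                    registration: bool, registration_role: str) -> Set[str]:
    """Simplified model of the role sync at login (assumption, not FAB code)."""
    roles: Set[str] = set()
    if roles_mapping:  # role_keys only count when a mapping is configured
        for key in role_keys:
            roles.update(roles_mapping.get(key, []))
    if registration:  # the registration role is added for every account
        roles.add(registration_role)
    return roles


# Constructed user/teams payloads for three accounts.
USERS = {
    "admin_user": [{"id": TEAM_A, "slug": "team-a"}],
    "viewer_user": [{"id": TEAM_B, "slug": "team-b"}],
    "outsider": [{"id": 123456, "slug": "unrelated"}],
}

# Settings as posted: no AUTH_ROLES_MAPPING, registration role "Admin".
POSTED = dict(roles_mapping={}, registration=True, registration_role="Admin")
# Variant: explicit mapping and a least-privileged registration role.
HARDENED = dict(
    roles_mapping={"Admin": ["Admin"], "Viewer": ["Viewer"], "Public": ["Public"]},
    registration=True, registration_role="Public",
)


def audit(config: dict) -> Dict[str, Set[str]]:
    """Effective roles per sample account under the given settings."""
    return {name: effective_roles(role_keys_for(payload), **config)
            for name, payload in USERS.items()}


if __name__ == "__main__":
    for label, config in (("posted", POSTED), ("hardened", HARDENED)):
        print(label, audit(config))
```

Under the posted settings the model gives every account `Admin`, so a mapping that does not apply fails open; with the variant, an account outside both teams ends up with `Public` only.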
