GitHub user bun-paul-kwon closed a discussion: How to assign Admin/User roles based on email with Google OAuth2?

Hello Airflow community,

We are currently using AWS MWAA (Celery Executor) and considering migrating to Airflow 3.0.2 on Kubernetes (AWS EKS).

- Image: apache/airflow:3.0.2
- Helm chart: [airflow 1.18.0](https://airflow.apache.org/docs/helm-chart/stable/index.html)

We are integrating Google OAuth2 for authentication and authorization. We've configured our `webserver_config.py` via the `apiServer.apiServerConfig` in the Helm `values.yaml` as follows:

```yaml
apiServer:
    apiServerConfig: |
        from flask_appbuilder.security.manager import AUTH_OAUTH

        AUTH_TYPE = AUTH_OAUTH
        CSRF_ENABLED = True
        AUTH_USER_REGISTRATION = True
        AUTH_USER_REGISTRATION_ROLE = "User"
        AUTH_ROLES_SYNC_AT_LOGIN = False
        OAUTH_PROVIDERS = [
            {
                'name': 'google',
                'token_key': 'access_token',
                'icon': 'fa-google',
                'remote_app': {
                    'api_base_url': 'https://www.googleapis.com/oauth2/v2/',
                    'client_kwargs': {'scope': 'email profile'},
                    'access_token_url': 'https://accounts.google.com/o/oauth2/token',
                    'authorize_url': 'https://accounts.google.com/o/oauth2/auth',
                    'request_token_url': None,
                    'client_id': '<MY_CLIENT_ID>',
                    'client_secret': '<MY_CLIENT_SECRET>'
                }
            }
        ]
```

Login with Google accounts is working correctly. However, because `AUTH_USER_REGISTRATION_ROLE = "User"`, every new user is automatically mapped to the "User" role.

Our goal is to have specific accounts (e.g., `[email protected]`) automatically mapped to the **Admin** role upon login, while all others default to "User".

We found a workaround by manually updating the `role_id` in the `ab_user_role` table in the metadata database for the specific user. This works, but we are unsure if this is the best practice for managing Admin accounts.

What is the recommended approach for managing Admin vs. general User roles when using OAuth2? Is there a configuration setting or a specific method (perhaps custom logic in `webserver_config.py`?) we should be using to assign roles based on the user's email address?

Thank you 🙏

GitHub link: https://github.com/apache/airflow/discussions/57527
