[ 
https://issues.apache.org/jira/browse/AIRFLOW-2321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16437789#comment-16437789
 ] 

Joy Gao edited comment on AIRFLOW-2321 at 4/13/18 7:31 PM:
-----------------------------------------------------------

I replicated this issue you described above.

The work-around is:

(1) Clear the ab_user table 

(2) Set the following config in webserver_config.py
{code:java}
AUTH_USER_REGISTRATION = True  # Will allow user self registration
AUTH_USER_REGISTRATION_ROLE = "Admin"  # The default user self registration 
role{code}
 

(3) Register the admin user via the UI (do not use the `create_user` command)

(4) Change
{code:java}
AUTH_USER_REGISTRATION = False{code}
to prevent others from registering, or set 
{code:java}
AUTH_USER_REGISTRATION_ROLE == "Viewer"  # or User/Op{code}
to allow view-only self-registration. 

 

The reason that this 'Invalid login. Please try again.' error appeared is 
because the username is incorrect. Flask-Appbuilder generates its own username 
during OAuth flow (For example, for Google OAuth, it would take "id" of the 
user in the OAuth response, and prefix it with 'google_', so it would look 
something like `google_<user_id>)

In the case where a user is created manually via `create_user` command, I'd 
assume this username is different, so it fails to authenticate.

I don't have a good sense of how to retrieve this id other than through oauth 
at this moment, so self-registration is the best flow.


was (Author: joygao):
I replicated this issue you described above.

The work-around is:

(1) Clear the ab_user table 

(2) Set the following config in webserver_config.py
{code:java}
AUTH_USER_REGISTRATION = True  # Will allow user self registration
AUTH_USER_REGISTRATION_ROLE = "Admin"  # The default user self registration 
role{code}
 

(3) Register the admin user via the UI (do not use the `create_admin` command)

(4) Change
{code:java}
AUTH_USER_REGISTRATION = False{code}
to prevent others from registering, or set 
{code:java}
AUTH_USER_REGISTRATION_ROLE == "Viewer"  # or User/Op{code}
to allow view-only self-registration. 

 

The reason that this 'Invalid login. Please try again.' error appeared is 
because the username is incorrect. Flask-Appbuilder generates its own username 
during OAuth flow (For example, for Google OAuth, it would take "id" of the 
user in the OAuth response, and prefix it with 'google_', so it would look 
something like `google_<user_id>)

In the case where a user is created manually via `create_user` command, I'd 
assume this username is different, so it fails to authenticate.

I don't have a good sense of how to retrieve this id other than through oauth 
at this moment, so self-registration is the best flow.

> RBAC support from new UI's failing on OAuth authentication method
> -----------------------------------------------------------------
>
>                 Key: AIRFLOW-2321
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2321
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: authentication
>            Reporter: Guillermo Rodríguez Cano
>            Priority: Major
>
> I tried configuring the RBAC support for the new webserver UI as provided 
> thanks to this [PR|https://github.com/apache/incubator-airflow/pull/3015] 
> (solving AIRFLOW-1433 and AIRFLOW-85 issues) but I have encountered issues 
> with OAuth as authentication method with Google as provider.
> I have no issues configuring the authentication details as pointed in the 
> UPDATING document, but when I test a fresh installation I manage to get to 
> the Google authentication webpage and on returning to Airflow's site I get 
> the message: 'Invalid login. Please try again.' which I have traced it down 
> to coming from 
> [here|https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/views.py#L549].
> And as pointed it seems the user variable is None.
> I have tried to login using the standard DB authentication method without no 
> problems. The same issue happens even when I tried registering a new user, or 
> with that user registered via the DB authentication and then switching to 
> OAUTH authentication method.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to