[
https://issues.apache.org/jira/browse/AIRFLOW-2321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16437789#comment-16437789
]
Joy Gao edited comment on AIRFLOW-2321 at 4/13/18 7:31 PM:
-----------------------------------------------------------
I replicated this issue you described above.
The work-around is:
(1) Clear the ab_user table
(2) Set the following config in webserver_config.py
{code:java}
AUTH_USER_REGISTRATION = True # Will allow user self registration
AUTH_USER_REGISTRATION_ROLE = "Admin" # The default user self registration
role{code}
(3) Register the admin user via the UI (do not use the `create_user` command)
(4) Change
{code:java}
AUTH_USER_REGISTRATION = False{code}
to prevent others from registering, or set
{code:java}
AUTH_USER_REGISTRATION_ROLE == "Viewer" # or User/Op{code}
to allow view-only self-registration.
The reason that this 'Invalid login. Please try again.' error appeared is
because the username is incorrect. Flask-Appbuilder generates its own username
during OAuth flow (For example, for Google OAuth, it would take "id" of the
user in the OAuth response, and prefix it with 'google_', so it would look
something like `google_<user_id>)
In the case where a user is created manually via `create_user` command, I'd
assume this username is different, so it fails to authenticate.
I don't have a good sense of how to retrieve this id other than through oauth
at this moment, so self-registration is the best flow.
was (Author: joygao):
I replicated this issue you described above.
The work-around is:
(1) Clear the ab_user table
(2) Set the following config in webserver_config.py
{code:java}
AUTH_USER_REGISTRATION = True # Will allow user self registration
AUTH_USER_REGISTRATION_ROLE = "Admin" # The default user self registration
role{code}
(3) Register the admin user via the UI (do not use the `create_admin` command)
(4) Change
{code:java}
AUTH_USER_REGISTRATION = False{code}
to prevent others from registering, or set
{code:java}
AUTH_USER_REGISTRATION_ROLE == "Viewer" # or User/Op{code}
to allow view-only self-registration.
The reason that this 'Invalid login. Please try again.' error appeared is
because the username is incorrect. Flask-Appbuilder generates its own username
during OAuth flow (For example, for Google OAuth, it would take "id" of the
user in the OAuth response, and prefix it with 'google_', so it would look
something like `google_<user_id>)
In the case where a user is created manually via `create_user` command, I'd
assume this username is different, so it fails to authenticate.
I don't have a good sense of how to retrieve this id other than through oauth
at this moment, so self-registration is the best flow.
> RBAC support from new UI's failing on OAuth authentication method
> -----------------------------------------------------------------
>
> Key: AIRFLOW-2321
> URL: https://issues.apache.org/jira/browse/AIRFLOW-2321
> Project: Apache Airflow
> Issue Type: Bug
> Components: authentication
> Reporter: Guillermo Rodríguez Cano
> Priority: Major
>
> I tried configuring the RBAC support for the new webserver UI as provided
> thanks to this [PR|https://github.com/apache/incubator-airflow/pull/3015]
> (solving AIRFLOW-1433 and AIRFLOW-85 issues) but I have encountered issues
> with OAuth as authentication method with Google as provider.
> I have no issues configuring the authentication details as pointed in the
> UPDATING document, but when I test a fresh installation I manage to get to
> the Google authentication webpage and on returning to Airflow's site I get
> the message: 'Invalid login. Please try again.' which I have traced it down
> to coming from
> [here|https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/views.py#L549].
> And as pointed it seems the user variable is None.
> I have tried to login using the standard DB authentication method without no
> problems. The same issue happens even when I tried registering a new user, or
> with that user registered via the DB authentication and then switching to
> OAUTH authentication method.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)