skuchipu opened a new issue, #32612:
URL: https://github.com/apache/superset/issues/32612

   ### Bug description
   
   We are trying to have Superset SSO configured with Azure SSO and use role mapping to filter Superset roles.
   With the configuration below, even though I'm a member of the Admin Azure group, I'm being logged in as a Public user; it's not honoring the Azure role mapping from groups.
   
   **Configuration below**
   ```python
   import os
   import logging
   from flask_caching.backends.rediscache import RedisCache
   from flask_appbuilder.security.manager import AUTH_OAUTH
   from superset.security import SupersetSecurityManager
   logger = logging.getLogger("azure_ad")

   class CustomSecurityManager(SupersetSecurityManager):
       def oauth_user_info(self, provider, response=None):
           if provider == 'azure':
               # Fetch user information from Azure AD
               me = self.appbuilder.sm.oauth_remotes[provider].get('me').json()
               logging.info(f"OAuth user info: {me}")

               # Example structure of 'me' might include 'groups' or 'groupMembershipClaims'
               # Ensure your Azure AD app is configured to return group claims
               groups = me.get('groups', [])

               # Define a mapping from Azure AD groups to Superset roles
               group_role_map = {
                   'YYYYYYYYYYYYYYYYYYYYYYY': 'Admin',
                   'XXXXXXXXXXXXXXXXXXXXX': 'Alpha',
                   # Add more mappings as needed
               }

               # Determine the Superset role based on Azure AD group membership
               user_roles = []
               for group in groups:
                   if group in group_role_map:
                       user_roles.append(group_role_map[group])

               # Return user information including roles
               return {
                   'username': me['userPrincipalName'],
                   'first_name': me['givenName'],
                   'last_name': me['surname'],
                   'email': me['mail'],
                   'role_keys': user_roles,  # Assign roles based on group membership
               }

   AUTH_TYPE = AUTH_OAUTH
   OAUTH_PROVIDERS = [
       {
           "name": "azure",
           "icon": "fa-windows",
           "token_key": "access_token",
           "remote_app": {
               "client_id": "djsfdlksdhfdajkhdsfoifnd",
               "client_secret": "klfhdnxcvklncxkfjhdsmlxcvl",
               "api_base_url": "https://login.microsoftonline.com/kfhds;lkfsdnc,mxzznckdjflhdsfn/oauth2",
               "client_kwargs": {"scope": "email profile User.Read openid groups GroupMember.Read.All"},
               "request_token_url": None,
               "access_token_url": "https://login.microsoftonline.com/kfhds;lkfsdnc,mxzznckdjflhdsfn/oauth2/token",
               "authorize_url": "https://login.microsoftonline.com/kfhds;lkfsdnc,mxzznckdjflhdsfn/oauth2/authorize",
               "jwks_uri": 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
               "redirect_url": 'https://dashboard.net/oauth-authorized/azure'
           }
       }
   ]

   CUSTOM_SECURITY_MANAGER = SupersetSecurityManager

   AUTH_USER_REGISTRATION = True
   AUTH_USER_REGISTRATION_ROLE = "Public"
   AUTH_ROLES_SYNC_AT_LOGIN = True
   ENABLE_PROXY_FIX = True
   AUTH_ROLES_MAPPING = {
       "YYYYYYYYYYYYYYYYYYYYY": ["Admin"],
       "XXXXXXXXXXXXXXXXXXXX": ["Alpha"]
   }
   SUPERSET_WEBSERVER_PROTOCOL = "https"
   SUPERSET_WEBSERVER_HOST = "[dashboard.net]"

   # featureFlags
   FEATURE_FLAGS = {
       "ALERT_REPORTS": True,
       "OMNIBAR": True,
       "DASHBOARD_NATIVE_FILTERS": True,
       "ROW_LEVEL_SECURITY": True,
       "DASHBOARD_RBAC": True,
   }

   # secret
   SECRET_KEY = "sklhsdfkl;dhjpoiurjelkdfhnsdlk;fsdjfds"
   ```
   
   
   
   
   ### Screenshots/recordings
   
   _No response_
   
   ### Superset version
   
   4.1.1
   
   ### Python version
   
   3.9
   
   ### Node version
   
   16
   
   ### Browser
   
   Chrome
   
   ### Additional context
   
   _No response_
   
   ### Checklist
   
   - [x] I have searched Superset docs and Slack and didn't find a solution to 
my problem.
   - [x] I have searched the GitHub issue tracker and didn't find a similar bug 
report.
   - [ ] I have checked Superset's logs for errors and if I found a relevant 
Python stacktrace, I included it here as text in the "additional context" 
section.
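
Added example, not part of the original report and not Superset or Flask-AppBuilder code: a simplified model of how `role_keys` returned by an OAuth user-info callback are resolved against `AUTH_ROLES_MAPPING`, run over the three callback shapes relevant to the configuration above. The resolution rule is an assumption about Flask-AppBuilder's behaviour (keys are looked up in the mapping, then `AUTH_USER_REGISTRATION_ROLE` is added), and the group IDs, function names and the `roles` claim are constructed for illustration.

```python
# Simplified model (an assumption, not Flask-AppBuilder's code) of OAuth role
# resolution: role_keys from the user-info callback are looked up as KEYS of
# AUTH_ROLES_MAPPING, then the registration role is added.
# All group IDs below are constructed placeholders.
ADMIN_GROUP = "00000000-0000-0000-0000-00000000aaaa"
ALPHA_GROUP = "00000000-0000-0000-0000-00000000bbbb"

AUTH_ROLES_MAPPING = {ADMIN_GROUP: ["Admin"], ALPHA_GROUP: ["Alpha"]}
AUTH_USER_REGISTRATION_ROLE = "Public"


def resolve_roles(role_keys, mapping=AUTH_ROLES_MAPPING,
                  registration_role=AUTH_USER_REGISTRATION_ROLE):
    """Return the sorted role names a login would end up with."""
    roles = set()
    for key in role_keys:
        roles.update(mapping.get(key, []))  # unknown keys contribute nothing
    if registration_role:
        roles.add(registration_role)
    return sorted(roles)


def user_info_premapped(claims):
    """Mirrors the callback in the report: groups are translated to role
    names first, so role_keys no longer match any mapping key."""
    group_role_map = {ADMIN_GROUP: "Admin", ALPHA_GROUP: "Alpha"}
    return {"role_keys": [group_role_map[g] for g in claims.get("groups", [])
                          if g in group_role_map]}


def user_info_raw_groups(claims):
    """Pass the group IDs through unchanged and let the mapping translate."""
    return {"role_keys": list(claims.get("groups", []))}


def user_info_without_groups(claims):
    """A callback that never reads 'groups' (for instance when the custom
    class is not the one registered), modelled as reading 'roles' only."""
    return {"role_keys": list(claims.get("roles", []))}


if __name__ == "__main__":
    claims = {"groups": [ADMIN_GROUP]}  # constructed sample claims
    for fn in (user_info_premapped, user_info_raw_groups,
               user_info_without_groups):
        print(fn.__name__, resolve_roles(fn(claims)["role_keys"]))
```

Under this model only the callback that returns the raw group IDs resolves to `Admin`; the other two leave the user with the registration role alone.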

