Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2022/07/26 13:06:47 UTC

[GitHub] [superset] nigzak commented on issue #19510: OAuth Login: user details are not synchronized, only the entitlements are synced on login

nigzak commented on issue #19510:
URL: https://github.com/apache/superset/issues/19510#issuecomment-1195459638

   Found a solution for this: an override in custom_sso_security_manager.py is required.
   
   In addition, this code has a modification for add_user (only adding a user if ANY relevant entitlement is available).
   
   In this example code, the user must have ANY role which contains "MY_ROLE" (refer to the matcher variable) to be added.
   
   - user is known => sync user details (+ email + username)
   - user is not known:
     a) has relevant entitlement => add him
     b) has no relevant entitlement => no adding
   
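   ```python
   import logging

   from superset.security import SupersetSecurityManager

   log = logging.getLogger(__name__)


   # Class name is an assumption; use the class that CUSTOM_SECURITY_MANAGER points to.
   class CustomSsoSecurityManager(SupersetSecurityManager):
   	def auth_user_oauth(self, userinfo):
   		log.debug('calling auth_user_oauth')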
   		try:
   			# CLONED ORIGIN FROM https://flask-appbuilder.readthedocs.io/en/latest/_modules/flask_appbuilder/security/manager.html
   
   			
   			if "username" in userinfo:
   				username = userinfo["username"]
   			elif "email" in userinfo:
   				username = userinfo["email"]
   			else:
   				log.error(
   						"OAUTH userinfo does not have username or email {0}".format(userinfo)
   				)
   				return None
   
   			# If username is empty, go away
   			if (username is None) or username == "":
   				return None
   
   			# Search the DB for this user
   			user = self.find_user(username=username)
   			
   			
   			log.debug(user)
   
   			# If user is not active, go away
   			if user and (not user.is_active):
   				return None
   
   			# If user is not registered, and not self-registration, go away
   			if (not user) and (not self.auth_user_registration):
   				return None
   
   			# Sync the user's roles
   			if user and self.auth_roles_sync_at_login:
   				user.roles = self._oauth_calculate_user_roles(userinfo)
   				log.debug(
   						"Calculated new roles for user='{0}' as: {1}".format(
   							username, user.roles
   						)
   				)
   
   
   			rolecheck = userinfo.get("role_keys")
   			matcher = "MY_ROLE"
   			
   
   			# If the user is new, register them
   			if (not user) and self.auth_user_registration:
   				# MANUALLY ADDED: add the user only if a relevant entitlement group is present
   				if rolecheck is None:
   					return None  # no role
   				
   				addAllowed = False
   				for r in rolecheck:
   					if matcher in r:
   						addAllowed = True
   						log.debug("adding allowed because of %s", r)
   				
   				log.debug(addAllowed)
   				
   				
   				if (addAllowed):
   					user = self.add_user(
   							username=username,
   							first_name=userinfo.get("first_name", ""),
   							last_name=userinfo.get("last_name", ""),
   							email=userinfo.get("email", "") or f"{username}@email.notfound",
   							role=self._oauth_calculate_user_roles(userinfo),
   					)
   					log.debug("New user registered: {0}".format(user))
   
   					# If user registration failed, go away
   					if not user:
   							log.error("Error creating a new OAuth user {0}".format(username))
   							return None
   			else:  # MANUALLY ADDED: sync data if already registered
   				log.debug("SYNCING USER")
   				# MANUALLY ADDED: sync data; keep the stored value when the provider
   				# omits a field, so None is never written to these columns
   				user.first_name = userinfo.get("first_name") or user.first_name
   				user.last_name = userinfo.get("last_name") or user.last_name
   				user.email = userinfo.get("email") or user.email
   
   			# LOGIN SUCCESS (only if user is now registered)
   			if user:
   				self.update_user_auth_stat(user)
   				return user
   			else:
   				return None
   		except ValueError as err:
   			logging.debug("ERROR CSOM")
   			logging.debug(err)
   			logging.debug(err.args)
   			raise
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
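
Added example, not part of nigzak's comment or the Superset code base: the register/sync decision described in the comment above, as a standalone Python sketch that can be unit-tested without Superset. The `User` dataclass and the function names `has_entitlement`, `decide` and `sync_details` are assumptions made for illustration; the sketch additionally handles `role_keys` arriving as a single string and keeps stored details when a claim is missing or empty.

```python
from dataclasses import dataclass
from typing import Optional

MATCHER = "MY_ROLE"  # same placeholder value the comment uses


@dataclass
class User:  # constructed stand-in for the Flask-AppBuilder user model
    username: str
    first_name: str = ""
    last_name: str = ""
    email: str = ""
    is_active: bool = True


def has_entitlement(userinfo: dict, matcher: str = MATCHER) -> bool:
    """True if any entry of userinfo['role_keys'] contains `matcher`."""
    keys = userinfo.get("role_keys")
    if keys is None:
        return False
    if isinstance(keys, str):  # a bare string would otherwise be iterated per character
        keys = [keys]
    return any(isinstance(k, str) and matcher in k for k in keys)


def decide(userinfo: dict, user: Optional[User], registration: bool = True) -> str:
    """Return 'deny', 'register' or 'sync' for one OAuth login."""
    username = userinfo["username"] if "username" in userinfo else userinfo.get("email")
    if not username:
        return "deny"
    if user is not None:  # known user: sync unless deactivated
        return "sync" if user.is_active else "deny"
    if not registration:  # unknown user and self-registration is off
        return "deny"
    return "register" if has_entitlement(userinfo) else "deny"


def sync_details(user: User, userinfo: dict) -> User:
    """Copy provider claims onto the user; an absent or empty claim keeps the stored value."""
    for field in ("first_name", "last_name", "email"):
        value = userinfo.get(field)
        if value:
            setattr(user, field, value)
    return user
```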
