Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2019/02/19 18:28:31 UTC
[GitHub] dukemike opened a new issue #6915: OAuth2: Access is Denied for: can_csrf_token on: Superset
URL: https://github.com/apache/incubator-superset/issues/6915
Make sure these boxes are checked before submitting your issue - thank you!
- [X] I have checked the superset logs for python stacktraces and included it here as text if there are any.
- [X] I have reproduced the issue with at least the latest released version of superset.
- [X] I have checked the issue tracker for the same issue and I haven't found one similar.
### Superset version
0.28.1
### Expected results
User able to authenticate using OAuth2 credentials.
### Actual results
User receives 'You are not authorized' message.
### Steps to reproduce
Using [Superset install with Docker](https://superset.incubator.apache.org/installation.html#start-with-docker), configure `superset_config.py` as described in [Custom OAuth2 configuration](https://superset.incubator.apache.org/installation.html#custom-oauth2-configuration). For example,
```
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
import os


def get_env_variable(var_name, default=None):
    """Get the environment variable or raise exception."""
    try:
        return os.environ[var_name]
    except KeyError:
        if default is not None:
            return default
        else:
            error_msg = 'The environment variable {} was missing, abort...'\
                .format(var_name)
            raise EnvironmentError(error_msg)


POSTGRES_USER = get_env_variable('POSTGRES_USER')
POSTGRES_PASSWORD = get_env_variable('POSTGRES_PASSWORD')
POSTGRES_HOST = get_env_variable('POSTGRES_HOST')
POSTGRES_PORT = get_env_variable('POSTGRES_PORT')
POSTGRES_DB = get_env_variable('POSTGRES_DB')

# The SQLAlchemy connection string.
SQLALCHEMY_DATABASE_URI = 'postgresql://%s:%s@%s:%s/%s' % (POSTGRES_USER,
                                                           POSTGRES_PASSWORD,
                                                           POSTGRES_HOST,
                                                           POSTGRES_PORT,
                                                           POSTGRES_DB)

REDIS_HOST = get_env_variable('REDIS_HOST')
REDIS_PORT = get_env_variable('REDIS_PORT')


class CeleryConfig(object):
    BROKER_URL = 'redis://%s:%s/0' % (REDIS_HOST, REDIS_PORT)
    CELERY_IMPORTS = ('superset.sql_lab', )
    CELERY_RESULT_BACKEND = 'redis://%s:%s/1' % (REDIS_HOST, REDIS_PORT)
    CELERY_ANNOTATIONS = {'tasks.add': {'rate_limit': '10/s'}}
    CELERY_TASK_PROTOCOL = 1


CELERY_CONFIG = CeleryConfig

# local configurations
LOG_LEVEL = 'DEBUG'
SILENCE_FAB = False
ENABLE_CORS = True
HTTP_HEADERS = { }

# Flask-WTF flag for CSRF
WTF_CSRF_ENABLED = False  # This is bad, but I've tried turning it off to no avail
# Add endpoints that need to be exempt from CSRF protection
WTF_CSRF_EXEMPT_LIST = ['login', 'superset.csrf_token',]
# A CSRF token that expires in 1 year
WTF_CSRF_TIME_LIMIT = 60 * 60 * 24 * 365

from flask_appbuilder.security.manager import AUTH_OAUTH
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_ROLE_PUBLIC = 'Public'
AUTH_USER_REGISTRATION_ROLE = 'Public'

OAUTH_PROVIDERS = [
    {
        # DEFINE PROVIDER HERE
    }
]

import logging
from superset.security import SupersetSecurityManager


class CustomSsoSecurityManager(SupersetSecurityManager):

    def oauth_user_info(self, provider, response=None):
        logging.debug("getting user info for Oauth2 provider: {0}.".format(provider))
        if provider == 'mitreid':
            me = self.appbuilder.sm.oauth_remotes[provider].get('userinfo').data
            logging.debug("user_data: {0}".format(me))
            if me:
                return {
                    'email': me.get('email'),
                    'first_name': me.get('given_name'),
                    'last_name': me.get('family_name')
                }


CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
```
When attempting to register, the logs yield:
```
superset_1 | 2019-02-19 18:12:35,681:DEBUG:flask_appbuilder.security.views:Provider: mitreid
superset_1 | 2019-02-19 18:12:35,682:DEBUG:flask_appbuilder.security.views:Going to call authorize for: mitreid
superset_1 | 2019-02-19 18:12:35,682:DEBUG:flask_appbuilder.security.views:Login to Register
superset_1 | 172.22.0.1 - - [19/Feb/2019 18:12:35] "GET /login/mitreid/register HTTP/1.1" 302 -
superset_1 | 2019-02-19 18:12:35,684:INFO:werkzeug:172.22.0.1 - - [19/Feb/2019 18:12:35] "GET /login/mitreid/register HTTP/1.1" 302 -
superset_1 | 127.0.0.1 - - [19/Feb/2019 18:12:39] "GET /health HTTP/1.1" 200 -
superset_1 | 2019-02-19 18:12:39,961:INFO:werkzeug:127.0.0.1 - - [19/Feb/2019 18:12:39] "GET /health HTTP/1.1" 200 -
superset_1 | 2019-02-19 18:12:45,428:DEBUG:flask_appbuilder.security.views:Authorized init
superset_1 | 2019-02-19 18:12:45,429:DEBUG:flask_oauthlib:Prepare oauth2 remote args {'code': 'SNIP', 'client_secret': 'SNIP', 'redirect_uri': 'http://localhost:8088/oauth-authorized/mitreid'}
superset_1 | 2019-02-19 18:12:45,431:DEBUG:flask_oauthlib:Request 'https://oauth.mitreid.mydomain/oidc/token' with 'POST' method
superset_1 | 2019-02-19 18:12:45,864:DEBUG:flask_appbuilder.security.views:OAUTH Authorized resp: {'access_token': 'SNIP', 'token_type': 'Bearer', 'expires_in': 3599, 'scope': 'openid email profile', 'id_token': 'SNIP'}
superset_1 | 2019-02-19 18:12:45,864:DEBUG:root:getting user info for Oauth2 provider: mitreid.
superset_1 | 2019-02-19 18:12:45,864:DEBUG:flask_appbuilder.security.manager:Token Get: ('SNIP', '')
superset_1 | 2019-02-19 18:12:45,865:DEBUG:flask_oauthlib:Request 'https://oauth.mitreid.mydomain/oidc/userinfo' with 'GET' method
superset_1 | 2019-02-19 18:12:46,134:DEBUG:root:user_data: { SNIP }
superset_1 | 2019-02-19 18:12:46,134:DEBUG:flask_appbuilder.security.views:User info retrieved from mitreid: {'email': 'SNIP', 'first_name': 'SNIP', 'last_name': 'SNIP'}
superset_1 | 172.22.0.1 - - [19/Feb/2019 18:12:46] "GET /oauth-authorized/mitreid?code=SNIP HTTP/1.1" 302 -
superset_1 | 2019-02-19 18:12:46,138:INFO:werkzeug:172.22.0.1 - - [19/Feb/2019 18:12:46] "GET /oauth-authorized/mitreid?code=SNIP HTTP/1.1" 302 -
superset_1 | 172.22.0.1 - - [19/Feb/2019 18:12:46] "GET /login HTTP/1.1" 301 -
superset_1 | 2019-02-19 18:12:46,150:INFO:werkzeug:172.22.0.1 - - [19/Feb/2019 18:12:46] "GET /login HTTP/1.1" 301 -
superset_1 | 2019-02-19 18:12:46,158:DEBUG:flask_appbuilder.security.views:Provider: None
superset_1 | 172.22.0.1 - - [19/Feb/2019 18:12:46] "GET /login/ HTTP/1.1" 200 -
superset_1 | 2019-02-19 18:12:46,201:INFO:werkzeug:172.22.0.1 - - [19/Feb/2019 18:12:46] "GET /login/ HTTP/1.1" 200 -
superset_1 | 2019-02-19 18:12:46,385:WARNING:flask_appbuilder.security.decorators:Access is Denied for: can_csrf_token on: Superset
superset_1 | 172.22.0.1 - - [19/Feb/2019 18:12:46] "GET /superset/csrf_token/ HTTP/1.1" 401 -
superset_1 | 2019-02-19 18:12:46,402:INFO:werkzeug:172.22.0.1 - - [19/Feb/2019 18:12:46] "GET /superset/csrf_token/ HTTP/1.1" 401 -
```
Any ideas?
Thanks -- Mike
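The log above shows the two lines that matter for triage sitting next to each other: a Flask-AppBuilder `has_access` warning naming the permission-view pair that was refused (`can_csrf_token` on `Superset`) and, a few milliseconds later, the werkzeug request line for `/superset/csrf_token/` returning 401. The following script is an added example for working such logs, not code from the issue or from the Superset project: it parses the FAB denial warnings and the werkzeug request lines, pairs each denial with the 401/403 request that follows it, and reports which permission the caller's roles are missing. The sample log is excerpted from the post (with the author's `SNIP` redactions left in place); the regexes, class and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: excerpted from the log in the issue report above.
SAMPLE_LOG = """\
superset_1 | 2019-02-19 18:12:46,158:DEBUG:flask_appbuilder.security.views:Provider: None
superset_1 | 172.22.0.1 - - [19/Feb/2019 18:12:46] "GET /login/ HTTP/1.1" 200 -
superset_1 | 2019-02-19 18:12:46,201:INFO:werkzeug:172.22.0.1 - - [19/Feb/2019 18:12:46] "GET /login/ HTTP/1.1" 200 -
superset_1 | 2019-02-19 18:12:46,385:WARNING:flask_appbuilder.security.decorators:Access is Denied for: can_csrf_token on: Superset
superset_1 | 172.22.0.1 - - [19/Feb/2019 18:12:46] "GET /superset/csrf_token/ HTTP/1.1" 401 -
superset_1 | 2019-02-19 18:12:46,402:INFO:werkzeug:172.22.0.1 - - [19/Feb/2019 18:12:46] "GET /superset/csrf_token/ HTTP/1.1" 401 -
"""

# Optional docker-compose prefix ("superset_1 | ") followed by the Python logging timestamp.
_PREFIX = r'^(?:\S+\s+\|\s+)?(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}):'

# FAB's has_access decorator logs exactly this shape when a permission-view is missing.
DENIED_RE = re.compile(
    _PREFIX + r'WARNING:flask_appbuilder\.security\.decorators:'
    r'Access is Denied for: (?P<perm>\S+) on: (?P<view>\S+)\s*$'
)

# Only the INFO:werkzeug copy of each request is matched; the bare access-log
# duplicate (no timestamp/level) is skipped so each request is counted once.
REQUEST_RE = re.compile(
    _PREFIX + r'INFO:werkzeug:(?P<ip>\S+) - - \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) -'
)


@dataclass
class PermissionDenial:
    """One FAB access denial, optionally paired with the HTTP request it rejected."""
    timestamp: str
    permission: str
    view: str
    path: Optional[str] = None
    status: Optional[int] = None
    client_ip: Optional[str] = None


def correlate_denials(log_text: str) -> List[PermissionDenial]:
    """Pair each 'Access is Denied' warning with the next 401/403 request line."""
    denials: List[PermissionDenial] = []
    pending: Optional[PermissionDenial] = None
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            pending = PermissionDenial(m['ts'], m['perm'], m['view'])
            denials.append(pending)
            continue
        m = REQUEST_RE.match(line)
        if m and pending is not None:
            status = int(m['status'])
            # The request logged right after the warning is the one it refused;
            # anything other than 401/403 means the denial belongs elsewhere.
            if status in (401, 403):
                pending.path = m['path']
                pending.status = status
                pending.client_ip = m['ip']
            pending = None
    return denials


def summarize(denials: List[PermissionDenial]) -> List[str]:
    """Human-readable lines: which permission-view the caller's roles lack, and for which request."""
    out = []
    for d in denials:
        where = (f"{d.path} -> {d.status} from {d.client_ip}"
                 if d.path else "no matching 401/403 request found")
        out.append(f"{d.timestamp}: roles lack permission '{d.permission}' "
                   f"on view '{d.view}' ({where})")
    return out


if __name__ == '__main__':
    for line in summarize(correlate_denials(SAMPLE_LOG)):
        print(line)
```

Pointing the script at a full container log (`docker-compose logs superset | python3 this_script.py`-style, after replacing `SAMPLE_LOG` with `sys.stdin.read()`) turns a stream of DEBUG noise into one line per missing permission-view, which is the information needed to compare against the role that `AUTH_USER_REGISTRATION_ROLE` assigns to newly registered OAuth users.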