Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/03/31 15:58:25 UTC
[GitHub] [airflow] sergiocorona opened a new issue #22655: Github OAuth issue Error authorizing OAuth access token
sergiocorona opened a new issue #22655:
URL: https://github.com/apache/airflow/issues/22655
### Apache Airflow version
2.2.4 (latest released)
### What happened
I am currently on version 2.1.2. I am using the Github OAuth feature to grant access to my webserver and everything is working fine. When I upgraded to version 2.2.4, I started getting the following error:
[2022-03-31 15:24:20,511] {views.py:666} ERROR - Error authorizing OAuth access token: maximum recursion depth exceeded while calling a Python object
And from the GUI, this message is displayed: The request to sign in was denied.
### What you think should happen instead
I should be redirected to the DAG home page on Airflow.
I was following this documentation: https://airflow.apache.org/docs/apache-airflow/stable/security/webserver.html?highlight=webserver
### How to reproduce
_No response_
### Operating System
NAME="Alpine Linux" ID=alpine VERSION_ID=3.14.5 PRETTY_NAME="Alpine Linux v3.14" HOME_URL="https://alpinelinux.org/" BUG_REPORT_URL="https://bugs.alpinelinux.org/"
### Versions of Apache Airflow Providers
apache-airflow-providers-amazon==3.0.0
apache-airflow-providers-celery==2.1.0
apache-airflow-providers-cncf-kubernetes==3.0.2
apache-airflow-providers-databricks==2.2.0
apache-airflow-providers-ftp==2.0.1
apache-airflow-providers-http==2.0.3
apache-airflow-providers-imap==2.2.0
apache-airflow-providers-microsoft-mssql==2.1.0
apache-airflow-providers-postgres==3.0.0
apache-airflow-providers-redis==2.0.1
apache-airflow-providers-sftp==2.4.1
apache-airflow-providers-sqlite==2.1.0
apache-airflow-providers-ssh==2.4.0
### Deployment
Virtualenv installation
### Deployment details
This is the webserver_config.py file that I am using
```python
import os
from flask_appbuilder.security.manager import AUTH_OAUTH
from airflow.www.security import AirflowSecurityManager
import logging
from typing import Dict, Any, List, Union

log = logging.getLogger(__name__)
log.setLevel(os.getenv("AIRFLOW__LOGGING__FAB_LOGGING_LEVEL", "INFO"))

DWNAM_ORG_ID = 111
DEVOPS_TEAM_ID = 222
DEVS_TEAM_ID = 333
OPS_TEAM_ID = 444
FAB_PUBLIC_ROLE = "Public"
GIT_URL = 'https://github.[company].com/api/v3/'

AUTH_TYPE = AUTH_OAUTH
# Replace users database roles each login with those received from OAUTH/LDAP
AUTH_ROLES_SYNC_AT_LOGIN = True
AUTH_USER_REGISTRATION = (
    True  # allow users who are not already in the FAB DB to register
)

# A mapping from LDAP/OAUTH group names to FAB roles
AUTH_ROLES_MAPPING = {
    # Github Enterprise Group to Airflow Role Mapping
    'devops': ['Admin'],
    'ops': ['Op'],
    'devs': ['User'],
}

OAUTH_PROVIDERS = [
    {
        'name': 'github',
        'token_key': 'access_token',
        'icon': 'fa-github',
        'remote_app': {
            'api_base_url': 'https://github.[company].com/api/v3/users',
            'client_kwargs': {"scope": "read:user, read:org"},
            'access_token_url': 'https://github.[company].com/login/oauth/access_token',
            'authorize_url': 'https://github.[company].com/login/oauth/authorize',
            'request_token_url': None,
            'client_id': os.environ['CLIENT_ID'],
            'client_secret': os.environ['CLIENT_SECRET'],
        },
    }
]


def team_parser(team_payload: Dict[str, Any]) -> List[int]:
    # Parse the team payload from Github however you want here.
    return [team["id"] for team in team_payload]


def map_roles(team_list: List[int]) -> List[str]:
    # Associate the team IDs with Roles here.
    # The expected output is a list of roles that FAB will use to Authorize the user.
    team_role_map = {
        DEVOPS_TEAM_ID: "Admin",
        DEVS_TEAM_ID: "User",
        OPS_TEAM_ID: "Op",
    }
    return list(set(team_role_map.get(team, FAB_PUBLIC_ROLE) for team in team_list))


class GithubTeamAuthorizer(AirflowSecurityManager):
    # In this example, the oauth provider == 'github'.
    # If you ever want to support other providers, see how it is done here:
    # https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/manager.py#L550
    def get_oauth_user_info(
        self, provider: str, resp: Any
    ) -> Dict[str, Union[str, List[str]]]:
        # Creates the user info payload from Github.
        # The user previously allowed your app to act on their behalf,
        # so now we can query the user and teams endpoints for their data.
        # Username and team membership are added to the payload and returned to FAB.
        remote_app = self.appbuilder.sm.oauth_remotes[provider]
        me = remote_app.get("user")
        user_data = me.json()
        team_data = remote_app.get("user/teams")
        teams = team_parser(team_data.json())
        roles = map_roles(teams)
        log.debug(
            f"User info from Github: {user_data}\n" f"Team info from Github: {teams}"
        )
        return {"username": "github_" + user_data.get("login"), "role_keys": roles}


SECURITY_MANAGER_CLASS = GithubTeamAuthorizer
```
### Anything else
This issue is always happening to me on version 2.2.4
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
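Added example, not part of the original issue and not Airflow or Flask-AppBuilder code: an offline check of how the role_keys produced by the posted map_roles() line up with the keys of the posted AUTH_ROLES_MAPPING. resolve_roles(), unmapped_keys(), ROLE_KEYED_MAPPING and the sample team list are hypothetical names and constructed values; the lookup is a simplified model that assumes role keys are matched against the mapping's keys, as the config's own comment describes. It covers role resolution only, not the recursion error in the log.

```python
from typing import Dict, List, Set

# Values copied from the webserver_config.py posted in the issue.
AUTH_ROLES_MAPPING: Dict[str, List[str]] = {
    "devops": ["Admin"],
    "ops": ["Op"],
    "devs": ["User"],
}
TEAM_ROLE_MAP = {222: "Admin", 333: "User", 444: "Op"}  # DEVOPS, DEVS, OPS team IDs
FAB_PUBLIC_ROLE = "Public"


def map_roles(team_list: List[int]) -> List[str]:
    """Same logic as map_roles() in the posted config (sorted for stable output)."""
    return sorted({TEAM_ROLE_MAP.get(team, FAB_PUBLIC_ROLE) for team in team_list})


def resolve_roles(role_keys: List[str], mapping: Dict[str, List[str]]) -> Set[str]:
    """Hypothetical, simplified model of the mapping lookup (an assumption):
    a role key contributes roles only if it is itself a key of the mapping."""
    resolved: Set[str] = set()
    for key, fab_roles in mapping.items():
        if key in role_keys:
            resolved.update(fab_roles)
    return resolved


def unmapped_keys(role_keys: List[str], mapping: Dict[str, List[str]]) -> List[str]:
    """Role keys that the mapping silently ignores."""
    return sorted(key for key in role_keys if key not in mapping)


# Constructed sample: a user in the devops team (222) and an unlisted team (999).
SAMPLE_TEAMS = [222, 999]
# A mapping keyed on the values map_roles() emits (hypothetical alternative).
ROLE_KEYED_MAPPING = {name: [name] for name in ("Admin", "Op", "User", "Public")}

if __name__ == "__main__":
    keys = map_roles(SAMPLE_TEAMS)
    print("role_keys:", keys)
    print("posted mapping resolves to:", resolve_roles(keys, AUTH_ROLES_MAPPING))
    print("ignored keys:", unmapped_keys(keys, AUTH_ROLES_MAPPING))
    print("role-keyed mapping resolves to:", resolve_roles(keys, ROLE_KEYED_MAPPING))
```

With the posted values, map_roles() emits role names while the mapping is keyed on group names, so under this model no role key resolves, and membership in any unlisted team also adds "Public" to the keys.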
[GitHub] [airflow] boring-cyborg[bot] commented on issue #22655: Github OAuth issue Error authorizing OAuth access token
Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #22655:
URL: https://github.com/apache/airflow/issues/22655#issuecomment-1084782610
Thanks for opening your first issue here! Be sure to follow the issue template!
[GitHub] [airflow] potiuk commented on issue #22655: Github OAuth issue Error authorizing OAuth access token
Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #22655:
URL: https://github.com/apache/airflow/issues/22655#issuecomment-1084940142
I believe you need to review the Flask App Builder configuration https://flask-appbuilder.readthedocs.io/en/latest/security.html?highlight=oauth#authentication-oauth and I believe it has something to do with not defined access for default role when the user is created.
I convert it to discussion as this is more of a FAB configuration issue than Airflow - and you can open an issue to FAB if you are unclear how to fix it. https://github.com/dpgaspar/Flask-AppBuilder