Posted to commits@airflow.apache.org by "Andrew Stahlman (JIRA)" <ji...@apache.org> on 2019/01/20 01:55:00 UTC

[jira] [Commented] (AIRFLOW-2321) RBAC support from new UI's failing on OAuth authentication method

    [ https://issues.apache.org/jira/browse/AIRFLOW-2321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16747315#comment-16747315 ] 

Andrew Stahlman commented on AIRFLOW-2321:
------------------------------------------

[~joygao] thanks for posting that workaround - it saved me after an hour of banging my head against the wall. Do you know of a good place to document this? Maybe [here|https://github.com/apache/airflow/blob/master/UPDATING.md#creating-an-admin-account]?

Here's the behavior I was seeing, in case anyone else runs into the same issue:
 * {{ab_user}} table has a single admin user which was created via {{airflow users --create}}
 * {{AUTH_TYPE = AUTH_OAUTH}} in {{webserver_config.py}} using Google as the provider
 * Visit /home, which redirects to /login
 * Sign in with Google, which produces the following redirect loop:
 ** /login/google
 ** https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<CLIENT-ID>&redirect_uri=<LOCAL-ENDPOINT>%2Foauth-authorized%2Fgoogle&scope=email+profile
 ** /oauth-authorized/google?code=<TOKEN>&scope=email+profile+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile
 ** login
 ** login/

I *think* this is because my user-id that Google posted to {{/oauth-authorized/google}} doesn't exist in the {{ab_users}} table. Hence the workaround of allowing users to self-register, which puts that user-id in the {{ab_users}} table. Sound right?

> RBAC support from new UI's failing on OAuth authentication method
> -----------------------------------------------------------------
>
>                 Key: AIRFLOW-2321
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2321
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: authentication
>            Reporter: Guillermo Rodríguez Cano
>            Priority: Major
>
> I tried configuring the RBAC support for the new webserver UI as provided thanks to this [PR|https://github.com/apache/incubator-airflow/pull/3015] (solving AIRFLOW-1433 and AIRFLOW-85 issues) but I have encountered issues with OAuth as authentication method with Google as provider.
> I have no issues configuring the authentication details as pointed out in the UPDATING document, but when I test a fresh installation I manage to get to the Google authentication webpage and on returning to Airflow's site I get the message: 'Invalid login. Please try again.' which I have traced down to [here|https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/views.py#L549].
> And as pointed out, it seems the user variable is None.
> I have tried to log in using the standard DB authentication method without any problems. The same issue happens even when I tried registering a new user, or with that user registered via the DB authentication and then switching to OAUTH authentication method.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
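
A check for the configuration discussed in this thread, added here as an example (not code from Airflow, Flask-AppBuilder or the thread's participants): it reads a {{webserver_config.py}} with {{ast}} and flags OAuth without self-registration, the case in which the comment suspects the Google identity is not found in the user table, as well as self-registration that hands every new sign-in a privileged role. The sample config, the {{read_settings}} and {{audit}} helpers and the {{PRIVILEGED_ROLES}} set are assumptions; {{AUTH_USER_REGISTRATION}} and {{AUTH_USER_REGISTRATION_ROLE}} are Flask-AppBuilder settings.

```python
import ast

# Constructed sample webserver_config.py (not from the original thread).
SAMPLE = '''
from flask_appbuilder.security.manager import AUTH_OAUTH
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
'''

# Assumption: roles considered too broad to hand to every new OAuth sign-in.
PRIVILEGED_ROLES = {"Admin", "Op"}


def read_settings(source):
    """Collect top-level NAME = value assignments without importing the file."""
    settings = {}
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        name, value = node.targets[0].id, node.value
        if isinstance(value, ast.Name):  # e.g. AUTH_TYPE = AUTH_OAUTH
            settings[name] = value.id
        else:
            try:
                settings[name] = ast.literal_eval(value)
            except (ValueError, TypeError):
                pass  # not a plain literal (e.g. os.environ lookup); skip it
    return settings


def audit(source):
    """Return findings for OAuth login combined with self-registration."""
    cfg = read_settings(source)
    if cfg.get("AUTH_TYPE") != "AUTH_OAUTH":
        return []
    if cfg.get("AUTH_USER_REGISTRATION") is not True:
        return ["no-self-registration: OAuth identities missing from the user "
                "table are rejected at login"]
    # Flask-AppBuilder falls back to the "Public" role when none is configured.
    role = cfg.get("AUTH_USER_REGISTRATION_ROLE", "Public")
    if role in PRIVILEGED_ROLES:
        return [f"privileged-default-role: every account the provider "
                f"authenticates is registered as {role!r}"]
    return []


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

With a Google provider, self-registration admits any account Google authenticates, so the default role is what bounds the access a new sign-in receives.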