Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/11/04 02:49:34 UTC
[GitHub] [airflow] pindge opened a new issue #19399: admin role no access to create user via UI
pindge opened a new issue #19399:
URL: https://github.com/apache/airflow/issues/19399
### Apache Airflow version
2.1.3
### Operating System
AWS K8s
### Versions of Apache Airflow Providers
```
airflow@airflow-worker-0:/opt/airflow$ pip freeze | grep apache-airflow-
apache-airflow-providers-amazon==2.1.0
apache-airflow-providers-celery==2.0.0
apache-airflow-providers-cncf-kubernetes==2.0.2
apache-airflow-providers-docker==2.1.0
apache-airflow-providers-elasticsearch==2.0.2
apache-airflow-providers-ftp==2.0.0
apache-airflow-providers-google==5.0.0
apache-airflow-providers-grpc==2.0.0
apache-airflow-providers-hashicorp==2.0.0
apache-airflow-providers-http==2.0.0
apache-airflow-providers-imap==2.0.0
apache-airflow-providers-microsoft-azure==3.1.0
apache-airflow-providers-mysql==2.1.0
apache-airflow-providers-postgres==2.0.0
apache-airflow-providers-redis==2.0.0
apache-airflow-providers-sendgrid==2.0.0
apache-airflow-providers-sftp==2.1.0
apache-airflow-providers-slack==4.0.0
apache-airflow-providers-sqlite==2.0.0
apache-airflow-providers-ssh==2.1.0
```
### Deployment
Other 3rd-party Helm chart
### Deployment details
We have a standard deployment on k8s, and we have this webconfig:
```
webserverConfig:
  stringOverride: |
    """Default configuration for the Airflow webserver"""
    import logging
    import os
    import json

    from airflow.configuration import conf
    from airflow.www.security import AirflowSecurityManager
    from flask_appbuilder.security.manager import AUTH_OAUTH

    log = logging.getLogger(__name__)

    basedir = os.path.abspath(os.path.dirname(__file__))

    # The SQLAlchemy connection string.
    SQLALCHEMY_DATABASE_URI = conf.get('core', 'SQL_ALCHEMY_CONN')

    # Flask-WTF flag for CSRF
    WTF_CSRF_ENABLED = True
    CSRF_ENABLED = True

    # ----------------------------------------------------
    # AUTHENTICATION CONFIG
    # ----------------------------------------------------
    # For details on how to set up each of the following authentication, see
    # http://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-methods
    # for details.

    # The authentication type
    AUTH_TYPE = AUTH_OAUTH

    # SECRET_KEY = os.environ.get("FLASK_SECRET_KEY")

    # Uncomment to setup Full admin role name
    # AUTH_ROLE_ADMIN = 'Admin'

    # Uncomment to setup Public role name, no authentication needed
    # AUTH_ROLE_PUBLIC = 'Public'

    # Will allow user self registration
    # AUTH_USER_REGISTRATION = True

    # The default user self registration role
    # AUTH_USER_REGISTRATION_ROLE = "Public"

    # Cognito hosted-UI endpoints. OAUTH2_BASE_URL, COGNITO_CLIENT_ID and
    # COGNITO_CLIENT_SECRET come from the environment; if OAUTH2_BASE_URL is
    # unset the string concatenation below raises TypeError at import time.
    OAUTH_PROVIDERS = [{
        'name': 'aws_cognito',
        # 'whitelist': ['@ga.gov.au'],  # optional
        'token_key': 'access_token',
        'icon': 'fa-amazon',
        'remote_app': {
            'api_base_url': os.environ.get("OAUTH2_BASE_URL") + "/",
            'client_kwargs': {
                'scope': 'openid email aws.cognito.signin.user.admin'
            },
            'authorize_url': os.environ.get("OAUTH2_BASE_URL") + "/authorize",
            'access_token_url': os.environ.get("OAUTH2_BASE_URL") + "/token",
            'request_token_url': None,
            'client_id': os.environ.get("COGNITO_CLIENT_ID"),
            'client_secret': os.environ.get("COGNITO_CLIENT_SECRET"),
        }
    }]


    class CognitoAirflowSecurityManager(AirflowSecurityManager):
        """Map Cognito's userInfo response onto the fields FAB expects."""

        def oauth_user_info(self, provider, resp):
            # log.info("Requesting user info from AWS Cognito: {0}".format(resp))
            # Only one provider is configured; note that assert is skipped under python -O.
            assert provider == "aws_cognito"
            # Call Cognito's userInfo endpoint with the access token just obtained.
            me = self.appbuilder.sm.oauth_remotes[provider].get("userInfo")
            info = me.json()  # parse the response once instead of once per field
            return {
                "username": info.get("username"),
                "email": info.get("email"),
                "first_name": info.get("given_name", ""),
                "last_name": info.get("family_name", ""),
                "id": info.get("sub", ""),
            }


    SECURITY_MANAGER_CLASS = CognitoAirflowSecurityManager
    ###################################
```
### What happened
We are using `CustomUserOAuthModelView` and under roles, there are only three permissions that can be added: `can read on CustomUserOAuthModelView`, `can edit on CustomUserOAuthModelView`, `can delete on CustomUserOAuthModelView`.
![image](https://user-images.githubusercontent.com/24644475/140240436-01dc8da7-64d8-4ada-ae21-f9c5bf3adfaf.png)
The `add user` button isn't available for Admins and the `/Users/add` endpoint isn't accessible by Admins.
![image](https://user-images.githubusercontent.com/24644475/140240479-faedad30-c902-4833-b63c-7c3e69ec4837.png)
### What you expected to happen
Admin roles should have access to the `/Users/add` endpoint and the `add user` button should be visible.
### How to reproduce
Upgrade from v1.10.15 to v2.1.3.
### Anything else
_No response_
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
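The report above boils down to a role/resource audit question: which actions does the Admin role actually hold on the `CustomUserOAuthModelView` resource after the upgrade? The script below is an added example and is not code from the issue or from the Airflow project. It answers that question straight from the Flask-AppBuilder RBAC tables that Airflow's metadata database uses (ab_role, ab_permission, ab_view_menu, ab_permission_view, ab_permission_view_role). So that it runs offline, it builds an in-memory SQLite copy of those tables and seeds it with constructed rows that mirror the state the reporter describes (read/edit/delete present, create absent); the schema is reduced to the columns the query needs, and the row data is invented for the example.

```python
"""Audit which actions a role holds on a resource in the FAB RBAC tables.

Added example, not the issue reporter's or Airflow's code. Table and column
names are FAB's; the sample grants below are constructed to mirror the
issue (Admin lacks can_create on CustomUserOAuthModelView).
"""
import sqlite3
from typing import Iterable, Set, Tuple

# Minimal copy of FAB's RBAC schema (only the columns the audit query uses).
FAB_SCHEMA = """
CREATE TABLE ab_permission (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE ab_view_menu  (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE ab_role       (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE ab_permission_view (
    id            INTEGER PRIMARY KEY,
    permission_id INTEGER NOT NULL REFERENCES ab_permission(id),
    view_menu_id  INTEGER NOT NULL REFERENCES ab_view_menu(id)
);
CREATE TABLE ab_permission_view_role (
    id                 INTEGER PRIMARY KEY,
    permission_view_id INTEGER NOT NULL REFERENCES ab_permission_view(id),
    role_id            INTEGER NOT NULL REFERENCES ab_role(id)
);
"""

# Constructed sample grants: (role, action, resource). This is the state the
# reporter saw after upgrading 1.10.15 -> 2.1.3: no can_create on the user view.
SAMPLE_GRANTS: Tuple[Tuple[str, str, str], ...] = (
    ("Admin", "can_read", "CustomUserOAuthModelView"),
    ("Admin", "can_edit", "CustomUserOAuthModelView"),
    ("Admin", "can_delete", "CustomUserOAuthModelView"),
    ("Admin", "can_read", "Role"),
    ("Viewer", "can_read", "CustomUserOAuthModelView"),
)

# The actual audit query: every action a role holds on one resource.
ROLE_ACTIONS_SQL = """
SELECT p.name
FROM ab_permission_view_role pvr
JOIN ab_role r             ON r.id  = pvr.role_id
JOIN ab_permission_view pv ON pv.id = pvr.permission_view_id
JOIN ab_permission p       ON p.id  = pv.permission_id
JOIN ab_view_menu vm       ON vm.id = pv.view_menu_id
WHERE r.name = ? AND vm.name = ?
ORDER BY p.name
"""

# Lookup tables whose rows are keyed by a unique name; fixed set, never user input.
LOOKUP_TABLES = {"ab_role", "ab_permission", "ab_view_menu"}


def build_sample_db(grants: Iterable[Tuple[str, str, str]] = SAMPLE_GRANTS) -> sqlite3.Connection:
    """Create an in-memory metadata DB and insert the constructed grants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(FAB_SCHEMA)

    def ensure(table: str, name: str) -> int:
        # Insert-if-missing, then return the row id (table name is from LOOKUP_TABLES only).
        if table not in LOOKUP_TABLES:
            raise ValueError("unexpected lookup table: %s" % table)
        conn.execute("INSERT OR IGNORE INTO %s(name) VALUES (?)" % table, (name,))
        return conn.execute("SELECT id FROM %s WHERE name = ?" % table, (name,)).fetchone()[0]

    for role, action, resource in grants:
        role_id = ensure("ab_role", role)
        perm_id = ensure("ab_permission", action)
        vm_id = ensure("ab_view_menu", resource)
        row = conn.execute(
            "SELECT id FROM ab_permission_view WHERE permission_id = ? AND view_menu_id = ?",
            (perm_id, vm_id),
        ).fetchone()
        if row is None:
            cur = conn.execute(
                "INSERT INTO ab_permission_view(permission_id, view_menu_id) VALUES (?, ?)",
                (perm_id, vm_id),
            )
            pv_id = cur.lastrowid
        else:
            pv_id = row[0]
        conn.execute(
            "INSERT INTO ab_permission_view_role(permission_view_id, role_id) VALUES (?, ?)",
            (pv_id, role_id),
        )
    conn.commit()
    return conn


def role_actions(conn: sqlite3.Connection, role: str, resource: str) -> Set[str]:
    """Actions (can_read, can_edit, ...) that `role` holds on `resource`."""
    return {name for (name,) in conn.execute(ROLE_ACTIONS_SQL, (role, resource))}


def missing_actions(conn: sqlite3.Connection, role: str, resource: str,
                    expected: Iterable[str]) -> Set[str]:
    """Expected actions the role does NOT hold; empty set means the grant is complete."""
    return set(expected) - role_actions(conn, role, resource)


if __name__ == "__main__":
    db = build_sample_db()
    have = role_actions(db, "Admin", "CustomUserOAuthModelView")
    gap = missing_actions(db, "Admin", "CustomUserOAuthModelView",
                          ["can_create", "can_read", "can_edit", "can_delete"])
    print("Admin has:", sorted(have))
    print("Admin is missing:", sorted(gap))
```

Against a real deployment the same query runs unchanged on the metadata database named by `[core] sql_alchemy_conn`; with Postgres and psycopg2 the `?` placeholders become `%s`. The script is read-only and is meant as a check, not a fix: whether adding a `can_create` row for this view would make the `/Users/add` route and the `add user` button work is for the maintainers to answer on the issue.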