Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/01/15 11:47:09 UTC

[GitHub] [airflow] FlorianWagnerZEB opened a new issue #13693: Unexpected "Access denied" redirects using OAuth with Keycloak

FlorianWagnerZEB opened a new issue #13693:
URL: https://github.com/apache/airflow/issues/13693


   **Apache Airflow version**: 1.10.12
   
   
   **Kubernetes version**: Client: v1.15.11, Server: v1.19.3
   
   **Environment**: Kubernetes for Docker Desktop
   
   - **OS**: Windows 10 Pro
   - **Airflow Base Image**: apache/airflow:1.10.12-python3.8
   
   **What happened**:
   When I log in using Keycloak as the OAuth provider, I frequently (every few seconds) get "Access denied" messages followed by a redirect to the `/login` page, even when I request endpoints that are allowed for my user role.
   Mostly those endpoints that were already working a few seconds ago suddenly result in an "Access denied" message.
   
   
   **What you expected to happen**:
   The login should result in a stable session allowing me to perform all actions on the web interface according to my user role.
   
   **How to reproduce it**:
   I activated OAuth authentication with my keycloak as oauth backend the following way:
   Passed the following environment variable to all airflow pods:
   `AIRFLOW__WEBSERVER__RBAC: 'True'`
   
   Added the following packages to my airflow docker image:
   `pip --no-cache-dir install oauthlib flask_oauthlib==0.9.5`
   
   Changed my webserver_config.py to the following:
   ```
   from flask_appbuilder.security.manager import (
       AUTH_OAUTH
   )
   AUTH_USER_REGISTRATION = True
   AUTH_USER_REGISTRATION_ROLE = "Admin"
   AUTH_TYPE = AUTH_OAUTH
   OAUTH_PROVIDERS = [
       {
           "name":'azure',
           "icon": 'fa-windows',
           "token_key": "access_token",
           "remote_app": {
               "consumer_key":"xxxxxxxxx",
               "consumer_secret":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
               "base_url":"https://our-company-keycloak/auth/realms/our-realm",
               "access_token_url": "https://our-company-keycloak/auth/realms/our-realm/protocol/openid-connect/token",
               "authorize_url": "https://our-company-keycloak/auth/realms/our-realm/protocol/openid-connect/auth",
               "request_token_params": {
                   "scope": "openid"
               }
           }
       },
   ]
   ```
   Since there is no option to use "keycloak" as a name for an OAuth provider, I used "azure" and configured my keycloak client to map the user information according to Azure's OAuth behavior.
   In particular, the following mappings had to be made:
   `email -> upn`
   `first_name -> given_name`
   `last_name -> family_name`
   `id -> oid`
   `username -> oid`
   
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
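
An added example, not part of the original issue and not Airflow or Flask-AppBuilder code: a diagnostic that checks whether an id_token carries the claims named in the mapping listed in the issue above. It assumes the claims are read from the id_token's JWT payload; the helper names and both sample tokens are constructed, and the payload is decoded without signature verification, so the result is for troubleshooting only.

```python
import base64
import json

# Mapping stated in the issue: Flask-AppBuilder user field -> token claim
# that the Keycloak client has to emit when the "azure" provider name is reused.
AZURE_STYLE_MAPPING = {
    "email": "upn",
    "first_name": "given_name",
    "last_name": "family_name",
    "id": "oid",
    "username": "oid",
}

def decode_jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def map_user_info(token):
    """Return (user_info, missing_claims) for an id_token under the mapping."""
    claims = decode_jwt_payload(token)
    user_info, missing = {}, set()
    for field, claim in AZURE_STYLE_MAPPING.items():
        value = claims.get(claim)
        if isinstance(value, str) and value:
            user_info[field] = value
        else:
            missing.add(claim)  # claim absent or empty in this token
    return user_info, sorted(missing)

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64(claims), "constructed"])

# Constructed samples: one token with the mapped claims, one without them.
MAPPED = make_sample_token({"upn": "alice@example.test", "given_name": "Alice",
                            "family_name": "Example", "oid": "constructed-id-1"})
UNMAPPED = make_sample_token({"email": "alice@example.test", "sub": "constructed-id-1",
                              "given_name": "Alice", "family_name": "Example"})

if __name__ == "__main__":
    for name, token in (("mapped", MAPPED), ("unmapped", UNMAPPED)):
        print(name, map_user_info(token))
```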



[GitHub] [airflow] mik-laj commented on issue #13693: Unexpected "Access denied" redirects using OAuth with Keycloak

Posted by GitBox <gi...@apache.org>.
mik-laj commented on issue #13693:
URL: https://github.com/apache/airflow/issues/13693#issuecomment-762227485


   This also doesn't look like an Airflow setup issue but a Flask App builder issue. Can you try to get help there?
   https://github.com/dpgaspar/Flask-AppBuilder/issues





[GitHub] [airflow] boring-cyborg[bot] commented on issue #13693: Unexpected "Access denied" redirects using OAuth with Keycloak

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #13693:
URL: https://github.com/apache/airflow/issues/13693#issuecomment-760895548


   Thanks for opening your first issue here! Be sure to follow the issue template!
   





[GitHub] [airflow] potiuk closed issue #13693: Unexpected "Access denied" redirects using OAuth with Keycloak

Posted by GitBox <gi...@apache.org>.
potiuk closed issue #13693:
URL: https://github.com/apache/airflow/issues/13693


   





[GitHub] [airflow] potiuk commented on issue #13693: Unexpected "Access denied" redirects using OAuth with Keycloak

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #13693:
URL: https://github.com/apache/airflow/issues/13693#issuecomment-761804570


   @FlorianWagnerZEB - this is a "troubleshooting" kind of question rather than a bug. I am closing this issue for now, but please copy it and open [discussions](https://github.com/apache/airflow/discussions). If you click "new issue" and see the "Ask a question or Get Support" - discussion is the link that is suggested there.

