OpenShift OAuth not working when upgrading from 2.6.3 -> 2.7.0 #34107
Description
Discussed in #33913
Originally posted by allekai August 30, 2023
Hi everyone,
we have Airflow deployed via the official helm chart (Version 1.10.0) in our OpenShift Namespace and tried to upgrade the Airflow version to 2.7.0, but with this, our authentication seems to break.
Prior to the upgrade we used 2.6.3. In the values.yaml we defined a webserver config like so (I mainly used the documentation as reference, but made some minor adjustments for our setup):
airflow:
webserver:
webserverConfig: |
from flask_appbuilder.security.manager import AUTH_OAUTH
import os
import json
client_id = os.environ["client_id"]
client_secret = os.environ["token"]
api_base_url = os.environ["api_base_url"]
redirect_uri = os.environ["redirect_uri"]
access_token_url = os.environ["access_token_url"]
authorize_url = os.environ["authorize_url"]#
from airflow.www.security import AirflowSecurityManager
import logging
from typing import Any, List, Union
log = logging.getLogger(__name__)
log.setLevel(os.getenv("AIRFLOW__LOGGING__FAB_LOGGING_LEVEL", "INFO"))
class OpenShiftOAuthAuthorizer(AirflowSecurityManager):
def get_oauth_user_info(self, provider: str, resp: Any) -> dict[str, Union[str, list[str]]]:
if provider == "openshift":
me = self.oauth_remotes[provider].get("apis/user.openshift.io/v1/users/~")
data = me.json()
log.info(data)
return {
"username": data["metadata"]["name"],
"role_keys": data["groups"],
"first_name": data["fullName"]
}
AUTH_TYPE = AUTH_OAUTH
AUTH_ROLES_SYNC_AT_LOGIN = True # Checks roles on every login
AUTH_USER_REGISTRATION = True # allow users who are not already in the FAB DB to register
# Make sure to replace this with the path to your security manager class
FAB_SECURITY_MANAGER_CLASS = "webserver_config.OpenShiftOAuthAuthorizer"
with open('/mnt/rolesconfig/roles.json') as roleFile:
AUTH_ROLES_MAPPING = json.load(roleFile)
print(f"Following Roles were defined via Rolemapping: {AUTH_ROLES_MAPPING}")
# If you wish, you can add multiple OAuth providers.
OAUTH_PROVIDERS = [
{
"name": "openshift",
"icon": "fa-circle-o",
"token_key": "access_token",
"remote_app": {
"client_id": client_id,
"client_secret": client_secret,
"api_base_url": api_base_url,
"client_kwargs": {"scope": "user:info"},
"redirect_uri": redirect_uri,
"access_token_url": access_token_url,
"authorize_url": authorize_url,
"token_endpoint_auth_method": "client_secret_post",
},
},
]
With Airflow 2.6.3 this authentication logic works fine, however with Airflow 2.7.0 after authenticating with OpenShfit we get an Airflow page saying that the user has no roles / permission.
Furthermore, the log.info(data) statement is either never called or the logging does not make it to the console.
The print(f"Following Roles were defined via Rolemapping: {AUTH_ROLES_MAPPING}") statement however is printed to stdout as expected.
When we run airflow users list in the webserver pod, we see an entry for the user who tried to login, however we only have the email adress - the username, roles oder fullname are not written to the DB.
After digging around in the code base I found that with 2.7.0 we have the FabAirflowSecurityManagerOverride and with more recent commits we also have FabAirflowSecurityManagerOverrideOauth specific to OAuth.
The current documentation (see link above) does not mention these override classes. Do we need to change the class from which we inherit?