Niha3893382
Niha3893382

Reputation: 93

Airflow Google Authentication does not work as expected

I followed the step provided in the document: https://airflow.apache.org/security.html#google-authentication

After following all steps and restarting the webserver. I do not see any difference with login page and it still asks me for password authentication. I am not sure how to get the google signin option on the web page. I do not get any error on webserver logs.

Configuration=> airflow.cfg:
authenticate = True
#auth_backend = airflow.contrib.auth.backends.password_auth
auth_backend = airflow.contrib.auth.backends.google_auth

[google]
client_id = <client id>
client_secret = <secret key>
oauth_callback_route = /oauth2callback
domain = <domain_name>.com

Upvotes: 3

Views: 5581

Answers (2)

Zach
Zach

Reputation: 958

So I discovered that if we used webserver_config.py as described above, there's no need to add the [google] section in airflow.cfg anymore. It's just redundant. To sum up, my setup is:

airflow.cfg:

authenticate = True
auth_backend = airflow.contrib.auth.backends.google_auth

rbac = True

webserver_config.py:

from flask_appbuilder.security.manager import AUTH_OAUTH

AUTH_TYPE = AUTH_OAUTH

AUTH_USER_REGISTRATION = True

AUTH_USER_REGISTRATION_ROLE = "Admin"

OAUTH_PROVIDERS = [{
    'name':'google',
    'whitelist': ['@yourdomain.com'],  # optional
    'token_key':'access_token',
    'icon':'fa-google',
    'remote_app': {
        'base_url':'https://www.googleapis.com/oauth2/v2/',
        'request_token_params':{
            'scope': 'email profile'
        },
        'access_token_url':'https://oauth2.googleapis.com/token',
        'authorize_url':'https://accounts.google.com/o/oauth2/auth',
        'request_token_url': None,
        'consumer_key': '<your_client_id>',
        'consumer_secret': '<your_client_secret>',
    }
}]

I have to use AUTH_USER_REGISTRATION_ROLE = "Admin" for the very first user otherwise that user cannot even log in and end up in an error page saying "too many redirects".

Upvotes: 8

Niha3893382
Niha3893382

Reputation: 93

As I had RBAC enabled, so I had to change webserver_config.py file for oauth to work with RBAC. webserver_config.py file is created once we have RBAC enabled to true and restarting web server.

  1. AUTH_TYPE = AUTH_OAUTH (to enable Google authentication/Github authentication)
  2. OAUTH_PROVIDERS must be set example: https://github.com/dpgaspar/Flask-AppBuilder/tree/master/examples/oauth
  3. AUTH_USER_REGISTRATION = True
  4. AUTH_USER_REGISTRATION_ROLE = "Already defined roles/Admin/Public"

Once we have it configured and web server restarted, google sign in option appears at the login page. For reference: https://flask-appbuilder.readthedocs.io/en/latest/security.html?highlight=google#authentication-oauth

Upvotes: 4

Related Questions