How to assign Admin/User roles based on email with Google OAuth2? #57527
Hello Airflow community, We are currently using AWS MWAA (Celery Executor) and considering migrating to Airflow 3.0.2 on Kubernetes (AWS EKS).
We are integrating Google OAuth2 for authentication and authorization. We've configured our apiServer:

```yaml
apiServerConfig: |
  from flask_appbuilder.security.manager import AUTH_OAUTH

  AUTH_TYPE = AUTH_OAUTH
  CSRF_ENABLED = True
  AUTH_USER_REGISTRATION = True
  AUTH_USER_REGISTRATION_ROLE = "User"
  AUTH_ROLES_SYNC_AT_LOGIN = False

  OAUTH_PROVIDERS = [
      {
          'name': 'google',
          'token_key': 'access_token',
          'icon': 'fa-google',
          'remote_app': {
              'api_base_url': 'https://www.googleapis.com/oauth2/v2/',
              'client_kwargs': {'scope': 'email profile'},
              'access_token_url': 'https://accounts.google.com/o/oauth2/token',
              'authorize_url': 'https://accounts.google.com/o/oauth2/auth',
              'request_token_url': None,
              'client_id': '<MY_CLIENT_ID>',
              'client_secret': '<MY_CLIENT_SECRET>'
          }
      }
  ]
```

Login with Google accounts is working correctly. However, because

Our goal is to have specific accounts (e.g.,

We found a workaround by manually updating the

What is the recommended approach for managing Admin vs. general User roles when using OAuth2? Is there a configuration setting or a specific method (perhaps custom logic in

Thank you 🙏
Replies: 1 comment
I managed to resolve this issue. The key was to implement a `CustomOidcSecurityManager` to override the `oauth_user_info` method.

```yaml
# values.yaml
apiServer:
  apiServerConfig: |
    from flask_appbuilder.security.manager import AUTH_OAUTH
    from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
    import logging

    log = logging.getLogger(__name__)

    # Accounts that should receive the Admin role; every other account gets User.
    ADMIN_EMAIL_LIST = {
        '[email protected]',
        '[email protected]'
    }

    class CustomOidcSecurityManager(FabAirflowSecurityManagerOverride):
        # FAB calls oauth_user_info(provider, token_response) after the token
        # exchange. The returned dict is used to register the user and, because
        # AUTH_ROLES_SYNC_AT_LOGIN is True below, its role_keys are re-mapped to
        # FAB roles on every login. Returning an empty dict rejects the login.
        def oauth_user_info(self, provider, response):
            if provider != 'google':
                return {}
            # 'userinfo' carries the ID token claims (requires the openid scope);
            # guard against it being absent instead of raising on None.
            userinfo = response.get('userinfo') or {}
            email = userinfo.get('email')
            hd = userinfo.get('hd')
            # Only Google Workspace accounts of our hosted domain may log in.
            if hd is None or hd != "mycompany.com":
                return {}
            if email is None:
                return {}
            # role_keys are translated to FAB roles through AUTH_ROLES_MAPPING.
            if email in ADMIN_EMAIL_LIST:
                userinfo['role_keys'] = ['Admin']
            else:
                userinfo['role_keys'] = ['User']
            return userinfo

    AUTH_TYPE = AUTH_OAUTH
    CSRF_ENABLED = True
    AUTH_USER_REGISTRATION = True
    # AUTH_USER_REGISTRATION_ROLE = "Viewer"
    AUTH_ROLES_SYNC_AT_LOGIN = True
    PERMANENT_SESSION_LIFETIME = 86400

    AUTH_ROLES_MAPPING = {
        "Admin": ["Admin"],
        "User": ["User"],
    }

    SECURITY_MANAGER_CLASS = CustomOidcSecurityManager

    OAUTH_PROVIDERS = [
        {
            'name': 'google',
            'token_key': 'access_token',
            'icon': 'fa-google',
            'remote_app': {
                'api_base_url': 'https://www.googleapis.com/oauth2/v2/',
                'client_kwargs': {'scope': 'openid profile email'},
                'access_token_url': 'https://accounts.google.com/o/oauth2/token',
                'authorize_url': 'https://accounts.google.com/o/oauth2/auth',
                'request_token_url': None,
                'client_id': '<CLIENT_ID>',
                'client_secret': '<CLIENT_SECRET>',
                'userinfo_endpoint': 'https://openidconnect.googleapis.com/v1/userinfo',
                'jwks_uri': 'https://www.googleapis.com/oauth2/v3/certs',
                'authorize_params': {'hd': 'mycompany.com'}
            }
        }
    ]
```
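The role decision in the answer above is the security boundary between Admin and User, so it is worth testing offline. The following is an added example, not code from the discussion or from Airflow: a stand-alone re-implementation of the `oauth_user_info` logic (the names `map_oauth_userinfo`, `ALLOWED_HD` and `_sample` are assumptions) that can be unit-tested without a Google login, and which goes slightly further than the answer by requiring `email_verified`, normalising e-mail case, and checking that the `hd` claim agrees with the address's domain.

```python
# Added example, not code from the discussion: an offline re-implementation of
# the answer's oauth_user_info mapping so the Admin/User decision can be tested
# without Airflow or a Google login. map_oauth_userinfo, ALLOWED_HD and _sample
# are names chosen for this example; the e-mail addresses are constructed.
from __future__ import annotations

ALLOWED_HD = "mycompany.com"          # Google Workspace hosted domain
ADMIN_EMAIL_LIST = {                   # constructed sample admin accounts
    "alice@mycompany.com",
    "bob@mycompany.com",
}


def map_oauth_userinfo(provider: str, response: dict) -> dict:
    """Return the userinfo dict FAB should register, with role_keys set.

    An empty dict means "reject the login". Beyond the answer's checks this
    also requires email_verified and compares addresses case-insensitively,
    so 'Alice@MyCompany.com' is the same principal as 'alice@mycompany.com'.
    """
    if provider != "google":
        return {}
    userinfo = response.get("userinfo") or {}
    email = (userinfo.get("email") or "").strip().lower()
    hd = userinfo.get("hd")
    # hd is only present for Workspace accounts; consumer gmail.com has none.
    if not email or hd != ALLOWED_HD:
        return {}
    # Google sets email_verified in the ID token; refuse unverified claims.
    if userinfo.get("email_verified") is not True:
        return {}
    # Defence in depth: the hd claim must agree with the address's domain.
    if email.rsplit("@", 1)[-1] != ALLOWED_HD:
        return {}
    userinfo["email"] = email
    userinfo["role_keys"] = ["Admin"] if email in ADMIN_EMAIL_LIST else ["User"]
    return userinfo


def _sample(email: str, hd: str | None = ALLOWED_HD, verified: bool = True) -> dict:
    """Build a token response shaped like authlib's parsed ID token (constructed)."""
    info = {"email": email, "email_verified": verified, "sub": "1234567890"}
    if hd is not None:
        info["hd"] = hd
    return {"access_token": "constructed-token", "userinfo": info}
```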