Apache Airflow with Google OAuth logins, how?
Question
We would like to use Google Workspace to authenticate against Apache Airflow. I have set up an OAuth client as described here, downloaded the docker-compose Airflow setup from here, and then tried to configure Airflow as described - mostly - here.
When I then click on the "login using google" button, I get to the consent screen, I can accept, and I'm being redirected to my test server "localhost:8080" (Docker setup).
It then tells me "invalid login".
Some observations:
- I have not configured a security manager, as I don't know how and what for
- it seems the redirect URL is correct (which is .../oauth-authorized/google, actually), as before I did not have it configured correctly, and Google didn't even perform the login
- I have not configured an "authentication backend", as I only found this in older versions of Airflow
- the Docker image (apache/airflow, v2.5.1) has library oauthlib 3.2.2 installed
- when I test the OIDC flow with oauthdebugger, Google issues a token for me. So I think the "problem" is somewhere on the Airflow side
This is my webserver_config.py:
    from flask_appbuilder.security.manager import AUTH_OAUTH
    import os

    # OAUTH configuration for Airflow Web Server
    # copied from default config
    WTF_CSRF_ENABLED = True
    WTF_CSRF_TIME_LIMIT = None

    # oauth specific
    AUTH_TYPE = AUTH_OAUTH
    AUTH_ROLES_SYNC_AT_LOGIN = True  # Checks roles on every login
    AUTH_USER_REGISTRATION = False
    # FAB_SECURITY_MANAGER_CLASS = "your_module.your_security_manager_class"
    OAUTH_PROVIDERS = [
        {
            "name": "google",
            "token_key": "access_token",
            "icon": "fa-google",
            "remote_app": {
                "api_base_url": "https://www.googleapis.com/oauth2/v2/",
                "client_kwargs": {"scope": "email profile"},
                "access_token_url": "https://accounts.google.com/o/oauth2/token",
                "authorize_url": "https://accounts.google.com/o/oauth2/auth",
                "request_token_url": None,
                "client_id": "123456789012-asdfkjhagsdfkjhgasdkfjhgasdfkjhgapps.googleusercontent.com",
                "client_secret": "wooooo",
            },
        }
    ]
Here is the relevant docker-compose.yaml part:
      airflow-webserver:
        <<: *airflow-common
        # ... rest is unchanged ...
        volumes:
          - ${AIRFLOW_PROJ_DIR:-./data/airflow}/dags:/opt/airflow/dags
          - ${AIRFLOW_PROJ_DIR:-./data/airflow}/logs:/opt/airflow/logs
          - ${AIRFLOW_PROJ_DIR:-./data/airflow}/plugins:/opt/airflow/plugins
          - ./webserver_config.py:/opt/airflow/webserver_config.py
Funny thing is, it apparently seems to load files for web pages when coming back to Airflow, but I can't leave the login screen and no matter what I do, I get the popup message "Invalid login. Please try again."
As I am fairly stuck I'd appreciate any help.
Answer 1
Score: 1
Have you tried setting the proper redirect_url that you've set as Authorized redirect URIs in https://console.cloud.google.com/apis/credentials/oauthclient?
    'remote_app': {
        'api_base_url': 'https://www.googleapis.com/oauth2/v2/',
        'client_kwargs': {'scope': 'email profile'},
        'access_token_url': 'https://accounts.google.com/o/oauth2/token',
        'authorize_url': 'https://accounts.google.com/o/oauth2/auth',
        'request_token_url': None,
        'client_id': os.getenv("OAUTH_APP_ID"),
        'client_secret': os.getenv("OAUTH_APP_SECRET"),
        'redirect_url': '/oauth-authorized/google',
    },
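An added example, not part of the original question or answer: a small preflight check for an OAUTH_PROVIDERS list that compares the callback URI (built from the `.../oauth-authorized/google` path quoted in the question) against the URIs registered in the Google console, which Google matches exactly, and flags a client secret written into the file instead of read from the environment. The function names, the finding labels and the sample values are assumptions made for this illustration.

```python
import os
from urllib.parse import urlsplit

CALLBACK_PATH = "/oauth-authorized/{provider}"  # callback path quoted in the question


def callback_uri(base_url, provider):
    """URI Google is asked to redirect back to for this provider name."""
    return base_url.rstrip("/") + CALLBACK_PATH.format(provider=provider)


def explain_mismatch(expected, registered):
    """Name each component that differs; Google compares redirect URIs exactly."""
    e, r = urlsplit(expected), urlsplit(registered)
    parts = (("scheme", e.scheme, r.scheme), ("host", e.hostname, r.hostname),
             ("port", e.port, r.port), ("path", e.path, r.path))
    return [f"{label}: {a!r} != {b!r}" for label, a, b in parts if a != b]


def audit(providers, base_url, authorized_uris, env=os.environ):
    """Return (provider, finding, detail) tuples for an OAUTH_PROVIDERS list."""
    findings = []
    for provider in providers:
        name, app = provider["name"], provider["remote_app"]
        expected = callback_uri(base_url, name)
        if expected not in authorized_uris:
            detail = {uri: explain_mismatch(expected, uri) for uri in authorized_uris}
            findings.append((name, "redirect-uri-not-authorized", detail))
        for key in ("client_id", "client_secret"):
            if not app.get(key):  # e.g. os.getenv() returned None
                findings.append((name, "missing-" + key, None))
        secret = app.get("client_secret")
        # Heuristic (assumption): a secret equal to no environment value is a literal.
        if secret and secret not in env.values():
            findings.append((name, "literal-client_secret", None))
    return findings


# Constructed sample: a literal secret and a console entry registered with
# https and a trailing slash, while the server is reached over plain http.
SAMPLE_PROVIDERS = [{"name": "google", "remote_app": {
    "client_id": "constructed-id.apps.googleusercontent.com",
    "client_secret": "constructed-secret"}}]
SAMPLE_AUTHORIZED = ["https://localhost:8080/oauth-authorized/google/"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROVIDERS, "http://localhost:8080", SAMPLE_AUTHORIZED):
        print(finding)
```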