英文:
Apache Airflow with Google OAuth logins, how?
问题
我们想要使用Google Workspace进行Apache Airflow身份验证。我已根据此处的说明设置了OAuth客户端,从此处下载了Docker Compose的Airflow设置,然后尝试根据此处的说明配置Airflow - 大多数情况下。
然后,当我单击“使用Google登录”按钮时,我进入了同意屏幕,我可以接受,然后被重定向到我的测试服务器“localhost:8080”(Docker设置)。
然后它告诉我“登录无效”。
一些观察:
- 我尚未配置安全管理器,因为我不知道如何配置以及为什么要配置。
- 似乎重定向URL是正确的
(实际上是.../oauth-authorized/google),
因为在正确配置之前,Google甚至都不执行登录。 - 我尚未配置“身份验证后端”,
因为我只在较旧版本的Airflow中找到了这一点。 - Docker映像(apache/airflow,v2.5.1)安装了库
oauthlib 3.2.2。 - 当我使用oauthdebugger测试OIDC流程时,Google为我发放了令牌。所以我认为“问题”出现在Airflow一侧。
这是我的webserver_config.py:
from flask_appbuilder.security.manager import AUTH_OAUTHimport os# Airflow Web服务器的OAUTH配置# 从默认配置中复制WTF_CSRF_ENABLED = TrueWTF_CSRF_TIME_LIMIT = None# 特定于OAuthAUTH_TYPE = AUTH_OAUTHAUTH_ROLES_SYNC_AT_LOGIN = True # 在每次登录时检查角色AUTH_USER_REGISTRATION = False# FAB_SECURITY_MANAGER_CLASS = "your_module.your_security_manager_class";OAUTH_PROVIDERS = [{"name": "google","token_key": "access_token","icon": "fa-google","remote_app": {"api_base_url": "https://www.googleapis.com/oauth2/v2/","client_kwargs": {"scope": "email profile"},"access_token_url": "https://accounts.google.com/o/oauth2/token","authorize_url": "https://accounts.google.com/o/oauth2/auth","request_token_url": None,"client_id": "123456789012-asdfkjhagsdfkjhgasdkfjhgasdfkjhgapps.googleusercontent.com","client_secret": "wooooo",},}]
以下是相关的docker-compose.yaml部分:
airflow-webserver:<<: *airflow-common# ... 其余内容不变 ...volumes:- ${AIRFLOW_PROJ_DIR:-./data/airflow}/dags:/opt/airflow/dags- ${AIRFLOW_PROJ_DIR:-./data/airflow}/logs:/opt/airflow/logs- ${AIRFLOW_PROJ_DIR:-./data/airflow}/plugins:/opt/airflow/plugins- ./webserver_config.py:/opt/airflow/webserver_config.py
有趣的是,当返回Airflow页面时,它似乎加载文件,但我无法离开登录屏幕,无论我做什么,都会弹出“登录无效,请重试”的消息。
由于我遇到了困难,我将不胜感激任何帮助。
英文:
we would like to use google workspace to authenticate against apache airflow. i have set up an oauth client as described here, downloaded the docker-compose airflow setup from here, and then tried to configure airflow as described - mostly - here.
when i then click on the "login using google" button, i get to the consent screen, i can accept, and i'm being redirected to my test-server "localhost:8080". (docker setup).
it then tells me "invalid login".
some observations:
- i have not configured a security manager, as i don't know how and what for
- it seems the redirect url is correct
(which is.../oauth-authorized/google, actually),
as before i did not have it configured correctly, and google didn't even
perform the login - i have not configured an "authentication backend",
as i only found this in older versions of airflow - the docker image (apache/airflow, v2.5.1) has library
oauthlib 3.2.2installed - when i test the OIDC flow with oauthdebugger, google issues a token for me. so i think the "problem" is somewhere on the airflow side
this is my webserver_config.py:
from flask_appbuilder.security.manager import AUTH_OAUTHimport os# OAUTH configuration for Airflow Web Server# copied from default configWTF_CSRF_ENABLED = TrueWTF_CSRF_TIME_LIMIT = None# oauth specificAUTH_TYPE = AUTH_OAUTHAUTH_ROLES_SYNC_AT_LOGIN = True # Checks roles on every loginAUTH_USER_REGISTRATION = False# FAB_SECURITY_MANAGER_CLASS = "your_module.your_security_manager_class"OAUTH_PROVIDERS = [{"name": "google","token_key": "access_token","icon": "fa-google","remote_app": {"api_base_url": "https://www.googleapis.com/oauth2/v2/","client_kwargs": {"scope": "email profile"},"access_token_url": "https://accounts.google.com/o/oauth2/token","authorize_url": "https://accounts.google.com/o/oauth2/auth","request_token_url": None,"client_id": "123456789012-asdfkjhagsdfkjhgasdkfjhgasdfkjhgapps.googleusercontent.com","client_secret": "wooooo",},}]
here is the relevant docker-compose.yaml part:
airflow-webserver:<<: *airflow-common# ... rest is unchanged ...volumes:- ${AIRFLOW_PROJ_DIR:-./data/airflow}/dags:/opt/airflow/dags- ${AIRFLOW_PROJ_DIR:-./data/airflow}/logs:/opt/airflow/logs- ${AIRFLOW_PROJ_DIR:-./data/airflow}/plugins:/opt/airflow/plugins- ./webserver_config.py:/opt/airflow/webserver_config.py
funny thing is, it apparently seems to load files for web pages when coming back to airflow, but i can't leave the login screen and no matter what i do, i get the popup message "Invalid login. Please try again."
as i am fairly stuck i'd appreciate any help.
答案1
得分: 1
你尝试过将redirect_url 设置为你在https://console.cloud.google.com/apis/credentials/oauthclient中设置的Authorized redirect URIs吗?
英文:
Have you tried setting the proper redirect_url that you've set as Authorized redirect URIs in https://console.cloud.google.com/apis/credentials/oauthclient?
'remote_app': {'api_base_url': 'https://www.googleapis.com/oauth2/v2/','client_kwargs': {'scope': 'email profile'},'access_token_url': 'https://accounts.google.com/o/oauth2/token','authorize_url': 'https://accounts.google.com/o/oauth2/auth','request_token_url': None,'client_id': os.getenv("OAUTH_APP_ID"),'client_secret': os.getenv("OAUTH_APP_SECRET"),'redirect_url': '/oauth-authorized/google',},
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论