Apache Airflow with Google OAuth logins, how?

Question

We would like to use Google Workspace to authenticate against Apache Airflow. I have set up an OAuth client as described here, downloaded the docker-compose Airflow setup from here, and then tried to configure Airflow as described - mostly - here.

When I then click on the "login using google" button, I get to the consent screen, I can accept, and I'm being redirected to my test server "localhost:8080" (Docker setup).

It then tells me "invalid login".

Some observations:

  • I have not configured a security manager, as I don't know how and what for
  • It seems the redirect URL is correct
    (which is .../oauth-authorized/google, actually),
    as before I did not have it configured correctly, and Google didn't even
    perform the login
  • I have not configured an "authentication backend",
    as I only found this in older versions of Airflow
  • The Docker image (apache/airflow, v2.5.1) has library oauthlib 3.2.2 installed
  • When I test the OIDC flow with oauthdebugger, Google issues a token for me. So I think the "problem" is somewhere on the Airflow side

This is my webserver_config.py:

from flask_appbuilder.security.manager import AUTH_OAUTH
import os

# OAUTH configuration for Airflow Web Server

# copied from default config
WTF_CSRF_ENABLED = True
WTF_CSRF_TIME_LIMIT = None

# oauth specific
AUTH_TYPE = AUTH_OAUTH
AUTH_ROLES_SYNC_AT_LOGIN = True  # Checks roles on every login
AUTH_USER_REGISTRATION = False
# FAB_SECURITY_MANAGER_CLASS = "your_module.your_security_manager_class"

OAUTH_PROVIDERS = [
    {
        "name": "google",
        "token_key": "access_token",
        "icon": "fa-google",
        "remote_app": {
            "api_base_url": "https://www.googleapis.com/oauth2/v2/",
            "client_kwargs": {"scope": "email profile"},
            "access_token_url": "https://accounts.google.com/o/oauth2/token",
            "authorize_url": "https://accounts.google.com/o/oauth2/auth",
            "request_token_url": None,
            "client_id": "123456789012-asdfkjhagsdfkjhgasdkfjhgasdfkjhgapps.googleusercontent.com",
            "client_secret": "wooooo",
        },
    }
]

Here is the relevant docker-compose.yaml part:

  airflow-webserver:
    <<: *airflow-common
    # ... rest is unchanged ... 
    volumes:
      - ${AIRFLOW_PROJ_DIR:-./data/airflow}/dags:/opt/airflow/dags
      - ${AIRFLOW_PROJ_DIR:-./data/airflow}/logs:/opt/airflow/logs
      - ${AIRFLOW_PROJ_DIR:-./data/airflow}/plugins:/opt/airflow/plugins
      - ./webserver_config.py:/opt/airflow/webserver_config.py

Funny thing is, it apparently seems to load files for web pages when coming back to Airflow, but I can't leave the login screen and no matter what I do, I get the popup message "Invalid login. Please try again."

As I am fairly stuck, I'd appreciate any help.

Answer 1

Score: 1

Have you tried setting the proper redirect_url that you've set as Authorized redirect URIs in https://console.cloud.google.com/apis/credentials/oauthclient?

'remote_app': {
    'api_base_url': 'https://www.googleapis.com/oauth2/v2/',
    'client_kwargs': {'scope': 'email profile'},
    'access_token_url': 'https://accounts.google.com/o/oauth2/token',
    'authorize_url': 'https://accounts.google.com/o/oauth2/auth',
    'request_token_url': None,
    'client_id': os.getenv("OAUTH_APP_ID"),
    'client_secret': os.getenv("OAUTH_APP_SECRET"),
    'redirect_url': '/oauth-authorized/google',
},
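
An added example, not part of the question or the answer above: the question asks what a security manager would be for, and with the "email profile" scope any Google account can complete the consent screen, so one job for it is to accept only verified accounts from the Workspace domain and assign a least-privilege role. The sketch below is the pure mapping step such a manager could call from its user-info hook (for instance an override of Flask-AppBuilder's get_oauth_user_info). The domain, the admin list, the role keys and the sample responses are assumptions constructed for illustration; the field names are those of Google's oauth2/v2 userinfo response.

```python
from typing import Optional

ALLOWED_DOMAIN = "example.com"      # assumption: your Workspace domain
ADMINS = {"alice@example.com"}      # assumption: explicit admin allow-list
# Assumed companion setting in webserver_config.py:
# AUTH_ROLES_MAPPING = {"admin": ["Admin"], "viewer": ["Viewer"]}


def map_google_userinfo(info: dict, allowed_domain: str = ALLOWED_DOMAIN) -> Optional[dict]:
    """Return a Flask-AppBuilder style user dict, or None to reject the login."""
    email = str(info.get("email", "")).strip().lower()
    # Require a stable account id and an address Google has verified.
    if not info.get("id") or not email or info.get("verified_email") is not True:
        return None
    # "hd" is present only for Workspace accounts. Check it and the e-mail
    # domain with exact equality; a suffix match would accept look-alikes.
    local, _, domain = email.rpartition("@")
    if not local or domain != allowed_domain or info.get("hd") != allowed_domain:
        return None
    return {
        "username": "google_" + str(info["id"]),
        "email": email,
        "first_name": info.get("given_name", ""),
        "last_name": info.get("family_name", ""),
        # Least privilege by default; admin only via the allow-list.
        "role_keys": ["admin"] if email in ADMINS else ["viewer"],
    }


# Constructed sample userinfo responses (not real accounts).
SAMPLE_ADMIN = {"id": "1000001", "email": "Alice@example.com", "verified_email": True,
                "given_name": "Alice", "family_name": "A", "hd": "example.com"}
SAMPLE_MEMBER = {"id": "1000002", "email": "bob@example.com", "verified_email": True,
                 "given_name": "Bob", "family_name": "B", "hd": "example.com"}
SAMPLE_CONSUMER = {"id": "1000003", "email": "carol@gmail.com", "verified_email": True}
SAMPLE_LOOKALIKE = {"id": "1000004", "email": "dave@notexample.com",
                    "verified_email": True, "hd": "notexample.com"}
SAMPLE_UNVERIFIED = {"id": "1000005", "email": "erin@example.com",
                     "verified_email": False, "hd": "example.com"}

if __name__ == "__main__":
    for s in (SAMPLE_ADMIN, SAMPLE_MEMBER, SAMPLE_CONSUMER, SAMPLE_LOOKALIKE, SAMPLE_UNVERIFIED):
        print(s["email"], "->", map_google_userinfo(s))
```

Returning None from the hook is what makes the web server refuse the session, so rejected accounts never reach role assignment.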

huangapple
  • Posted on March 7, 2023, 00:29:00
  • When reposting, please be sure to keep the link to this article: https://go.coder-hub.com/75653371.html