有没有办法使用 Gogle OAuth2 身份验证设置 Airflow 2
Is there a way to setup Airflow 2 with Gogle OAuth2 authentication
我将 Airflow 1.10.14 配置得很好,允许组织级 Google OAuth2 身份验证。
我最近尝试升级到 Airflow 2,但找不到使 Google OAuth2 工作的方法。
这是我的 webserver_config.py 的样子:
进口os
from flask_appbuilder.security.manager import AUTH_OAUTH
basedir = os.path.abspath(os.path.dirname(__file__))
# Flask-WTF flag for CSRF
WTF_CSRF_ENABLED = True
AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [{
'name':'google',
'token_key':'access_token',
'icon':'fa-google',
'remote_app': {
'api_base_url':'https://www.googleapis.com/oauth2/v2/',
'client_kwargs':{
'scope': 'email profile'
},
'access_token_url':'https://accounts.google.com/o/oauth2/token',
'authorize_url':'https://accounts.google.com/o/oauth2/auth',
'request_token_url': None,
'client_id': '<client_id>',
'client_secret': '<client_secret>',
}
}]
作为重定向 URL 我有 https://airflow.mydomain.tld/oauth-authorized/google
我配置了作用域并启用了 .../auth/userinfo.email 和 .../auth/userinfo.profile.
通过此设置,我得到了 Google 同意页面,一旦我选择了我的用户(在 Airflow 2 中创建并具有“管理员”权限),我得到:
Something bad has happened.
Please consider letting us know by creating a bug report using GitHub.
Python version: 3.8.5
Airflow version: 2.1.4
Node: ip-x-x-x-x.ec2.internal
-------------------------------------------------------------------------------
Traceback (most recent call last):
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask/app.py", line 2447, in wsgi_app
response = self.full_dispatch_request()
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask/app.py", line 1952, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask/app.py", line 1821, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask/_compat.py", line 39, in reraise
raise value
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
rv = self.dispatch_request()
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask_appbuilder/security/views.py", line 655, in oauth_authorized
resp = self.appbuilder.sm.oauth_remotes[provider].authorize_access_token()
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/authlib/integrations/flask_client/remote_app.py", line 74, in authorize_access_token
params = self.retrieve_access_token_params(flask_req, request_token)
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/authlib/integrations/base_client/base_app.py", line 145, in retrieve_access_token_params
params = self._retrieve_oauth2_access_token_params(request, params)
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/authlib/integrations/base_client/base_app.py", line 126, in _retrieve_oauth2_access_token_params
raise MismatchingStateError()
authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.
我试过不同的用户,关联不同的角色,结果相同。
您可以使用 webserver_config.py 解决,例如:
import os
from flask_appbuilder.security.manager import AUTH_OAUTH
from airflow.configuration import conf
basedir = os.path.abspath(os.path.dirname(__file__))
# The SQLAlchemy connection string.
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
CSRF_ENABLED = True
# The SQLAlchemy connection string.
SQLALCHEMY_DATABASE_URI = conf.get('core', 'SQL_ALCHEMY_CONN')
OAUTH_PROVIDERS = [
{'name': 'google', 'icon': 'fa-google', 'token_key': 'access_token',
'remote_app': {
'client_id': '<client_id>',
'client_secret': '<client_secret>',
'api_base_url': 'https://www.googleapis.com/oauth2/v2/',
'client_kwargs': {
'scope': 'email profile'
},
'request_token_url': None,
'access_token_url': 'https://accounts.google.com/o/oauth2/token',
'authorize_url': 'https://accounts.google.com/o/oauth2/auth'}
},
]
并且在 airflow.cfg 中,您必须将 cookie_samesite 指定为:
# Set samesite policy on session cookie
cookie_samesite = Lax
对于组织级别的安全性,您还可以添加 OAUTH_PROVIDERS:
'whitelist': ['@<your-organsation-email.com>']
我将 Airflow 1.10.14 配置得很好,允许组织级 Google OAuth2 身份验证。
我最近尝试升级到 Airflow 2,但找不到使 Google OAuth2 工作的方法。
这是我的 webserver_config.py 的样子:
进口os
from flask_appbuilder.security.manager import AUTH_OAUTH
basedir = os.path.abspath(os.path.dirname(__file__))
# Flask-WTF flag for CSRF
WTF_CSRF_ENABLED = True
AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [{
'name':'google',
'token_key':'access_token',
'icon':'fa-google',
'remote_app': {
'api_base_url':'https://www.googleapis.com/oauth2/v2/',
'client_kwargs':{
'scope': 'email profile'
},
'access_token_url':'https://accounts.google.com/o/oauth2/token',
'authorize_url':'https://accounts.google.com/o/oauth2/auth',
'request_token_url': None,
'client_id': '<client_id>',
'client_secret': '<client_secret>',
}
}]
作为重定向 URL 我有 https://airflow.mydomain.tld/oauth-authorized/google
我配置了作用域并启用了 .../auth/userinfo.email 和 .../auth/userinfo.profile.
通过此设置,我得到了 Google 同意页面,一旦我选择了我的用户(在 Airflow 2 中创建并具有“管理员”权限),我得到:
Something bad has happened.
Please consider letting us know by creating a bug report using GitHub.
Python version: 3.8.5
Airflow version: 2.1.4
Node: ip-x-x-x-x.ec2.internal
-------------------------------------------------------------------------------
Traceback (most recent call last):
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask/app.py", line 2447, in wsgi_app
response = self.full_dispatch_request()
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask/app.py", line 1952, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask/app.py", line 1821, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask/_compat.py", line 39, in reraise
raise value
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
rv = self.dispatch_request()
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/flask_appbuilder/security/views.py", line 655, in oauth_authorized
resp = self.appbuilder.sm.oauth_remotes[provider].authorize_access_token()
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/authlib/integrations/flask_client/remote_app.py", line 74, in authorize_access_token
params = self.retrieve_access_token_params(flask_req, request_token)
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/authlib/integrations/base_client/base_app.py", line 145, in retrieve_access_token_params
params = self._retrieve_oauth2_access_token_params(request, params)
File "/home/airflow/py/airflow2/lib64/python3.8/site-packages/authlib/integrations/base_client/base_app.py", line 126, in _retrieve_oauth2_access_token_params
raise MismatchingStateError()
authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.
我试过不同的用户,关联不同的角色,结果相同。
您可以使用 webserver_config.py 解决,例如:
import os
from flask_appbuilder.security.manager import AUTH_OAUTH
from airflow.configuration import conf
basedir = os.path.abspath(os.path.dirname(__file__))
# The SQLAlchemy connection string.
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
CSRF_ENABLED = True
# The SQLAlchemy connection string.
SQLALCHEMY_DATABASE_URI = conf.get('core', 'SQL_ALCHEMY_CONN')
OAUTH_PROVIDERS = [
{'name': 'google', 'icon': 'fa-google', 'token_key': 'access_token',
'remote_app': {
'client_id': '<client_id>',
'client_secret': '<client_secret>',
'api_base_url': 'https://www.googleapis.com/oauth2/v2/',
'client_kwargs': {
'scope': 'email profile'
},
'request_token_url': None,
'access_token_url': 'https://accounts.google.com/o/oauth2/token',
'authorize_url': 'https://accounts.google.com/o/oauth2/auth'}
},
]
并且在 airflow.cfg 中,您必须将 cookie_samesite 指定为:
# Set samesite policy on session cookie
cookie_samesite = Lax
对于组织级别的安全性,您还可以添加 OAUTH_PROVIDERS:
'whitelist': ['@<your-organsation-email.com>']