
OpenShift OAuth not working when upgrading from 2.6.3 -> 2.7.0 #34107

Closed
vincbeck opened this issue Sep 5, 2023 Discussed in #33913 · 4 comments
@vincbeck
Contributor

vincbeck commented Sep 5, 2023

Discussed in #33913

Originally posted by allekai August 30, 2023
Hi everyone,

we have Airflow deployed via the official helm chart (Version 1.10.0) in our OpenShift Namespace and tried to upgrade the Airflow version to 2.7.0, but with this, our authentication seems to break.

Prior to the upgrade we used 2.6.3. In the values.yaml we defined a webserver config like so (I mainly used the documentation as reference, but made some minor adjustments for our setup):

airflow:
  webserver:
    webserverConfig: |
      from flask_appbuilder.security.manager import AUTH_OAUTH
      import os
      import json


      client_id         = os.environ["client_id"]
      client_secret     = os.environ["token"]
      api_base_url      = os.environ["api_base_url"]
      redirect_uri      = os.environ["redirect_uri"]
      access_token_url  = os.environ["access_token_url"]
      authorize_url     = os.environ["authorize_url"]

      from airflow.www.security import AirflowSecurityManager
      import logging
      from typing import Any, List, Union

      log = logging.getLogger(__name__)
      log.setLevel(os.getenv("AIRFLOW__LOGGING__FAB_LOGGING_LEVEL", "INFO"))

      class OpenShiftOAuthAuthorizer(AirflowSecurityManager):

          def get_oauth_user_info(self, provider: str, resp: Any) -> dict[str, Union[str, list[str]]]:
              if provider == "openshift":
                  me = self.oauth_remotes[provider].get("apis/user.openshift.io/v1/users/~")
                  data = me.json()
                  log.info(data)
                  return {
                    "username": data["metadata"]["name"],
                    "role_keys": data["groups"],
                    "first_name": data["fullName"]
                  }

      AUTH_TYPE = AUTH_OAUTH
      AUTH_ROLES_SYNC_AT_LOGIN = True  # Checks roles on every login
      AUTH_USER_REGISTRATION = True  # allow users who are not already in the FAB DB to register
      # Make sure to replace this with the path to your security manager class
      FAB_SECURITY_MANAGER_CLASS = "webserver_config.OpenShiftOAuthAuthorizer"

      with open('/mnt/rolesconfig/roles.json') as roleFile:
        AUTH_ROLES_MAPPING = json.load(roleFile)
        print(f"Following Roles were defined via Rolemapping: {AUTH_ROLES_MAPPING}")

      # If you wish, you can add multiple OAuth providers.
      OAUTH_PROVIDERS = [
        {
          "name": "openshift",
          "icon": "fa-circle-o",
          "token_key": "access_token",
          "remote_app": {
            "client_id": client_id,
            "client_secret": client_secret,
            "api_base_url": api_base_url,
            "client_kwargs": {"scope": "user:info"},
            "redirect_uri": redirect_uri,
            "access_token_url": access_token_url,
            "authorize_url": authorize_url,
            "token_endpoint_auth_method": "client_secret_post",
          },
        },
      ]

With Airflow 2.6.3 this authentication logic works fine; however, with Airflow 2.7.0, after authenticating with OpenShift we get an Airflow page saying that the user has no roles / permission.
Furthermore, the log.info(data) statement is either never called or the logging does not make it to the console.
The print(f"Following Roles were defined via Rolemapping: {AUTH_ROLES_MAPPING}") statement, however, is printed to stdout as expected.
When we run airflow users list in the webserver pod, we see an entry for the user who tried to log in, however we only have the email address - the username, roles or full name are not written to the DB.

After digging around in the code base I found that with 2.7.0 we have the FabAirflowSecurityManagerOverride and with more recent commits we also have FabAirflowSecurityManagerOverrideOauth specific to OAuth.

The current documentation (see link above) does not mention these override classes. Do we need to change the class from which we inherit?

@vandonr-amz
Contributor

vandonr-amz commented Sep 6, 2023

hey @allekai I'm reading your config, and there were recently some fixes to the default config documentation because it was not correct.
I'm referring to #33660 and #33690
So I'm wondering how it ever worked (note that those PRs fix the doc, but the code didn't change).
Can you try replacing the line FAB_SECURITY_MANAGER_CLASS = "webserver_config.OpenShiftOAuthAuthorizer" with SECURITY_MANAGER_CLASS = OpenShiftOAuthAuthorizer ?

@allekai

allekai commented Sep 8, 2023

Hi @vandonr-amz I will check it out today in the afternoon

@kaxil kaxil added this to the Airflow 2.7.2 milestone Sep 8, 2023
@yc0

yc0 commented Sep 11, 2023

hey @allekai I'm reading your config, and there were recently some fixes to the default config documentation because it was not correct. I'm referring to #33660 and #33690 So I'm wondering how it ever worked (note that those PRs fix the doc, but the code didn't change). Can you try replacing the line FAB_SECURITY_MANAGER_CLASS = "webserver_config.OpenShiftOAuthAuthorizer" with SECURITY_MANAGER_CLASS = OpenShiftOAuthAuthorizer ?

When I replace the FAB_SECURITY_MANAGER_CLASS with SECURITY_MANAGER_CLASS, it works again. Thanks.
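As an added example (not code from the thread or from the Airflow project), the parts of the config above that can be exercised without a running webserver: mapping an OpenShift users/~ response to the user-info dict, resolving role_keys through AUTH_ROLES_MAPPING the way the roles.json mapping is applied, and a lint that catches the FAB_SECURITY_MANAGER_CLASS / SECURITY_MANAGER_CLASS mix-up that produced the "no roles" symptom. The sample API response, the roles mapping and the config dicts are constructed; the lint follows the fix suggested in this thread.

```python
from typing import Any

# Constructed sample of what apis/user.openshift.io/v1/users/~ returns.
# "fullName" is optional on OpenShift User objects and "groups" may be null,
# so the original data["fullName"] lookup can fail mid-login.
SAMPLE_USER = {
    "metadata": {"name": "jdoe"},
    "fullName": "Jane Doe",
    "groups": ["airflow-admins", "developers"],
}

# Constructed stand-in for the /mnt/rolesconfig/roles.json contents.
SAMPLE_ROLES_MAPPING = {
    "airflow-admins": ["Admin"],
    "airflow-viewers": ["Viewer"],
}


def openshift_user_info(data: dict[str, Any]) -> dict[str, Any]:
    """Build the dict get_oauth_user_info must return, tolerating
    missing optional fields instead of raising KeyError."""
    return {
        "username": data["metadata"]["name"],
        "role_keys": data.get("groups") or [],
        "first_name": data.get("fullName", ""),
    }


def resolve_roles(role_keys: list[str], mapping: dict[str, list[str]]) -> set[str]:
    """Apply AUTH_ROLES_MAPPING: every group present in the mapping contributes
    its roles; unmapped groups are ignored. An empty result is exactly the
    'user has no roles / permission' page seen in the report."""
    roles: set[str] = set()
    for key in role_keys:
        roles.update(mapping.get(key, []))
    return roles


def lint_security_manager(config: dict[str, Any]) -> list[str]:
    """Flag the misconfiguration from this thread: the custom manager wired
    only via FAB_SECURITY_MANAGER_CLASS (or as a dotted string), so Airflow
    falls back to its default manager and the OpenShift mapping never runs."""
    problems: list[str] = []
    if "SECURITY_MANAGER_CLASS" not in config:
        if "FAB_SECURITY_MANAGER_CLASS" in config:
            problems.append("set SECURITY_MANAGER_CLASS, not FAB_SECURITY_MANAGER_CLASS")
        else:
            problems.append("no SECURITY_MANAGER_CLASS set; default manager will be used")
    elif isinstance(config["SECURITY_MANAGER_CLASS"], str):
        problems.append("SECURITY_MANAGER_CLASS must be the class object, not a string")
    return problems
```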

@vincbeck
Contributor Author

I really don't understand how it was supposed to work before, since it has been 3 years that we have been using SECURITY_MANAGER_CLASS (see here), but I am glad it got resolved :).

Closing the issue
