{"id":4070,"date":"2022-01-06T15:10:32","date_gmt":"2022-01-06T20:10:32","guid":{"rendered":"https:\/\/infotechguy.net\/?p=4070"},"modified":"2022-08-26T09:41:52","modified_gmt":"2022-08-26T13:41:52","slug":"airflow-azure-and-oauth","status":"publish","type":"post","link":"https:\/\/infotechguy.net\/?p=4070","title":{"rendered":"Airflow, Azure and OAuth"},"content":{"rendered":"\n

NOTE: This is an incomplete article – I will continue to publish more as I can. I have provided the needed code for “webserver_config.py” I have not included information for the “App Registration” in Azure.<\/p>\n

This article stems from me not finding enough information, in one place, pertaining to authenticating to Apache Airflow<\/a> leveraging OAuth and Azure.

I was able to piece what I needed together using documentation from different sources: GitHub, Flask, Apache, etc.

My hope is that this article provide you with the information needed to get authentication functional in your environment.

If you are using the Apache Airflow public helm chart – this is the code that will help get you going. This can be added to your “values.yaml” or “overrides.yaml” file.\u00a0 If not using a helm chart, then add the python portion – starting with the first “from” to the end of the code block and add it to your “webserver_config.py” file.<\/p>\n\n\n\n

webserver:\n  service:\n    type: NodePort\n  webserverConfig: |\n    \n    from airflow.www.security import AirflowSecurityManager\n    import logging\n    from typing import Dict, Any, List, Union\n    from flask_appbuilder.security.manager import AUTH_OAUTH\n    import os\n\n    # basedir = os.path.abspath(os.path.dirname(__file__))\n\n    WTF_CSRF_ENABLED = True\n    # SQLALCHEMY_DATABASE_URI = conf.get(\"core\", \"SQL_ALCHEMY_CONN\")\n\n    AUTH_TYPE = AUTH_OAUTH\n    AUTH_ROLES_SYNC_AT_LOGIN = True\n    PERMANENT_SESSION_LIFETIME = 1800 # force users to reauth after inactivity period time in seconds\n    AUTH_USER_REGISTRATION = True\n    AUTH_USER_REGISTRATION_ROLE = \"Public\"\n\n    class AzureRoleBasedSecurityManager(AirflowSecurityManager):\n        def _get_oauth_user_info(self, provider, resp):\n            if provider == \"azure\":\n                me = self._azure_jwt_token_parse(resp[\"id_token\"])\n                return {\n                    \"id\": me[\"oid\"],\n                    \"username\": me[\"upn\"],\n                    \"name\": me[\"name\"],\n                    \"email\": me[\"upn\"],\n                    \"first_name\": me[\"given_name\"],\n                    \"last_name\": me[\"family_name\"],\n                    \"role_keys\": me[\"roles\"],\n                }\n            return {}\n        oauth_user_info = _get_oauth_user_info\n\n    SECURITY_MANAGER_CLASS = AzureRoleBasedSecurityManager\n\n    # In order of least permissive - default is \"Public\" - see AUTH_USER_REGISTRATION_ROLE\n    AUTH_ROLES_MAPPING = {\n      \"Public\": [\"Public\"],\n      \"Viewer\": [\"Viewer\"],\n      \"User\": [\"User\"],\n      \"Op\": [\"Op\"],\n      \"Admin\": [\"Admin\"],\n    }\n\n    OAUTH_PROVIDERS = [\n      {\n        \"name\": \"azure\",\n        \"icon\": \"fa-windows\",\n        \"token_key\": \"access_token\",\n        \"remote_app\": {\n          \"client_id\": \"<from Azure>\",\n          \"client_secret\": \"<from Azure>\",\n          \"api_base_url\": \"https:\/\/login.microsoftonline.com\/<from Azure>\/oauth2\",\n          \"client_kwargs\": {\n            \"scope\": \"User.read name preferred_username email profile upn\",\n            \"resource\": \"<from Azure>\"},\n          \"access_token_url\": \"https:\/\/login.microsoftonline.com\/<from Azure>\/oauth2\/token\",\n          \"authorize_url\": \"https:\/\/login.microsoftonline.com\/<from Azure>\/oauth2\/authorize\",\n          \"request_token_url\": None,\n        },\n      },\n    ]<\/code><\/pre>\n\n\n\n

<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"
NOTE: This is an incomplete article – I will continue to publish more as I can. I have provided the needed code for “webserver_config.py” I have not included information for the “App Registration” in Azure....<\/p>\n","protected":false},"author":3,"featured_media":4269,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[28],"tags":[57,112],"class_list":["post-4070","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","tag-cloud","tag-security-2"],"_links":{"self":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/4070","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4070"}],"version-history":[{"count":1,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/4070\/revisions"}],"predecessor-version":[{"id":4137,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/4070\/revisions\/4137"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/media\/4269"}],"wp:attachment":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4070"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4070"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4070"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}