https://artifacthub.io/packages/helm/apache-airflow/airflow
This does not use the user-community version of the chart.
# 1. Create a GitHub OAuth client
- Homepage URL: the Airflow domain
- Authorization callback URL: the Airflow domain + `/oauth-authorized/github`
# 2. Add the Airflow Helm values
```yaml
webserver:
  webserverConfig: |
    #######################################
    # Custom AirflowSecurityManager
    #######################################
    from airflow.www.security import AirflowSecurityManager

    class CustomSecurityManager(AirflowSecurityManager):
        def get_oauth_user_info(self, provider, resp):
            if provider == "github":
                user_data = self.appbuilder.sm.oauth_remotes[provider].get("user").json()
                emails_data = self.appbuilder.sm.oauth_remotes[provider].get("user/emails").json()
                teams_data = self.appbuilder.sm.oauth_remotes[provider].get("user/teams").json()

                # unpack the user's name
                # (GitHub returns null for "name" when no display name is set)
                first_name = ""
                last_name = ""
                name = (user_data.get("name") or "").split(maxsplit=1)
                if len(name) == 1:
                    first_name = name[0]
                elif len(name) == 2:
                    first_name = name[0]
                    last_name = name[1]

                # unpack the user's email
                email = ""
                for email_data in emails_data:
                    if email_data["primary"]:
                        email = email_data["email"]
                        break

                # unpack the user's teams as role_keys
                # NOTE: each role key will be "my-github-org/my-team-name"
                role_keys = []
                for team_data in teams_data:
                    team_org = team_data["organization"]["login"]
                    team_slug = team_data["slug"]
                    team_ref = team_org + "/" + team_slug
                    role_keys.append(team_ref)

                return {
                    "username": "github_" + user_data.get("login", ""),
                    "first_name": first_name,
                    "last_name": last_name,
                    "email": email,
                    "role_keys": role_keys,
                }
            else:
                return {}

    #######################################
    # Actual `webserver_config.py`
    #######################################
    from flask_appbuilder.security.manager import AUTH_OAUTH

    # only needed for airflow 1.10
    #from airflow import configuration as conf
    #SQLALCHEMY_DATABASE_URI = conf.get("core", "SQL_ALCHEMY_CONN")

    AUTH_TYPE = AUTH_OAUTH
    SECURITY_MANAGER_CLASS = CustomSecurityManager

    # registration configs
    AUTH_USER_REGISTRATION = True  # allow users who are not already in the FAB DB
    AUTH_USER_REGISTRATION_ROLE = "Public"  # this role will be given in addition to any AUTH_ROLES_MAPPING

    # the list of providers which the user can choose from
    OAUTH_PROVIDERS = [
        {
            "name": "github",
            "icon": "fa-github",
            "token_key": "access_token",
            "remote_app": {
                "client_id": "",  # GitHub Client ID
                "client_secret": "",  # GitHub Client Secret
                "api_base_url": "https://api.github.com",
                "client_kwargs": {"scope": "read:org read:user user:email"},
                "access_token_url": "https://github.com/login/oauth/access_token",
                "authorize_url": "https://github.com/login/oauth/authorize",
            },
        },
    ]

    # a mapping from the values of `userinfo["role_keys"]` to a list of FAB roles
    # (placeholders: replace with your own "org/team-slug" values; each key must be
    # unique, because a repeated key in a dict literal keeps only its last entry)
    AUTH_ROLES_MAPPING = {
        "Org/UserTeam": ["User"],
        "Org/AdminTeam": ["Admin"],
    }

    # if we should replace ALL the user's roles each login, or only on registration
    AUTH_ROLES_SYNC_AT_LOGIN = True

    # force users to re-auth after 30min of inactivity (to keep roles in sync)
    PERMANENT_SESSION_LIFETIME = 1800
```
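
Because `AUTH_ROLES_MAPPING` is a Python dict literal, a team key that appears twice keeps only its last role list, with no error. The following added example (not from the original post or the Airflow project) parses a constructed config snippet with `ast`, reports repeated keys, and uses a simplified model of the mapping, which is an assumption here, to show the roles a given `role_keys` list would receive; the team names and helper functions are hypothetical.

```python
import ast

# Constructed sample of the mapping section of a webserver_config.py.
# Team names are placeholders; "data-team" is deliberately listed twice.
SAMPLE_CONFIG = '''
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Public"
AUTH_ROLES_MAPPING = {
    "my-github-org/data-team": ["User"],
    "my-github-org/data-team": ["Admin"],
    "my-github-org/platform-team": ["Admin"],
}
'''


def load_settings(source):
    """Return (literal settings, keys repeated in AUTH_ROLES_MAPPING)."""
    settings, duplicates = {}, []
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name)):
            continue
        name = node.targets[0].id
        if name == "AUTH_ROLES_MAPPING" and isinstance(node.value, ast.Dict):
            seen = set()
            for key in node.value.keys:
                if key is None:  # "**other" unpacking has no key node
                    continue
                value = ast.literal_eval(key)
                if value in seen:
                    duplicates.append(value)
                seen.add(value)
        try:
            settings[name] = ast.literal_eval(node.value)  # last duplicate wins
        except (ValueError, TypeError):
            pass  # non-literal values such as AUTH_TYPE = AUTH_OAUTH
    return settings, duplicates


def resolve_roles(settings, role_keys):
    """Simplified model (an assumption, not FAB's code) of role assignment."""
    roles = set()
    for key in role_keys:
        roles.update(settings.get("AUTH_ROLES_MAPPING", {}).get(key, []))
    if settings.get("AUTH_USER_REGISTRATION"):
        roles.add(settings["AUTH_USER_REGISTRATION_ROLE"])
    return sorted(roles)
```

In the sample, the repeated `data-team` key resolves to `Admin` plus `Public`, and a user in no mapped team still receives `Public`, so that role's permissions deserve a review before registration is enabled.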
# References