我正在尝试将 Azure Entra ID 身份验证与 Airflow [2.9.3] 集成。身份验证已完成，但授权失败并出现错误，例如“登录请求被拒绝”。我正在使用 Helm Chart [1.15.0] 进行部署。
我已在 Azure 中创建了以下安全组。
airflow_nonprod_admin
airflow_nonprod_op
airflow_nonprod_viewer
在 Azure 企业应用程序中，单点登录下的 SAML 配置如下：
Identifier (Entity ID) :: https://airflow.xyz.com/
Reply URL (Assertion Consumer Service URL) :: https://airflow.xyz.com/oauth-authorized/azure
Sign on URL :: https://airflow.xyz.com/login/
Relay State (Optional) :: https://airflow.xyz.com/home
Logout Url (Optional) :: https://airflow.xyz.com/logout
Airflow webserver_config.py 代码片段如下：
from __future__ import annotations
import os
from airflow.www.fab_security.manager import AUTH_OAUTH
# from airflow.www.security import AirflowSecurityManager
from airflow.auth.managers.fab.security_manager.override import FabAirflowSecurityManagerOverride
from airflow.utils.log.logging_mixin import LoggingMixin
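basedir = os.path.abspath(os.path.dirname(__file__))

# Flask-WTF flag for CSRF
WTF_CSRF_ENABLED = True
WTF_CSRF_TIME_LIMIT = None

# Entra ID (AAD) app-registration settings. Read them from the environment
# instead of pasting literals here: this file is versioned configuration and a
# client secret does not belong in it. The variable names are constructed for
# this snippet (AAD_TENANT_ID, AAD_CLIENT_ID, AAD_CLIENT_SECRET) — rename them to
# match how the deployment injects secrets.
# os.environ[...] rather than .get(): a missing value should fail at webserver
# start-up, not produce a half-configured provider that only fails at login.
AAD_TENANT_ID = os.environ["AAD_TENANT_ID"]
AAD_CLIENT_ID = os.environ["AAD_CLIENT_ID"]
AAD_CLIENT_SECRET = os.environ["AAD_CLIENT_SECRET"]

# Log in through the OAuth2/OIDC provider list below, not the FAB DB login form.
AUTH_TYPE = AUTH_OAUTH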
# Microsoft identity platform authority for this tenant; every endpoint below
# hangs off it.
_AAD_AUTHORITY = f"https://login.microsoftonline.com/{AAD_TENANT_ID}"
# Scope string requested on the request/access/authorize legs (one value, three
# separate dicts so no mutable object is shared between keys).
_OIDC_SCOPES = "openid email profile"

OAUTH_PROVIDERS = [
    {
        "name": "azure",
        "token_key": "access_token",
        "icon": "fa-windows",
        "remote_app": {
            "api_base_url": _AAD_AUTHORITY,
            "client_kwargs": {
                "scope": "User.read name preferred_username email profile upn",
                "resource": f"{AAD_CLIENT_ID}",
                # Optionally enforce signature JWT verification.
                # NOTE(review): with False the provider's Azure handling decodes the
                # ID token without checking its signature (FAB behaviour as far as I
                # recall — confirm for this version). Those claims become role_keys
                # and therefore decide authorization; set True once login works so
                # the token is validated against jwks_uri.
                "verify_signature": False,
            },
            "request_token_url": None,
            "request_token_params": {"scope": _OIDC_SCOPES},
            "access_token_url": f"{_AAD_AUTHORITY}/oauth2/v2.0/token",
            "access_token_params": {"scope": _OIDC_SCOPES},
            "authorize_url": f"{_AAD_AUTHORITY}/oauth2/v2.0/authorize",
            "authorize_params": {"scope": _OIDC_SCOPES},
            "client_id": f"{AAD_CLIENT_ID}",
            "client_secret": f"{AAD_CLIENT_SECRET}",
            "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
            # Must be registered verbatim on the App Registration as a web redirect
            # URI; the SAML single-sign-on settings on the enterprise application
            # are a different protocol and do not cover this OAuth flow.
            "redirect_uri": "https://airflow.xyz.com/oauth-authorized/azure",
        },
    }
]
# Role a user gets on first login before any group mapping applies; keep it at
# the least-privileged built-in so an unmapped account cannot do anything.
AUTH_USER_REGISTRATION_ROLE = "Public"
# Create the FAB user record automatically on first OAuth login...
AUTH_USER_REGISTRATION = True
# ...and re-derive its roles from role_keys on every login, so a group change
# in Entra ID is reflected at the next login rather than only at registration.
AUTH_ROLES_SYNC_AT_LOGIN = True

# First you MUST create a role like "Admin with value Admin" in the App Registration
# "App Roles" section in the Azure Portal under Microsoft Entra ID.
# Then groups MUST be linked from the Microsoft Entra ID "Enterprise Application"
# section in the Azure Portal under the "Users and Groups" section.
# Each group or user MUST be assigned a role e.g. Admin, Op, Viewer in "Users and Groups".
#
# NOTE(review): these keys are matched against the role_keys the security manager
# returns (the `groups` claim in this config). Entra ID's `groups` claim normally
# carries group object IDs rather than display names, while App Roles arrive in
# the `roles` claim — confirm which claim and value the token actually contains;
# a key that never matches leaves every user at the registration role.
_GROUP_TO_ROLE = (
    ("airflow_nonprod_admin", "Admin"),
    ("airflow_nonprod_op", "Op"),
    ("airflow_nonprod_viewer", "Viewer"),
)
AUTH_ROLES_MAPPING = {group: [role] for group, role in _GROUP_TO_ROLE}
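class AzureCustomSecurity(FabAirflowSecurityManagerOverride, LoggingMixin):
    """Security manager that maps Entra ID claims onto FAB user fields.

    Only ``get_oauth_user_info`` is overridden, so the ``groups`` claim is
    exposed as ``role_keys`` and resolved through ``AUTH_ROLES_MAPPING``.
    """

    def get_oauth_user_info(self, provider, response=None):
        """Return the user-info dict FAB builds the local user from.

        Args:
            provider: Name of the OAUTH_PROVIDERS entry that completed login.
            response: Token response handed over by the OAuth callback.

        Returns:
            Dict with the keys FAB expects (name, email, first_name, last_name,
            id, username, role_keys), filled from the parent's parsed claims.

        Raises:
            Exception: whatever the parent raises while parsing the token is
                logged with its traceback and re-raised. (The original fell
                through to an ``UnboundLocalError`` on ``me`` instead.)
            KeyError: if one of the claim names read below is missing.
        """
        self.log.debug("Parsing JWT token for provider : %s", provider)
        try:
            me = super().get_oauth_user_info(provider, response)
        except Exception:
            # logger.exception keeps the traceback in the Airflow log rather than
            # on stderr; re-raise so the caller treats the login as failed.
            self.log.exception("Failed to parse OAuth user info for provider : %s", provider)
            raise
        # Debug only: this is the full claim set (PII) — keep it off in production.
        self.log.debug("Parse JWT token : %s", me)
        # NOTE(review): the claim names below must match the keys of the dict the
        # parent returns for this provider — confirm; none of them has a default.
        # `username` is the given name, so two users with the same first name
        # would collide on one FAB account; the UPN used for `id` is the safer key.
        return {
            "name": me["userprincipalname"],
            "email": me["mail"],
            "first_name": me["givenname"],
            "last_name": me["surname"],
            "id": me["userprincipalname"],
            "username": me["givenname"],
            "role_keys": me["groups"],
        }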
# Register the custom security manager under both names Airflow has used: the
# class object is what newer versions appear to read, the dotted-path string what
# older ones read (per the original author's note); setting both is harmless.
SECURITY_MANAGER_CLASS = AzureCustomSecurity
FAB_SECURITY_MANAGER_CLASS = 'webserver_config.AzureCustomSecurity'
在所有 scope 参数中添加 User.Read 后（如下所示），问题得以解决。
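# Working configuration (per the answer): the only change from the first provider
# block is adding User.read to every scope string. This listing was
# machine-translated on the page; the dict keys, None/False literals, the scope
# words and the casing of preferred_username are restored to match the first
# block — the values themselves are unchanged.
OAUTH_PROVIDERS = [{
    'name': 'azure',
    'token_key': 'access_token',
    'icon': 'fa-windows',
    'remote_app': {
        'api_base_url': f"https://login.microsoftonline.com/{AAD_TENANT_ID}/",
        'client_kwargs': {
            "scope": "User.read name preferred_username email profile upn",
            "resource": f"{AAD_CLIENT_ID}",
            # Optionally enforce signature JWT verification.
            # NOTE(review): False skips signature checking of the ID token whose
            # claims drive role assignment; enable it once the flow is confirmed.
            "verify_signature": False
        },
        'request_token_url': None,
        'request_token_params': {
            'scope': 'User.read openid email profile'
        },
        'access_token_url': f"https://login.microsoftonline.com/{AAD_TENANT_ID}/oauth2/v2.0/token",
        "access_token_params": {
            'scope': 'User.read openid email profile',
        },
        'authorize_url': f"https://login.microsoftonline.com/{AAD_TENANT_ID}/oauth2/v2.0/authorize",
        "authorize_params": {
            'scope': 'User.read openid email profile',
        },
        'client_id': f"{AAD_CLIENT_ID}",
        'client_secret': f"{AAD_CLIENT_SECRET}",
        'jwks_uri': 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
        # NOTE(review): the first block spells this key 'redirect_uri'; kept as
        # written here — confirm which spelling the OAuth client actually honours.
        'redirect_url': 'https://airflow.xyz.com/oauth-authorized/azure',
    }
}]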