Airflow 错误 - 授权 OAuth 访问令牌时出错:无效的 JSON Web 密钥集。 [登录请求被拒绝。]

问题描述

我正在尝试将 Azure EntraID 身份验证与 Airflow [2.9.3] 集成。身份验证已完成，但授权时出现错误“登录请求被拒绝。”。我正在使用 Helm Chart [1.15.0] 进行部署。

Pod 错误日志

Airflow 访问错误

我已在 Azure 中创建了以下安全组。

airflow_nonprod_admin
airflow_nonprod_op
airflow_nonprod_viewer

在 Azure 企业应用程序中，单点登录下的 SAML 配置如下：

Identifier (Entity ID) :: https://airflow.xyz.com/
Reply URL (Assertion Consumer Service URL) :: https://airflow.xyz.com/oauth-authorized/azure
Sign on URL :: https://airflow.xyz.com/login/
Relay State (Optional) :: https://airflow.xyz.com/home
Logout Url (Optional) :: https://airflow.xyz.com/logout

Airflow webserver_config.py 代码片段如下：

            from __future__ import annotations

            import os

            from airflow.www.fab_security.manager import AUTH_OAUTH
            # from airflow.www.security import AirflowSecurityManager
            from airflow.auth.managers.fab.security_manager.override import FabAirflowSecurityManagerOverride
            from airflow.utils.log.logging_mixin import LoggingMixin

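            basedir = os.path.abspath(os.path.dirname(__file__))

            # Flask-WTF flag for CSRF
            WTF_CSRF_ENABLED = True
            # NOTE(review): None means CSRF tokens never expire; a finite limit is the
            # safer choice unless long-lived forms are a known requirement.
            WTF_CSRF_TIME_LIMIT = None

            # Tenant id, app-registration client id and client secret are read from the
            # webserver pod's environment (e.g. injected from a Kubernetes Secret) instead
            # of being written into this file, so the secret is never committed with the
            # config. The variable names are constructed to match the Python names below;
            # adapt them to whatever your deployment injects. An unset variable yields an
            # empty string, which produces a provider that cannot log anyone in.
            AAD_TENANT_ID = os.environ.get("AAD_TENANT_ID", "")
            AAD_CLIENT_ID = os.environ.get("AAD_CLIENT_ID", "")
            AAD_CLIENT_SECRET = os.environ.get("AAD_CLIENT_SECRET", "")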

            # Select OAuth as the FAB authentication type; logins go through the
            # providers listed in OAUTH_PROVIDERS below.
            AUTH_TYPE = AUTH_OAUTH

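            # Single OAuth provider: Microsoft Entra ID via the v2.0 endpoints.
            # The AAD_* values are the settings defined above in this file.
            OAUTH_PROVIDERS = [{
                'name': 'azure',
                'token_key': 'access_token',
                'icon': 'fa-windows',
                'remote_app': {
                    'api_base_url': f"https://login.microsoftonline.com/{AAD_TENANT_ID}",
                    'client_kwargs': {
                        "scope": "User.read name preferred_username email profile upn",
                        "resource": f"{AAD_CLIENT_ID}",
                        # Verify the id_token signature against the key set served at
                        # jwks_uri before its claims are used. This was False, which
                        # accepts the claims - including the groups that drive
                        # AUTH_ROLES_MAPPING via role_keys - without any signature
                        # check. The keys URL must be reachable from the webserver pod.
                        "verify_signature": True,
                    },
                    'request_token_url': None,
                    'request_token_params': {
                        'scope': 'openid email profile'
                    },
                    'access_token_url': f"https://login.microsoftonline.com/{AAD_TENANT_ID}/oauth2/v2.0/token",
                    "access_token_params": {
                        'scope': 'openid email profile'
                    },
                    'authorize_url': f"https://login.microsoftonline.com/{AAD_TENANT_ID}/oauth2/v2.0/authorize",
                    "authorize_params": {
                        'scope': 'openid email profile'
                    },
                    'client_id': f"{AAD_CLIENT_ID}",
                    'client_secret': f"{AAD_CLIENT_SECRET}",
                    'jwks_uri': 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
                    # Must equal the Reply URL registered for the app in Entra ID.
                    'redirect_uri': 'https://airflow.xyz.com/oauth-authorized/azure',
                }
            }]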

            # Users unknown to FAB are created on first login with the fallback role
            # below; their roles are then recomputed from role_keys at every login.
            AUTH_USER_REGISTRATION = True
            AUTH_USER_REGISTRATION_ROLE = "Public"
            AUTH_ROLES_SYNC_AT_LOGIN = True

            # Setup on the Azure side (per the original author):
            #  1. create an App Role such as "Admin" with value "Admin" under the App
            #     Registration's "App Roles" in the Azure Portal (Microsoft Entra ID);
            #  2. link the groups from the Enterprise Application's "Users and Groups";
            #  3. give each group or user one of the roles (Admin, Op, Viewer) there.
            # NOTE(review): each key must equal a value that arrives in role_keys
            # (see get_oauth_user_info, which forwards the token's groups claim); if
            # that claim carries group object IDs rather than these display names,
            # nothing matches and users keep the fallback role - confirm against a
            # decoded token.
            AUTH_ROLES_MAPPING = dict(
                airflow_nonprod_admin=["Admin"],
                airflow_nonprod_op=["Op"],
                airflow_nonprod_viewer=["Viewer"],
            )

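            class AzureCustomSecurity(FabAirflowSecurityManagerOverride, LoggingMixin):
                """Security manager that maps Entra ID token claims onto a FAB user record.

                Only ``get_oauth_user_info`` is overridden; the OAuth flow itself and the
                role synchronisation are inherited unchanged.
                """

                def get_oauth_user_info(self, provider, response=None):
                    """Return the user-info dict FAB expects for an OAuth login.

                    Args:
                        provider: Name of the provider from OAUTH_PROVIDERS.
                        response: Token response, passed through to the parent class.

                    Returns:
                        dict with the keys name, email, first_name, last_name, id,
                        username and role_keys.

                    Raises:
                        Whatever the parent raises when the token cannot be parsed, and
                        KeyError when a required claim is missing from the parsed token.
                    """
                    self.log.debug("Parsing JWT token for provider : %s", provider)
                    try:
                        me = super().get_oauth_user_info(provider, response)
                    except Exception:
                        # Log with the traceback and re-raise. The original swallowed the
                        # error, which left ``me`` unbound and turned every parse failure
                        # into a misleading UnboundLocalError further down.
                        self.log.exception("Could not obtain user info for provider %s", provider)
                        raise

                    # Debug only: this line prints identity claims (mail, UPN, groups).
                    self.log.debug("Parse JWT token : %s", me)

                    # NOTE(review): the keys below look like lowercased Graph /me attribute
                    # names; confirm they are what the parent returns for 'azure' in this
                    # Airflow version - a missing required key raises KeyError.
                    principal = me["userprincipalname"]
                    return {
                        "name": principal,
                        "email": me["mail"],
                        "first_name": me.get("givenname", ""),
                        "last_name": me.get("surname", ""),
                        "id": principal,
                        # username must be unique per person. The original used the given
                        # name, which maps every user sharing a first name onto the same
                        # FAB account; the UPN is unique within the tenant.
                        "username": principal,
                        # No groups claim -> no role keys -> only AUTH_USER_REGISTRATION_ROLE.
                        "role_keys": me.get("groups", []),
                    }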

            # Register the custom manager under both setting names: the dotted path
            # (reportedly what older Airflow releases read) and the class object
            # (reportedly what newer ones read).
            SECURITY_MANAGER_CLASS = AzureCustomSecurity
            FAB_SECURITY_MANAGER_CLASS = 'webserver_config.AzureCustomSecurity'
azure-active-directory airflow azure-aks airflow-2.x airflow-webserver
1个回答

在所有参数中添加User.Read后,如下所示,它可以工作。

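# The answer's configuration, restored from the machine-translated rendering:
# every key corresponds to one in the question's OAUTH_PROVIDERS, with "User.read"
# added to the scope of the three *_params dicts. AAD_* values are defined earlier
# in the file.
OAUTH_PROVIDERS = [{
    'name': 'azure',
    'token_key': 'access_token',
    'icon': 'fa-windows',
    'remote_app': {
        'api_base_url': f"https://login.microsoftonline.com/{AAD_TENANT_ID}/",
        'client_kwargs': {
            "scope": "User.read name preferred_username email profile upn",
            "resource": f"{AAD_CLIENT_ID}",
            # Optionally enforce signature JWT verification
            # NOTE(review): False skips the id_token signature check on this code
            # path, so the claims that feed role mapping are trusted unverified;
            # True is the safer setting.
            "verify_signature": False
        },
        'request_token_url': None,
        'request_token_params': {
            'scope': 'User.read openid email profile'
        },
        'access_token_url': f"https://login.microsoftonline.com/{AAD_TENANT_ID}/oauth2/v2.0/token",
        "access_token_params": {
            'scope': 'User.read openid email profile',
        },
        'authorize_url': f"https://login.microsoftonline.com/{AAD_TENANT_ID}/oauth2/v2.0/authorize",
        "authorize_params": {
            'scope': 'User.read openid email profile',
        },
        'client_id': f"{AAD_CLIENT_ID}",
        'client_secret': f"{AAD_CLIENT_SECRET}",
        'jwks_uri': 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
        'redirect_url': 'https://airflow.xyz.com/oauth-authorized/azure',
    }
}]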
