miguel-saca opened a new pull request, #31821:
URL: https://github.com/apache/superset/pull/31821
### SUMMARY
This PR integrates Keycloak authentication into Superset. The changes
include:
- Modification of configuration files in `docker/pythonpath_dev/` (i.e.
`superset_config.py` and `keycloak_security_manager.py`) to support Keycloak
integration.
- Implementation of Single Logout (SLO) by retrieving the ID token after
authentication and using it during logout.
- Adjustment of new user role assignment: Instead of hardcoding the role to
"Gamma", new users are now assigned the role defined in the environment
variable `AUTH_USER_REGISTRATION_ROLE`. This allows production settings (e.g.,
setting `AUTH_USER_REGISTRATION_ROLE=Admin`) to be used without changing code.
- Updates to various Docker Compose manifests (`docker-compose.yml`,
`docker-compose-non-dev.yml`, and `docker-compose-image-tag.yml`) and the
`.env` file to properly reflect the changes for production deployment.
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
_N/A (no UI changes)_
### TESTING INSTRUCTIONS
1. Run `pre-commit run --all-files` locally to ensure no linting or
type-check errors occur.
2. Using the development environment:
   - Spin up the Superset stack via `docker-compose -f docker-compose-image-tag.yml up -d`.
   - Authenticate through Keycloak and verify that:
     - Upon first login, the new user is created with the role defined in
       the `AUTH_USER_REGISTRATION_ROLE` environment variable.
     - The ID token is correctly stored in the session and used during
       logout.
     - Logout correctly logs the user out on both Superset and Keycloak
       (i.e., the session is cleared).
3. Verify logs and check that the application behaves as expected regarding
role assignment and logout flow.
### ADDITIONAL INFORMATION
- [ ] Has associated issue: _<if applicable, include issue reference, e.g.,
Fixes #123>_
- [ ] Required feature flags: _None_
- [ ] Changes UI: _No_
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351)):
  - [ ] Migration is atomic, supports rollback & is backwards-compatible
  - [ ] Confirm DB migration upgrade and downgrade tested
  - [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API: _Yes – Keycloak integration with Single
Logout and configurable role assignment_
- [ ] Removes existing feature or API: _No_
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
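The two behaviours the description names, role assignment from `AUTH_USER_REGISTRATION_ROLE` and logout using the stored ID token, sketched as an added example that is not the PR's code. The session key `oidc_id_token`, the opt-in variable `ALLOW_PRIVILEGED_REGISTRATION`, the `Gamma` fallback and all hostnames are assumptions made for illustration; the logout path is Keycloak's standard OpenID Connect end-session endpoint.

```python
import os
from urllib.parse import urlencode, urlsplit

# Assumed names, not taken from the PR: the session key and the opt-in variable.
ID_TOKEN_KEY = "oidc_id_token"
PRIVILEGED_ROLES = {"Admin"}


def registration_role(env=os.environ):
    """Role given to users created on first login.

    A privileged role applies to every account the identity provider lets in,
    so it is only accepted with an explicit (hypothetical) opt-in variable.
    """
    role = env.get("AUTH_USER_REGISTRATION_ROLE", "Gamma")
    if role in PRIVILEGED_ROLES and env.get("ALLOW_PRIVILEGED_REGISTRATION") != "1":
        raise ValueError(f"refusing to auto-assign {role!r} to self-registered users")
    return role


def keycloak_logout_url(issuer, session, client_id, redirect_uri, allowed_hosts):
    """Build the RP-initiated logout URL and drop the ID token from the session."""
    # Only redirect back to hosts we own, so logout cannot become an open redirect.
    if urlsplit(redirect_uri).hostname not in allowed_hosts:
        raise ValueError("post-logout redirect host is not allowlisted")
    params = {"post_logout_redirect_uri": redirect_uri}
    id_token = session.pop(ID_TOKEN_KEY, None)  # the token must not outlive the login
    if id_token:
        params["id_token_hint"] = id_token
    else:
        params["client_id"] = client_id  # no token stored: identify the client instead
    return f"{issuer.rstrip('/')}/protocol/openid-connect/logout?{urlencode(params)}"
```

When checking the logout flow, confirm both that the browser is sent to this URL and that the ID token key is gone from the Superset session afterwards.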