GitHub user PatBriPerso created a discussion: Use keycloak as OIDC/IdP provider 
but cannot access to users list

I setup superset to authenticate the users with keycloak as IdP.
I'm able to connect to superset after validating a login/pwd on keycloak but I 
cannot access the users list page (/users/list) as an Admin.

#### How to reproduce the bug

Setup superset as described in "Additional context".
Connect to superset through keycloak as an Admin
Click on the menu Settings > List Users

### Expected results

See the users list

### Actual results

I'm back on the welcome page (/superset/welcome/) with a message saying "Access 
is Denied".

#### Screenshots

n/a

### Environment

(please complete the following information):

- browser type and version: 
Brave Version 1.37.109 Chromium: 100.0.4896.60 (Build officiel) (64 bits)
- superset version: `superset version`
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Superset 1.4.2
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 
- python version: `python --version`
Python 3.8.12
- node.js version: `node -v`
n/a
- any feature flags active:
ALERT_REPORTS

### Checklist

Make sure to follow these steps before submitting your issue - thank you!

- [X] I have checked the superset logs for python stacktraces and included it 
here as text if there are any.
No stacktrace
- [X] I have reproduced the issue with at least the latest released version of 
superset.
- [X] I have checked the issue tracker for the same issue and I haven't found 
one similar.

### Additional context

I have a keycloak setup with the url: https://auth.mydomain.com/
I create a realm named "demo" and a user on this realm.
I add a client named "superset" (client ID) on this realm with a Client 
Protocol "openid-connect" and a Root URL "https://superset.demo.mydomain.com/";

My superset is accessible with the url: https://superset.demo.mydomain.com/

I use the Docker version of superset deployed on a Docker Swarm cluster. I use 
Traefik to route the HTTP requests to the containers (superset and keycloak).

To setup superset with keycloak, I follow these posts:
- https://github.com/apache/superset/discussions/13915
- 
https://stackoverflow.com/questions/54010314/using-keycloakopenid-connect-with-apache-superset/54024394#54024394

But I modify some files so I describe below my whole configuration.

Content of `/app/docker/requirements-local.txt`:
```
clickhouse-driver>=0.2.0
clickhouse-sqlalchemy>=0.1.6,<0.2.0
mysql-connector-python
flask-oidc==1.3.0
```
The first 2 packages are used to connect to my clickhouse database. The third 
one is used to have the superset database on MySQL (instead of postgres).
Only the fourth one is related to keycloak to enable OIDC (OpenID Connect).


Content of `/app/pythonpath/superset_config.py`:
```python
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#
# This file is included in the final Docker image and SHOULD be overridden when
# deploying the image to prod. Settings configured here are intended for use in 
local
# development environments. Also note that superset_config_docker.py is imported
# as a final step as a means to override "defaults" configured here
#
import logging
import os
from datetime import timedelta
from typing import Optional

from cachelib.file import FileSystemCache
from celery.schedules import crontab

logger = logging.getLogger()


def get_env_variable(var_name: str, default: Optional[str] = None) -> str:
    """Get the environment variable or raise exception."""
    try:
        return os.environ[var_name]
    except KeyError:
        if default is not None:
            return default
        else:
            error_msg = "The environment variable {} was missing, 
abort...".format(
                var_name
            )
            raise EnvironmentError(error_msg)


DATABASE_DIALECT = get_env_variable("DATABASE_DIALECT")
DATABASE_USER = get_env_variable("DATABASE_USER")
DATABASE_PASSWORD = get_env_variable("DATABASE_PASSWORD")
DATABASE_HOST = get_env_variable("DATABASE_HOST")
DATABASE_PORT = get_env_variable("DATABASE_PORT")
DATABASE_DB = get_env_variable("DATABASE_DB")

# The SQLAlchemy connection string.
SQLALCHEMY_DATABASE_URI = "%s://%s:%s@%s:%s/%s" % (
    DATABASE_DIALECT,
    DATABASE_USER,
    DATABASE_PASSWORD,
    DATABASE_HOST,
    DATABASE_PORT,
    DATABASE_DB,
)

REDIS_HOST = get_env_variable("REDIS_HOST")
REDIS_PORT = get_env_variable("REDIS_PORT")
REDIS_CELERY_DB = get_env_variable("REDIS_CELERY_DB", "0")
REDIS_RESULTS_DB = get_env_variable("REDIS_RESULTS_DB", "1")

##### Change from original file
#RESULTS_BACKEND = FileSystemCache("/app/superset_home/sqllab")
# Put results on Redis not on a file that is not shared among container on 
Swarm stack
from cachelib.redis import RedisCache
RESULTS_BACKEND = RedisCache(host=REDIS_HOST, port=REDIS_PORT, 
key_prefix='superset_results')
##### End of change

class CeleryConfig(object):
    BROKER_URL = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_CELERY_DB}"
    CELERY_IMPORTS = ("superset.sql_lab", "superset.tasks")
    CELERY_RESULT_BACKEND = 
f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_RESULTS_DB}"
    CELERYD_LOG_LEVEL = "DEBUG"
    CELERYD_PREFETCH_MULTIPLIER = 1
    CELERY_ACKS_LATE = False
    CELERYBEAT_SCHEDULE = {
        "reports.scheduler": {
            "task": "reports.scheduler",
            "schedule": crontab(minute="*", hour="*"),
        },
        "reports.prune_log": {
            "task": "reports.prune_log",
            "schedule": crontab(minute=10, hour=0),
        },
    }


CELERY_CONFIG = CeleryConfig

FEATURE_FLAGS = {"ALERT_REPORTS": True}
ALERT_REPORTS_NOTIFICATION_DRY_RUN = True
WEBDRIVER_BASEURL = "http://superset:8088/";
# The base URL for the email report hyperlinks.
WEBDRIVER_BASEURL_USER_FRIENDLY = WEBDRIVER_BASEURL

SQLLAB_CTAS_NO_LIMIT = True

#
# Optionally import superset_config_docker.py (which will have been included on
# the PYTHONPATH) in order to allow for local settings to be overridden
#
try:
    import superset_config_docker
    from superset_config_docker import *  # noqa

    logger.info(
        f"Loaded your Docker configuration at " 
f"[{superset_config_docker.__file__}]"
    )
except ImportError:
    logger.info("Using default Docker config...")
```

Content of `/app/pythonpath/superset_config_docker.py`:
```python
import os
from typing import Optional

def get_env_variable(var_name: str, default: Optional[str] = None) -> str:
    """Get the environment variable or raise exception."""
    try:
        return os.environ[var_name]
    except KeyError:
        if default is not None:
            return default
        else:
            error_msg = "The environment variable {} was missing, 
abort...".format(
                var_name
            )
            raise EnvironmentError(error_msg)


# The allowed translation for you app
LANGUAGES = {
    "en": {"flag": "us", "name": "English"},
    #"es": {"flag": "es", "name": "Spanish"},
    #"it": {"flag": "it", "name": "Italian"},
    "fr": {"flag": "fr", "name": "French"},
    #"zh": {"flag": "cn", "name": "Chinese"},
    #"ja": {"flag": "jp", "name": "Japanese"},
    #"de": {"flag": "de", "name": "German"},
    #"pt": {"flag": "pt", "name": "Portuguese"},
    #"pt_BR": {"flag": "br", "name": "Brazilian Portuguese"},
    #"ru": {"flag": "ru", "name": "Russian"},
    #"ko": {"flag": "kr", "name": "Korean"},
    #"sk": {"flag": "sk", "name": "Slovak"},
    #"sl": {"flag": "si", "name": "Slovenian"},
}

ENABLE_PROXY_FIX = True

#---------------------------KEYCLOACK ----------------------------
# See: https://github.com/apache/superset/discussions/13915
# See: 
https://stackoverflow.com/questions/54010314/using-keycloakopenid-connect-with-apache-superset/54024394#54024394

from keycloak_security_manager  import  OIDCSecurityManager
from flask_appbuilder.security.manager import AUTH_OID

OIDC_ENABLE = get_env_variable("OIDC_ENABLE", 'False')

if OIDC_ENABLE == 'True':
    AUTH_TYPE = AUTH_OID
    SECRET_KEY = get_env_variable("SECRET_KEY", 'ChangeThisKeyPlease')
    OIDC_CLIENT_SECRETS = get_env_variable("OIDC_CLIENT_SECRETS", 
'/app/pythonpath/client_secret.json')
    OIDC_ID_TOKEN_COOKIE_SECURE = False
    OIDC_REQUIRE_VERIFIED_EMAIL = False
    OIDC_OPENID_REALM = get_env_variable("OIDC_OPENID_REALM")
    OIDC_INTROSPECTION_AUTH_METHOD = 'client_secret_post'
    CUSTOM_SECURITY_MANAGER = OIDCSecurityManager
    AUTH_USER_REGISTRATION = True
    AUTH_USER_REGISTRATION_ROLE = 
get_env_variable("AUTH_USER_REGISTRATION_ROLE", 'Admin')
#--------------------------------------------------------------
```

Content of `/app/pythonpath/keycloak_security_manager.py`:
```python
from flask_appbuilder.security.manager import AUTH_OID
from superset.security import SupersetSecurityManager
from flask_oidc import OpenIDConnect
from flask_appbuilder.security.views import AuthOIDView
from flask_login import login_user
from urllib.parse import quote
from flask_appbuilder.views import ModelView, SimpleFormView, expose
import logging
from flask import redirect, request


class OIDCSecurityManager(SupersetSecurityManager):

    def __init__(self, appbuilder):
        super(OIDCSecurityManager, self).__init__(appbuilder)
        if self.auth_type == AUTH_OID:
            self.oid = OpenIDConnect(self.appbuilder.get_app)
        self.authoidview = AuthOIDCView

class AuthOIDCView(AuthOIDView):

    @expose('/login/', methods=['GET', 'POST'])
    def login(self, flag=True):
        sm = self.appbuilder.sm
        oidc = sm.oid

        @self.appbuilder.sm.oid.require_login
        def handle_login():
            user = sm.auth_user_oid(oidc.user_getfield('email'))

            if user is None:
                info = oidc.user_getinfo(['preferred_username', 'given_name', 
'family_name', 'email'])
                user = sm.add_user(info.get('preferred_username'), 
info.get('given_name'), info.get('family_name'),
                                   info.get('email'), sm.find_role('Admin'))

            login_user(user, remember=False)
            return redirect(self.appbuilder.get_url_for_index)

        return handle_login()

    @expose('/logout/', methods=['GET', 'POST'])
    def logout(self):
        oidc = self.appbuilder.sm.oid

        oidc.logout()
        super(AuthOIDCView, self).logout()
        redirect_url = request.url_root.strip('/') + 
self.appbuilder.get_url_for_login

        return redirect(
            oidc.client_secrets.get('issuer') + 
'/protocol/openid-connect/logout?redirect_uri=' + quote(redirect_url))
```

Content of `/app/pythonpath/client_secret.json`:
```json
{
  "web": {
      "issuer": "https://auth.mydomain.com/realms/demo";,
      "auth_uri": 
"https://auth.mydomain.com/realms/demo/protocol/openid-connect/auth";,
      "client_id": "superset",
      "client_secret": "<Client Secret>",
      "redirect_uris": [
          "https://superset.demo.mydomain.com/*";
      ],
      "userinfo_uri": 
"https://auth.mydomain.com/realms/demo/protocol/openid-connect/userinfo";,
      "token_uri": 
"https://auth.mydomain.com/realms/demo/protocol/openid-connect/token";,
      "token_introspection_uri": 
"https://auth.mydomain.com/realms/demo/protocol/openid-connect/token/introspect";
  }
}
```
The environment variables I pass to my Docker Swarm service:
```
FLASK_ENV=production
SUPERSET_ENV=production
SUPERSET_LOAD_EXAMPLES=no
CYPRESS_CONFIG=false
SUPERSET_PORT=8088
OIDC_ENABLE=True
OIDC_OPENID_REALM=demo
```
NOTA: I remove my environment variables related to mysql and redis.

Thanks for your help. Tell me if some information is missing.


GitHub link: https://github.com/apache/superset/discussions/34659

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: 
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to