AWS Cognito OAuth configuration for Flask Appbuilder

Problem description

I am setting up RBAC with Airflow, and testing locally to start. I have provisioned an AWS Cognito User Group via the console. Additionally, I have a webserver_config.py file I have mounted to my Airflow docker container to set up OAuth with RBAC.

Relevant section in my webserver_config.py file:
import os

COGNITO_URL = os.getenv('COGNITO_URL')
CONSUMER_KEY = os.getenv('COGNITO_CLIENT_KEY')
SECRET_KEY = os.getenv('COGNITO_CLIENT_SECRET')

# When using OAuth Auth, uncomment to setup provider(s) info
# Google OAuth example:
OAUTH_PROVIDERS = [{
    'name': 'AWS Cognito',
    'whitelist': ['@company.com'],  # optional
    'token_key': 'access_token',
    'icon': 'fa-amazon',
    'remote_app': {
        'base_url': os.path.join(COGNITO_URL, 'oauth2/idpresponse'),
        # 'base_url': COGNITO_URL,
        'request_token_params': {
            'scope': 'email profile'
        },
        'access_token_url': os.path.join(COGNITO_URL, 'oauth2/token'),
        'authorize_url': os.path.join(COGNITO_URL, 'oauth2/authorize'),
        'request_token_url': None,
        'consumer_key': CONSUMER_KEY,
        'consumer_secret': SECRET_KEY,
    }
}]
Variables are as follows:

COGNITO_URL: The domain name I have created in the "App Integration" section of my user pool
COGNITO_CLIENT_KEY: The app client id for my app in the "App Clients" section of my user pool
COGNITO_CLIENT_SECRET: The app client secret for my app in the "App Clients" section of my user pool

In the Cognito UI, I have the following settings for my App Client: [screenshot of the App Client settings not included]

Basically, I have set the endpoints as they should be on my local machine when testing. I have fiddled with both the http://localhost:8083/oauth2/idpresponse and http://localhost:8083/admin (normal home page for Airflow) routes and received the same error.

I think that the issue is that the URI the client is trying to request and the URI specified do not match. I tried following the advice at https://stackoverflow.com/a/53602884/13717098, but when I extracted that URI and saved it in the Cognito console, I continue to get the same error. I am looking for help identifying the URI needed. The request I've identified per the linked post is:

/oauth2/authorize?response_type=code&client_id=269vguq386076suj80vpq4ctmj&redirect_uri=http%3A%2F%2Flocalhost%3A8083%2Foauth-authorized%2FAWS%2520Cognito&scope=email+profile&state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuZXh0IjpbImh0dHA6Ly9sb2NhbGhvc3Q6ODA4My9ob21lIl19.CcuxpZyuVIqW0GtnNL219Xkg1IftE0tzFiVilR6b4us

I would appreciate any help with identifying the URI and/or its associated patterns.

Answer

Edited for spacing.

The Flask builder library uses the name of the config object as the value in redirect_uri. Set the callback value to:

http://localhost:8083/oauth-authorized/AWS%20Cognito

instead of http://localhost:8080/oauth2/idresponse in the AWS Cognito client. This should solve the redirection issue.

The real problem will start with the userinfo endpoint, as AWS Cognito uses the OpenID auth pattern.

EDIT

AWS Cognito has an oauth2/userinfo endpoint for receiving user information. To retrieve the userinfo, you're supposed to send the openid scope along with your request. Following is my webserver_config.py. This should get the Airflow webserver working with AWS Cognito. Roles and permissions management can be done by you.

from airflow.www_rbac.security import AirflowSecurityManager
from flask_appbuilder.security.manager import AUTH_OAUTH
import os
import json


class CognitoSecurity(AirflowSecurityManager):
    # Called by Flask-AppBuilder after the token exchange; 'provider' is the
    # 'name' value from OAUTH_PROVIDERS below.
    def oauth_user_info(self, provider, response=None):
        if provider == "aws_cognito":
            # Relative path, resolved against the remote_app base_url, so this
            # reaches the Cognito oauth2/userInfo endpoint
            me = self.appbuilder.sm.oauth_remotes[provider].get("userInfo")
            data = json.loads(me.raw_data)
            print("User info from aws_cognito: {0}".format(data))
            return {"username": data.get("username"), "email": data.get("email")}
        else:
            return {}


AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
COGNITO_URL = ""
CONSUMER_KEY = ""
SECRET_KEY = ""
OAUTH_PROVIDERS = [{
    'name': 'aws_cognito',
    'whitelist': ['@positsource.com'],  # optional
    'token_key': 'access_token',
    'url': COGNITO_URL,
    'icon': 'fa-amazon',
    'remote_app': {
        'base_url': os.path.join(COGNITO_URL, 'oauth2/idpresponse'),
        'request_token_params': {
            # 'openid' is required for the userInfo call to succeed
            'scope': 'email profile openid'
        },
        'access_token_url': os.path.join(COGNITO_URL, 'oauth2/token'),
        'authorize_url': os.path.join(COGNITO_URL, 'oauth2/authorize'),
        'request_token_url': None,
        'consumer_key': CONSUMER_KEY,
        'consumer_secret': SECRET_KEY,
    }
}]
SECURITY_MANAGER_CLASS = CognitoSecurity
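As an added example (not code from the question or the answer above), the following script derives the callback Flask-AppBuilder sends for a given provider name and checks a captured authorize request against the callbacks registered on the Cognito app client and the scopes the userinfo call needs; the function names, the placeholder Cognito domain and the sample request are assumptions of the example.

```python
# Added example, not code from the question or the answer above. It checks a
# captured /oauth2/authorize request the way you would when debugging a
# Cognito redirect_mismatch error: derive the callback Flask-AppBuilder sends
# for a provider name, compare it with the registered callbacks, and confirm
# the scopes cover the userinfo call. Function names are this example's own.
from urllib.parse import quote, urlparse, parse_qs


def expected_callback(base_url, provider_name):
    """Flask-AppBuilder redirects to /oauth-authorized/<provider name>, so a
    name containing a space is sent as 'AWS%20Cognito' (and shows up
    double-encoded as %2520 inside the redirect_uri query parameter)."""
    return "{0}/oauth-authorized/{1}".format(base_url.rstrip("/"), quote(provider_name))


def check_authorize_request(request_url, registered_callbacks, required_scopes):
    """Return findings for one authorize request: the redirect_uri Cognito
    will see, whether it is registered on the app client, which required
    scopes are missing, and whether a CSRF state value is present."""
    params = parse_qs(urlparse(request_url).query)
    # parse_qs decodes the parameter once, which is what Cognito compares
    redirect_uri = params.get("redirect_uri", [""])[0]
    scopes = set(params.get("scope", [""])[0].split())
    return {
        "redirect_uri": redirect_uri,
        "callback_registered": redirect_uri in set(registered_callbacks),
        "missing_scopes": sorted(set(required_scopes) - scopes),
        "has_state": bool(params.get("state", [""])[0]),
    }


# Constructed sample modelled on the request in the question; the Cognito
# domain, client_id and state are placeholders.
SAMPLE_REQUEST = (
    "https://COGNITO_DOMAIN_PLACEHOLDER/oauth2/authorize"
    "?response_type=code&client_id=CLIENT_ID_PLACEHOLDER"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8083%2Foauth-authorized%2FAWS%2520Cognito"
    "&scope=email+profile&state=STATE_PLACEHOLDER"
)

if __name__ == "__main__":
    callback = expected_callback("http://localhost:8083", "AWS Cognito")
    required = ["openid", "email", "profile"]
    # The question registered oauth2/idpresponse, so the callback is not found
    print(check_authorize_request(SAMPLE_REQUEST, {"http://localhost:8083/oauth2/idpresponse"}, required))
    # Registering the derived callback fixes the redirect; 'openid' is still missing
    print(check_authorize_request(SAMPLE_REQUEST, {callback}, required))
```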