1

I am trying to use Keycloak with Apache Superset. I have spent hours on the links below but am unable to replace the current login.

  1. Using OpenID/Keycloak with Superset
  2. Using KeyCloak (OpenID Connect) with Apache SuperSet

I am using Apache Superset 0.34.5, while the above links use 0.28 and below.

I am confused at the initial step. Let me explain the steps and see what I am missing.

I installed Superset using pip.

The structure I have is: config.py and security.py are at the same level (I don't have a security folder).

I renamed the security to oid_security.

I created a security.py with the following content.

```python
from flask import redirect, request  # both are used by the view below
from flask_appbuilder.security.manager import AUTH_OID
from superset.security import SupersetSecurityManager
from flask_oidc import OpenIDConnect
from flask_appbuilder.security.views import AuthOIDView
from flask_login import login_user
from urllib.parse import quote
from flask_appbuilder.views import ModelView, SimpleFormView, expose
import logging

class AuthOIDCView(AuthOIDView):

    @expose('/login/', methods=['GET', 'POST'])
    def login(self, flag=True):
        sm = self.appbuilder.sm
        oidc = sm.oid

        # require_login redirects to Keycloak when there is no OIDC session yet
        @self.appbuilder.sm.oid.require_login
        def handle_login():
            user = sm.auth_user_oid(oidc.user_getfield('email'))

            # First login: create a local user with the Gamma role
            if user is None:
                info = oidc.user_getinfo(['preferred_username', 'given_name', 'family_name', 'email'])
                user = sm.add_user(info.get('preferred_username'), info.get('given_name'), info.get('family_name'), info.get('email'), sm.find_role('Gamma'))

            login_user(user, remember=False)
            return redirect(self.appbuilder.get_url_for_index)

        return handle_login()

    @expose('/logout/', methods=['GET', 'POST'])
    def logout(self):

        oidc = self.appbuilder.sm.oid

        # End the local session, then the Keycloak session
        oidc.logout()
        super(AuthOIDCView, self).logout()
        redirect_url = request.url_root.strip('/') + self.appbuilder.get_url_for_login

        return redirect(oidc.client_secrets.get('issuer') + '/protocol/openid-connect/logout?redirect_uri=' + quote(redirect_url))

class OIDCSecurityManager(SupersetSecurityManager):
    authoidview = AuthOIDCView
    def __init__(self,appbuilder):
        super(OIDCSecurityManager, self).__init__(appbuilder)
        if self.auth_type == AUTH_OID:
            self.oid = OpenIDConnect(self.appbuilder.get_app)
```

I then created custom manager with the following

```python
from flask_appbuilder.security.manager import AUTH_OID
from flask_appbuilder.security.sqla.manager import SecurityManager
from flask_oidc import OpenIDConnect
class OIDCSecurityManager(SecurityManager):

    def __init__(self, appbuilder):
        super(OIDCSecurityManager, self).__init__(appbuilder)
        if self.auth_type == AUTH_OID:
            self.oid = OpenIDConnect(self.appbuilder.get_app)
        # AuthOIDCView is the view class from the previous snippet
        self.authoidview = AuthOIDCView
```

I created client_secret.json with my credentials. I edited the config file as below.

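```python
from flask_appbuilder.security.manager import AUTH_OID  # needed for AUTH_TYPE below
from superset.security import OIDCSecurityManager
AUTH_TYPE = AUTH_OID
OIDC_CLIENT_SECRETS = 'client_secret.json'
# False lets the ID-token cookie travel over plain HTTP; use True when serving over HTTPS
OIDC_ID_TOKEN_COOKIE_SECURE = False
# False accepts e-mail addresses the provider has not verified
OIDC_REQUIRE_VERIFIED_EMAIL = False
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = 'Gamma'
CUSTOM_SECURITY_MANAGER = OIDCSecurityManager
```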

One thing to mention here is that I have manager.py in the security folder in Flask AppBuilder, which has the Abstract Security Manager class. I am getting an error in security.py.

It says cannot import name SupersetSecurityManager from superset.security. Anyone, please?

iqbal
  • 29
  • 4

2 Answers

0

I suggest you start afresh and follow the steps that worked for me:

  1. Create a virtual environment within your superset directory and activate it.
  2. Install the flask-oidc and superset plugins within your virtual environment: `pip install flask-oidc`
  3. Have an oidc_security.py file with the script you pasted above, i.e. security.py in your setup.
  4. Have a client_secret.json file with your keycloak config.
  5. Have a superset_config.py with the script you pasted above.
  6. Add all three of these files to your pythonpath.
  7. Run the `superset db upgrade` and `superset init` commands.
  8. Finally, execute superset run. After the initialization completes, navigate to http://localhost:8088 on your browser. Expected behaviour: you'll be redirected to keycloak to login/register. After successful sign in, you'll be redirected to superset app.

I hope this helps. Do post back in case you succeed or face an error.

humble
  • 3
  • 3
  • Still looking into it. Now I am getting an internal server error saying providers=self.appbuilder.sm.openid_providers, File "/home/basharat/PycharmProjects/ss_sso/venv/lib/python3.7/site-packages/flask_appbuilder/security/manager.py", line 420, in openid_providers return self.appbuilder.get_app.config["OPENID_PROVIDERS"] KeyError: 'OPENID_PROVIDERS' It's still going to security/manager.py while it should go to oidc_security.py. I think I am close. – iqbal Feb 11 '20 at 20:45
  • Seems like you really are close. Did you add the **oidc_security.py** file to your pythonpath? Because you shouldn't be getting that error if you did. – humble Feb 12 '20 at 08:31
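
A check for the client_secret.json from step 4, as an added example that is not part of the original answer. It assumes the file uses flask-oidc's "web" layout with a Keycloak realm as issuer; the host, realm and client names are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Keys read from the "web" object: the OAuth2 client fields plus "issuer"
# (used by the logout view above) and "userinfo_uri" (used by user_getinfo).
REQUIRED = ("client_id", "client_secret", "redirect_uris", "auth_uri",
            "token_uri", "userinfo_uri", "issuer")
# Keycloak serves these endpoints under <issuer>/protocol/openid-connect/.
ENDPOINTS = {"auth_uri": "auth", "token_uri": "token", "userinfo_uri": "userinfo"}
LOCAL_HOSTS = ("localhost", "127.0.0.1")  # plain HTTP tolerated only here

def check_client_secrets(text):
    """Return a list of problems found in a client_secret.json document."""
    web = json.loads(text).get("web")
    if not isinstance(web, dict):
        return ['top-level "web" object is missing']
    problems = [f"missing key: {k}" for k in REQUIRED if not web.get(k)]
    issuer = str(web.get("issuer") or "").rstrip("/")
    urls = {"issuer": issuer}
    for key, suffix in ENDPOINTS.items():
        urls[key] = str(web.get(key) or "")
        expected = f"{issuer}/protocol/openid-connect/{suffix}"
        if issuer and urls[key] and urls[key] != expected:
            problems.append(f"{key} does not belong to the issuer realm")
    for i, uri in enumerate(web.get("redirect_uris") or []):
        urls[f"redirect_uris[{i}]"] = str(uri)
    for name, url in urls.items():
        parts = urlparse(url)
        if url and parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
            problems.append(f"{name} is not HTTPS: {url}")
    return problems

# Constructed sample values (hypothetical host, realm "demo", client "superset").
REALM = "https://keycloak.example.com/auth/realms/demo"
GOOD = {"web": {
    "issuer": REALM,
    "auth_uri": REALM + "/protocol/openid-connect/auth",
    "token_uri": REALM + "/protocol/openid-connect/token",
    "userinfo_uri": REALM + "/protocol/openid-connect/userinfo",
    "client_id": "superset",
    "client_secret": "REPLACE_WITH_CLIENT_SECRET",
    "redirect_uris": ["https://superset.example.com/*"],
}}
OTHER = "http://keycloak.example.com/auth/realms/other"
BAD = {"web": dict(GOOD["web"], client_secret="",
                   token_uri=OTHER + "/protocol/openid-connect/token")}

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_client_secrets(json.dumps(doc)))
```
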
0

I then created custom manager with the following

Where to update this??

```python
from flask_appbuilder.security.manager import AUTH_OID
from flask_appbuilder.security.sqla.manager import SecurityManager
from flask_oidc import OpenIDConnect
class OIDCSecurityManager(SecurityManager):

    def __init__(self, appbuilder):
        super(OIDCSecurityManager, self).__init__(appbuilder)
        if self.auth_type == AUTH_OID:
            self.oid = OpenIDConnect(self.appbuilder.get_app)
        self.authoidview = AuthOIDCView
```
nan jiang
  • 19
  • 1