apache / superset

Apache Superset is a Data Visualization and Data Exploration Platform
https://superset.apache.org/
Apache License 2.0

upgrade to superset 3.0.0 (helmchart 0.10.10) breaks okta integration (working in superset 2.1.0 helmchart 0.10.6) #25650

Open arpitgargfk opened 1 year ago

arpitgargfk commented 1 year ago

We are using Okta integration in Superset and it works perfectly in Superset v2.1.0 (we use Helm chart 0.10.6). We use CustomSsoSecurityManager() for our Okta integration and we have faced no issues so far. However, we recently upgraded to Superset v3.0.0 via Helm chart 0.10.10 and found that our Okta integration breaks. When we try to log in to Superset by clicking the login option, we keep getting redirected back to the login screen, with the error below in the Superset pod log (on Kubernetes). Expected result: the user should get logged in to Superset and be able to access the SQL Lab feature.

Error in logs

ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: mismatching_state: CSRF Warning! State not equal in request and response."

The Okta configuration used in the superset_config_overrides.py file is below:

import os

from flask_appbuilder.security.manager import AUTH_OAUTH
from superset.security import SupersetSecurityManager


def get_env_variable(var_name, default=None):
    # same helper that Superset's docker superset_config.py provides; defined
    # here so this overrides file stands on its own
    value = os.environ.get(var_name)
    if value is not None:
        return value
    if default is None:
        raise EnvironmentError(f"The environment variable {var_name} was missing.")
    return default


class CustomSsoSecurityManager(SupersetSecurityManager):
    def oauth_user_info(self, provider="okta", response=None):
        if provider == "okta":
            res = self.appbuilder.sm.oauth_remotes[provider].get("userinfo")
            me = res.json()
            # if the user belongs to any group whose name contains SUPERSET,
            # hand those groups to AUTH_ROLES_MAPPING; otherwise use SUPERSET_PUBLIC
            superset_groups = []
            if "groups" in me:
                for g in me["groups"]:
                    if "SUPERSET" in g:
                        superset_groups.append(g)

            if not superset_groups:
                superset_groups.append("SUPERSET_PUBLIC")
            return {
                "username": me["email"],
                "name": me["name"],
                "email": me["email"],
                "first_name": me["given_name"],
                "last_name": me["family_name"],
                "role_keys": superset_groups,
            }


OKTA_DOMAIN = get_env_variable("OKTA_DOMAIN")
OKTA_KEY = get_env_variable("OKTA_KEY")
OKTA_SECRET = get_env_variable("OKTA_SECRET")
AUTH_TYPE = AUTH_OAUTH
# registration configs
AUTH_USER_REGISTRATION = True  # allow users who are not already in the FAB DB

# the list of providers which the user can choose from
OAUTH_PROVIDERS = [
    {
        "name": "okta",
        "icon": "fa-circle-o",
        "token_key": "access_token",
        "remote_app": {
            "client_id": OKTA_KEY,
            "client_secret": OKTA_SECRET,
            "api_base_url": OKTA_DOMAIN + "/oauth2/v1/",
            "client_kwargs": {"scope": "openid profile email groups"},
            "access_token_url": OKTA_DOMAIN + "/oauth2/v1/token",
            "authorize_url": OKTA_DOMAIN + "/oauth2/v1/authorize",
            "server_metadata_url": OKTA_DOMAIN
            + "/.well-known/openid-configuration",
        },
    },
]

# if we should replace ALL the user's roles each login, or only on registration
AUTH_ROLES_SYNC_AT_LOGIN = True
# force users to re-auth after 3 hours of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = int(get_env_variable("USER_IDLE_SESSION_TIME", 10800))
# okta user groups to Superset role mapping
AUTH_ROLES_MAPPING = {
    "SUPERSET_PUBLIC": ["Public", "Alpha", "Gamma", "sql_lab"],
    "SUPERSET_ADMINS": ["Admin"],
}
CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager

sfirke commented 1 year ago

Possible duplicate of https://github.com/apache/superset/issues/24579. Between 2.1.0 and 3.0.0 several security settings were tightened by default. If you weren't specifying these, perhaps that's the issue. See the workarounds discussed in that thread.
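
To show what the logged error is actually checking, here is a constructed simulation (added here; not code from the thread, Superset or authlib) of the OAuth state round-trip: the state minted at /login/okta is kept in the server-side session, and the callback succeeds only if the browser sends back the cookie for that same session and the echoed state matches it. It also shows one generic way the cookie can fail to round-trip, a session cookie flagged Secure on a plain-http deployment; the host name, cookie attributes and session-key name are assumptions of this simulation, not a statement of what changed in 3.0.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

MISMATCH = "mismatching_state: CSRF Warning! State not equal in request and response."
SESSIONS = {}  # constructed stand-in for the server-side session store, keyed by session id


@dataclass
class Cookie:
    value: str
    secure: bool  # a browser returns a Secure cookie only over https


@dataclass
class Browser:
    jar: dict = field(default_factory=dict)  # cookie name -> Cookie

    def cookies_for(self, url):
        https = urlparse(url).scheme == "https"
        return {n: c.value for n, c in self.jar.items() if https or not c.secure}


def authorize_redirect(browser, secure_cookie):
    """Server side of /login/okta: mint a state, store it in a fresh session,
    hand the browser the session cookie, and send the state along to the IdP."""
    sid, state = secrets.token_urlsafe(8), secrets.token_urlsafe(16)
    SESSIONS[sid] = {"_okta_state_": state}  # key name is illustrative
    browser.jar["session"] = Cookie(sid, secure=secure_cookie)
    return state  # the IdP echoes this back as ?state= on the callback


def oauth_callback(browser, callback_url, state_in_request):
    """Server side of /oauth-authorized/okta: the echoed state must equal the
    one in the session identified by the cookie the browser actually sent."""
    sid = browser.cookies_for(callback_url).get("session")
    stored = SESSIONS.get(sid, {}).get("_okta_state_")
    if stored is None or not secrets.compare_digest(stored, state_in_request):
        return MISMATCH
    return "ok"


def run_flow(scheme, secure_cookie, tamper=False):
    """Drive both legs against a constructed host; tamper=True replays a state
    that was never issued to this session, which the check must also reject."""
    browser = Browser()
    state = authorize_redirect(browser, secure_cookie)
    if tamper:
        state = secrets.token_urlsafe(16)
    return oauth_callback(browser, f"{scheme}://superset.example.test/oauth-authorized/okta", state)
```

Run `run_flow("http", True)` to see the exact message from the log above produced by a cookie that never came back, and `run_flow("https", True)` for the healthy exchange.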

codebat-hasan commented 1 year ago

from flask import flash, redirect, request
from flask_appbuilder import expose
from flask_appbuilder.security.manager import BaseSecurityManager
from flask_login import login_user

# Create a custom view to authenticate the user
AuthRemoteUserView = BaseSecurityManager.authremoteuserview


class CustomAuthUserView(AuthRemoteUserView):
    @expose('/login/')
    def login(self):
        token = request.args.get('token')
        next = request.args.get('next')
        sm = self.appbuilder.sm
        session = sm.get_session
        # the account this view signs in when the token matches
        user = session.query(sm.user_model).filter_by(username='admin').first()
        if user is not None and token == 'some token':
            login_user(user, remember=False, force=True)
            if next is not None:
                return redirect(next)
            return redirect(self.appbuilder.get_url_for_index)
        flash('Unable to auto login', 'warning')
        return super().login()

I have added this code to my my-values.yml file to create a custom login with a token, but this login is not working with version 3.0.1; it was working perfectly fine with version 2.0.

rusackas commented 7 months ago

Are either of you (@arpitgargfk or @codebat-hasan) still facing issues here? It's been about 5 months, so I'm wondering whether newer Helm charts solved the problem or whether you've moved on in some other way.

arpitgargfk commented 7 months ago

We used https://github.com/apache/superset/issues/25374#issuecomment-1735702931 and it worked; however, we are still running v2.1.0 in production.