FAB 認證管理器認證¶

預設情況下，FAB 認證管理器要求使用者在登入前指定密碼。您可以使用以下 CLI 命令建立帳戶

# create an admin user
airflow users create \
    --username admin \
    --firstname Peter \
    --lastname Parker \
    --role Admin \
    --email spiderman@superhero.org

要停用認證並允許使用者以匿名使用者身份識別，需要將 $AIRFLOW_HOME/webserver_config.py 檔案中的以下條目設定為匿名使用者預設擁有的所需角色

AUTH_ROLE_PUBLIC = 'Admin'

注意

Airflow 使用 Python 的配置解析器。此配置解析器會解析 ‘%’ 符號。請確保在您的配置檔案中（但不包括環境變數）將任何 % 符號轉義為 %%，否則 Airflow 可能會在配置解析器發生異常時將這些密碼洩露到日誌中。

密碼¶

最簡單的認證機制之一是要求使用者在登入前指定密碼。

請使用命令列介面 airflow users create 建立帳戶，或者在 UI 中進行操作。

其他方法¶

會自動生成一個 webserver_config.py 配置檔案，可用於配置 FAB 認證管理器以支援 OAuth、OpenID、LDAP、REMOTE_USER 等認證方法。需要注意的是，由於 Flask AppBuilder 和 Authlib 的限制，只支援一部分 OAuth2 提供商。此列表包括 github、githublocal、twitter、linkedin、google、azure、openshift、okta、keycloak 和 keycloak_before_17。

預設情況下，使用 $AIRFLOW_HOME/webserver_config.py 中的以下條目。

AUTH_TYPE = AUTH_DB

可以使用 WSGI 中介軟體來管理非常具體的認證形式（例如 SPNEGO），並利用 REMOTE_USER 方法

from typing import Any, Callable

from flask import current_app
from flask_appbuilder.const import AUTH_REMOTE_USER


class CustomMiddleware:
    def __init__(self, wsgi_app: Callable) -> None:
        self.wsgi_app = wsgi_app

    def __call__(self, environ: dict, start_response: Callable) -> Any:
        # Custom authenticating logic here
        # ...
        environ["REMOTE_USER"] = "username"
        return self.wsgi_app(environ, start_response)


current_app.wsgi_app = CustomMiddleware(current_app.wsgi_app)

AUTH_TYPE = AUTH_REMOTE_USER

另一種建立使用者的方式是在 UI 登入頁面，透過“註冊”按鈕允許使用者自行註冊。可以編輯 $AIRFLOW_HOME/webserver_config.py 中的以下條目以實現此功能

AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Desired Role For The Self Registered User"
RECAPTCHA_PRIVATE_KEY = 'private_key'
RECAPTCHA_PUBLIC_KEY = 'public_key'

MAIL_SERVER = 'smtp.gmail.com'
MAIL_USE_TLS = True
MAIL_USERNAME = 'yourappemail@gmail.com'
MAIL_PASSWORD = 'passwordformail'
MAIL_DEFAULT_SENDER = 'sender@gmail.com'

需要透過 pip 安裝 Flask-Mail 包以允許使用者自行註冊，因為這是 Flask-AppBuilder 框架提供的一項功能。

為了支援透過第三方提供商進行認證，需要將 AUTH_TYPE 條目更新為所需的選項，例如 OAuth、OpenID、LDAP，並且需要移除所選選項的引用行的註釋並在 $AIRFLOW_HOME/webserver_config.py 中進行配置。

有關更多詳細資訊，請參閱 FAB 文件的安全性部分。

使用基於團隊的授權與 GitHub OAuth 的示例¶

使用基於團隊的授權與 GitHub OAuth 需要執行幾個步驟。

透過 webserver_config.py 中的 FAB 配置來配置 OAuth
建立自定義安全管理器類並在 webserver_config.py 中將其提供給 FAB
將您的安全管理器類返回的角色對映到 FAB 可理解的角色。

以下是您可能在 webserver_config.py 中擁有的內容示例

from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
from flask_appbuilder.security.manager import AUTH_OAUTH
import os

AUTH_TYPE = AUTH_OAUTH
AUTH_ROLES_SYNC_AT_LOGIN = True  # Checks roles on every login
AUTH_USER_REGISTRATION = True  # allow users who are not already in the FAB DB to register

AUTH_ROLES_MAPPING = {
    "Viewer": ["Viewer"],
    "Admin": ["Admin"],
}
# If you wish, you can add multiple OAuth providers.
OAUTH_PROVIDERS = [
    {
        "name": "github",
        "icon": "fa-github",
        "token_key": "access_token",
        "remote_app": {
            "client_id": os.getenv("OAUTH_APP_ID"),
            "client_secret": os.getenv("OAUTH_APP_SECRET"),
            "api_base_url": "https://api.github.com",
            "client_kwargs": {"scope": "read:user, read:org"},
            "access_token_url": "https://github.com/login/oauth/access_token",
            "authorize_url": "https://github.com/login/oauth/authorize",
            "request_token_url": None,
        },
    },
]


class CustomSecurityManager(FabAirflowSecurityManagerOverride):
    pass


# Make sure to replace this with your own implementation of AirflowSecurityManager class
SECURITY_MANAGER_CLASS = CustomSecurityManager

以下是定義自定義安全管理器的示例。此類別必須在 Python 的路徑中可用，如果需要，也可以在 webserver_config.py 本身中定義。

from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
import logging
from typing import Any, List, Union
import os

log = logging.getLogger(__name__)
log.setLevel(os.getenv("AIRFLOW__LOGGING__FAB_LOGGING_LEVEL", "INFO"))

FAB_ADMIN_ROLE = "Admin"
FAB_VIEWER_ROLE = "Viewer"
FAB_PUBLIC_ROLE = "Public"  # The "Public" role is given no permissions
TEAM_ID_A_FROM_GITHUB = 123  # Replace these with real team IDs for your org
TEAM_ID_B_FROM_GITHUB = 456  # Replace these with real team IDs for your org


def team_parser(team_payload: dict[str, Any]) -> list[int]:
    # Parse the team payload from GitHub however you want here.
    return [team["id"] for team in team_payload]


def map_roles(team_list: list[int]) -> list[str]:
    # Associate the team IDs with Roles here.
    # The expected output is a list of roles that FAB will use to Authorize the user.

    team_role_map = {
        TEAM_ID_A_FROM_GITHUB: FAB_ADMIN_ROLE,
        TEAM_ID_B_FROM_GITHUB: FAB_VIEWER_ROLE,
    }
    return list(set(team_role_map.get(team, FAB_PUBLIC_ROLE) for team in team_list))


class GithubTeamAuthorizer(FabAirflowSecurityManagerOverride):
    # In this example, the oauth provider == 'github'.
    # If you ever want to support other providers, see how it is done here:
    # https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/manager.py#L550
    def get_oauth_user_info(self, provider: str, resp: Any) -> dict[str, Union[str, list[str]]]:
        # Creates the user info payload from Github.
        # The user previously allowed your app to act on their behalf,
        #   so now we can query the user and teams endpoints for their data.
        # Username and team membership are added to the payload and returned to FAB.

        remote_app = self.appbuilder.sm.oauth_remotes[provider]
        me = remote_app.get("user")
        user_data = me.json()
        team_data = remote_app.get("user/teams")
        teams = team_parser(team_data.json())
        roles = map_roles(teams)
        log.debug(f"User info from Github: {user_data}\nTeam info from Github: {teams}")
        return {"username": "github_" + user_data.get("login"), "role_keys": roles}

使用基於團隊的授權與 KeyCloak 的示例¶

以下是您可能在 webserver_config.py 中擁有的內容示例

import os
import jwt
import requests
import logging
from base64 import b64decode
from cryptography.hazmat.primitives import serialization
from flask_appbuilder.security.manager import AUTH_DB, AUTH_OAUTH
from airflow import configuration as conf
from airflow.www.security import AirflowSecurityManager

log = logging.getLogger(__name__)

AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_ROLES_SYNC_AT_LOGIN = True
AUTH_USER_REGISTRATION_ROLE = "Viewer"
OIDC_ISSUER = "https://sso.keycloak.me/realms/airflow"

# Make sure you create these role on Keycloak
AUTH_ROLES_MAPPING = {
    "Viewer": ["Viewer"],
    "Admin": ["Admin"],
    "User": ["User"],
    "Public": ["Public"],
    "Op": ["Op"],
}

OAUTH_PROVIDERS = [
    {
        "name": "keycloak",
        "icon": "fa-key",
        "token_key": "access_token",
        "remote_app": {
            "client_id": "airflow",
            "client_secret": "xxx",
            "server_metadata_url": "https://sso.keycloak.me/realms/airflow/.well-known/openid-configuration",
            "api_base_url": "https://sso.keycloak.me/realms/airflow/protocol/openid-connect",
            "client_kwargs": {"scope": "email profile"},
            "access_token_url": "https://sso.keycloak.me/realms/airflow/protocol/openid-connect/token",
            "authorize_url": "https://sso.keycloak.me/realms/airflow/protocol/openid-connect/auth",
            "request_token_url": None,
        },
    }
]

# Fetch public key
req = requests.get(OIDC_ISSUER)
key_der_base64 = req.json()["public_key"]
key_der = b64decode(key_der_base64.encode())
public_key = serialization.load_der_public_key(key_der)


class CustomSecurityManager(AirflowSecurityManager):
    def get_oauth_user_info(self, provider, response):
        if provider == "keycloak":
            token = response["access_token"]
            me = jwt.decode(token, public_key, algorithms=["HS256", "RS256"])

            # Extract roles from resource access
            realm_access = me.get("realm_access", {})
            groups = realm_access.get("roles", [])

            log.info("groups: {0}".format(groups))

            if not groups:
                groups = ["Viewer"]

            userinfo = {
                "username": me.get("preferred_username"),
                "email": me.get("email"),
                "first_name": me.get("given_name"),
                "last_name": me.get("family_name"),
                "role_keys": groups,
            }

            log.info("user info: {0}".format(userinfo))

            return userinfo
        else:
            return {}


# Make sure to replace this with your own implementation of AirflowSecurityManager class
SECURITY_MANAGER_CLASS = CustomSecurityManager