Return-Path: <dev-return-879-archive-asf-public=cust-asf.ponee.io@airflow.incubator.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 233F5200B67
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Tue, 16 Aug 2016 23:43:16 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 21D83160AA8; Tue, 16 Aug 2016 21:43:16 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 69994160A74
	for <archive-asf-public@cust-asf.ponee.io>; Tue, 16 Aug 2016 23:43:15 +0200 (CEST)
Received: (qmail 26738 invoked by uid 500); 16 Aug 2016 21:43:14 -0000
Mailing-List: contact dev-help@airflow.incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@airflow.incubator.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@airflow.incubator.apache.org>
List-Post: <mailto:dev@airflow.incubator.apache.org>
List-Id: <dev.airflow.incubator.apache.org>
Reply-To: dev@airflow.incubator.apache.org
Delivered-To: mailing list dev@airflow.incubator.apache.org
Received: (qmail 26726 invoked by uid 99); 16 Aug 2016 21:43:14 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 16 Aug 2016 21:43:14 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id DE837C1D34
	for <dev@airflow.apache.org>; Tue, 16 Aug 2016 21:43:13 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: 1.279
X-Spam-Level: *
X-Spam-Status: No, score=1.279 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=2,
	RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01,
	RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=disabled
Authentication-Results: spamd1-us-west.apache.org (amavisd-new);
	dkim=pass (2048-bit key) header.d=thinknear-com.20150623.gappssmtp.com
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024)
	with ESMTP id r055Udkqdu6V for <dev@airflow.apache.org>;
	Tue, 16 Aug 2016 21:43:11 +0000 (UTC)
Received: from mail-qk0-f170.google.com (mail-qk0-f170.google.com [209.85.220.170])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id 7A1CA5F2F0
	for <dev@airflow.incubator.apache.org>; Tue, 16 Aug 2016 21:43:10 +0000 (UTC)
Received: by mail-qk0-f170.google.com with SMTP id l2so84645231qkf.3
        for <dev@airflow.incubator.apache.org>; Tue, 16 Aug 2016 14:43:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=thinknear-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:from:date:message-id:subject:to;
        bh=0oXSoPYX3QGYyQcLClrtnzIo36LI616XHonShuEzL7Q=;
        b=hexfBqWCGsFy+4MeweobtT6C8tPbzW1WYf0VldoaMJ/EwnJO0dQJP/l6iUzEHHqJo3
         VVNFxaMZgcyZxeuzSwFzvEpv54r9Dl4sr1U/uUoL19X/8JEW9haktGPjCyOwleErvQ+q
         07ONhmjjQdRI/uqpdQo9nQrLyC3uKqK3lXa4ylEeg076kCdPGVAuNIj9wzC+MSjnIboP
         PD3NTxiUKfUzyb2X7P8Vhlkplj4/BGFfm7D3nzSzMnVTkZXjBOdvO8TdQPSqmDash7Dq
         cJYf/apUORDAUCcsMoyRmJ4AeLOXoOhhrkhQG/zAlXEHH1LCZaFF591zVaZufWZ2WGP6
         Bzzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=0oXSoPYX3QGYyQcLClrtnzIo36LI616XHonShuEzL7Q=;
        b=btXpYwX2+/xfv6nMvhAEImzlts/SMHPDDlwpGKdWNkaMM1CGNiqFvkvsOde3zfJn8X
         ipmE0XxVCzJsEaIyzNCyW3OEfUtuBbiv3HeUvIHf0RDnlXBH3sluZ8hnvzoQQMRUSIWM
         uFTaTh7wjjpOVcL7xKTcjjgaSanOp4P8NHwyhqyjz8+WSz4PVBweYn4oxThgBBOAlkEn
         OSzGzkhPVGVj/jzn7NU/jhx94BEitCEMwyNmUe4mqBd3YQmzCbcHVJpbB/SGZEAg1F/v
         vJloGCQx4NUvdJfOxdbFXfsG5icVTojD2BynLZtT5zFfeH3dfKhnDvlxFMMcpUAAyLrt
         UqIg==
X-Gm-Message-State: AEkoouuJLDOXYjB6mKi4l9Q0YbfE1K58wCCug+DJzcZT0SvHjkKYrEVCIgIGZzpyiHs4u1ObvOp+hyIz0IqqQewR
X-Received: by 10.55.145.197 with SMTP id t188mr27064591qkd.172.1471383788705;
 Tue, 16 Aug 2016 14:43:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.237.56.129 with HTTP; Tue, 16 Aug 2016 14:43:08 -0700 (PDT)
From: David Klosowski <davidk@thinknear.com>
Date: Tue, 16 Aug 2016 14:43:08 -0700
Message-ID: <CAEsQ4pZcoP9NsZcePm-4G54==Gnnn=L2Vhq2ACnBrRxZTXY2rg@mail.gmail.com>
Subject: Setting up web auth with OAuth and Github
To: dev@airflow.incubator.apache.org
Content-Type: multipart/alternative; boundary=94eb2c08340a0e55d7053a373c53
archived-at: Tue, 16 Aug 2016 21:43:16 -0000

--94eb2c08340a0e55d7053a373c53
Content-Type: text/plain; charset=UTF-8

I've been trying to see if there is a way to setup airflow to use github
outh for authentication with Github.

https://developer.github.com/v3/oauth/

I've read through:

http://airflow.incubator.apache.org/security.html

And I see a GitHub Enterprise Authentication section, so I tried to set
this up with Github.

Since I'm emailing the list, this obviously isn't working.  So I'm curious,
is there particularly any reason why it shouldn't?

I was able to authorize my Airflow application, but whenever I try to
navigate to the web server, I see the following error in the logs:

[2016-08-16 20:21:56,458] {github_enterprise_auth.py:199} ERROR -
Traceback (most recent call last):
  File
"/usr/local/lib/python2.7/dist-packages/airflow/contrib/auth/backends/github_enterprise_auth.py",
line 193, in oauth_callback
    username, email = self.get_ghe_user_profile_info(ghe_token)
  File
"/usr/local/lib/python2.7/dist-packages/airflow/contrib/auth/backends/github_enterprise_auth.py",
line 133, in get_ghe_user_profile_info
    resp.status if resp else 'None'))
AuthenticationError: Failed to fetch user profile, status (404)

And I'm not sure why that is failing.

"Airflow" is setup as an application in my organization.

I have the following setup in my airflow.cfg:

authenticate = True
auth_backend = airflow.contrib.auth.backends.github_enterprise_auth

# Filter the list of dags by owner name (requires authentication to be
enabled)
[github_enterprise]
host = github.com
client_id = ****************
client_secret = *****************
oauth_callback_route = /thinknear/ghe_oauth/callback
allowed_teams = Engineers

I wasn't sure above what to set the "oauth_callback_route" to but this does
match the Application added to my organization.

I see the following requests (where "Airflow HOST" is my host name):

> [Airflow HOST] -> 302
> [Airflow HOST]/admin -> 302
> [Airflow HOST]/admin/airflow/login?next=%2Fadmin%2F -> 302
>
https://github.com/login/oauth/authorize?response_type=code&client_id=*****&redirect_uri=http%3A%2F%2F[Airflow
HOST]%2Fthinknear%2Fghe_oauth%2Fcallback%3Fnext%3D%252Fadmin%252F&scope=user%2Cread%3Aorg
-> 302
> [Airflow
HOST]/thinknear/ghe_oauth/callback?code=f6b43bed94248b9ccd85&next=%2Fadmin%2F
-> 302
> http://airflow-web.sandbox.thinknearhub.com/admin/airflow/noaccess


Any thoughts?

Thanks.

Cheers,
David

--94eb2c08340a0e55d7053a373c53--