Date: Tue, 19 Jun 2018 15:48:57 +0000
To: "commits@superset.apache.org"
Subject: [incubator-superset] branch master updated: Describe the use of custom OAuth2 authorization servers (#5220)
Message-ID: <152942333717.3491.8557119431192942402@gitbox.apache.org>
From: maximebeauchemin@apache.org X-Git-Host: gitbox.apache.org X-Git-Repo: incubator-superset X-Git-Refname: refs/heads/master X-Git-Reftype: branch X-Git-Oldrev: 5c106b9a2029ce306d210f0535418c77ddaf0cf1 X-Git-Newrev: a84f4304dec9a9f78d484b1fea5fae0953356071 X-Git-Rev: a84f4304dec9a9f78d484b1fea5fae0953356071 X-Git-NotificationType: ref_changed_plus_diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated This is an automated email from the ASF dual-hosted git repository. maximebeauchemin pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-superset.git The following commit(s) were added to refs/heads/master by this push: new a84f430 Describe the use of custom OAuth2 authorization servers (#5220) a84f430 is described below commit a84f4304dec9a9f78d484b1fea5fae0953356071 Author: Ricardo Peironcely AuthorDate: Tue Jun 19 17:48:48 2018 +0200 Describe the use of custom OAuth2 authorization servers (#5220) As Superset extends flask SecurityManager with its own implementation, it's not obvious how to connect Superset with OAuth2 authorization servers that are not covered under flask. --- docs/installation.rst | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/docs/installation.rst b/docs/installation.rst index 4666f82..41f1574 100644 --- a/docs/installation.rst +++ b/docs/installation.rst 
@@ -695,3 +695,72 @@ To install Superset into your Kubernetes: helm upgrade --install superset ./install/helm/superset Note that the above command will install Superset into ``default`` namespace of your Kubernetes cluster. + +Custom OAuth2 configuration +--------------------------- + +Beyond FAB supported providers (github, twitter, linkedin, google, azure), its easy to connect Superset with other OAuth2 Authorization Server implementations that supports "code" authorization. + +The first step: Configure authorization in Superset ``superset_config.py``. + +.. code-block:: python + + AUTH_TYPE = AUTH_OAUTH + + OAUTH_PROVIDERS = [ + { 'name':'egaSSO', + 'token_key':'access_token', # Name of the token in the response of access_token_url + 'icon':'fa-address-card', # Icon for the provider + 'remote_app': { + 'consumer_key':'myClientId', # Client Id (Identify Superset application) + 'consumer_secret':'MySecret', # Secret for this Client Id (Identify Superset application) + 'request_token_params':{ + 'scope': 'read' # Scope for the Authorization + }, + 'access_token_method':'POST', # HTTP Method to call access_token_url + 'access_token_params':{ # Additional parameters for calls to access_token_url + 'client_id':'myClientId' + }, + 'access_token_headers':{ # Additional headers for calls to access_token_url + 'Authorization': 'Basic Base64EncodedClientIdAndSecret' + }, + 'base_url':'https://myAuthorizationServer/oauth2AuthorizationServer/', + 'access_token_url':'https://myAuthorizationServer/oauth2AuthorizationServer/token', + 'authorize_url':'https://myAuthorizationServer/oauth2AuthorizationServer/authorize' + } + } + ] + + # Will allow user self registration, allowing to create Flask users from Authorized User + AUTH_USER_REGISTRATION = True + + # The default user self registration role + AUTH_USER_REGISTRATION_ROLE = "Public" + +Second step: Create a `CustomSsoSecurityManager` that extends `SupersetSecurityManager` and overrides `oauth_user_info`: + +.. 
code-block:: python + + from superset.security import SupersetSecurityManager + + class CustomSsoSecurityManager(SupersetSecurityManager): + + def oauth_user_info(self, provider, response=None): + logging.debug("Oauth2 provider: {0}.".format(provider)) + if provider == 'egaSSO': + # As example, this line request a GET to base_url + '/' + userDetails with Bearer Authentication, + # and expects that authorization server checks the token, and response with user details + me = self.appbuilder.sm.oauth_remotes[provider].get('userDetails').data + logging.debug("user_data: {0}".format(me)) + return { 'name' : me['name'], 'email' : me['email'], 'id' : me['user_name'], 'username' : me['user_name'], 'first_name':'', 'last_name':''} + ... + +This file must be located at the same directory than ``superset_config.py`` with the name ``custom_sso_security_manager.py``. + +Then we can add this two lines to ``superset_config.py``: + +.. code-block:: python + + from custom_sso_security_manager import CustomSsoSecurityManager + CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager +
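Review bot: In the `custom_sso_security_manager.py` example, `oauth_user_info` calls `logging.debug(...)` but the snippet never imports `logging`, so the file as written raises a NameError the first time the method runs; add `import logging` above `from superset.security import SupersetSecurityManager`. The same method indexes `me['name']`, `me['email']` and `me['user_name']` directly, so a `userDetails` response that lacks any of these keys fails with a KeyError; the text should say that the endpoint name and the keys depend on the authorization server, and the example would be safer if it checked the response before building the dict. The `logging.debug("user_data: {0}".format(me))` line writes the full user record to the log, which is worth a comment for deployments that run with debug logging enabled. In the `superset_config.py` block, `consumer_secret` and the `Authorization: Basic ...` header are shown as inline literals; suggest a comment telling readers to load both from the environment or a secrets store instead of committing them with the config file. Because `AUTH_USER_REGISTRATION = True` creates a Superset user for every account the authorization server authorizes, the documentation should state that explicitly next to `AUTH_USER_REGISTRATION_ROLE` so readers keep the default role minimal. Wording nits in the added text: "its easy" should be "it's easy", "implementations that supports" should be "that support", "at the same directory than" should be "in the same directory as", and "this two lines" should be "these two lines".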