Unable to integrate keycloak provider with Airflow 2.7.3 #36814
Replies: 10 comments
-
Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval. |
Beta Was this translation helpful? Give feedback.
-
Hi @geoffo-dev can you please clarify what is the bug? |
Beta Was this translation helpful? Give feedback.
-
Hi @eladkal - So sorry it might be support or it might be a bug. I think I put it here as I have followed the configuration steps and the files are visible in the pod - however nothing is happening. The only thing I can see is the info in the log above. Is this a bug... I dont know..! I havent seen many examples specific to keycloak since Airflow 2.5.0. |
Beta Was this translation helpful? Give feedback.
-
We use Issues for bug reports since for this moment your problem is more of community support I'm converting this thread to GitHub Discussion. I hope someone from the community might be able to help you. |
Beta Was this translation helpful? Give feedback.
-
Yeah. I think also we would very much welcome someone who uses keycloak, creates and contribute a native KeyCloak provider for Airflow 2.8.0+ following the AIP-56 introduction - see https://cwiki.apache.org/confluence/display/AIRFLOW/AIP-56+Extensible+user+management the FAB integration with KeyCloak was indirect and we did not have the expert knowledge here, and it was very limiting and opinionated. Seems that implementing a natve KeyClock AuthManager that would not use FAB but go straight the AIP-56 route is a much better long-term approach - we were also discusing it at the first Airflow Town Hall meeting https://lists.apache.org/thread/gxk5hm1cbxvo84smmcqp9m3omko325p5 where the "call to action" for that was made by @vincbeck I think if somoene who uses and needs Keycloak would like to implement it natively, that would be a FAR better approach than trying to go the "old FAB" route - and if it can be contributed back, with documentation, some tests etc. even if it will be a simple form of it, that would be more than fantastic. So @geoffo-dev - maybe you would like to pick the challenge? I guess - since the maintainers are asking for help here and community (and especially someone who already uses KeyCloak and have the need to get it integrated) you woudl also get great help from the maintainers (I am happy to help and I am sure @vincbeck as well alongside few other people - as long as you'd take the lead and implement it (and test it in your own deployment - which is the main reason why we think it has a chance to be working, because you could prove it works for you). What say you @geoffo-dev ? |
Beta Was this translation helpful? Give feedback.
-
+1000 on this one. I am very happy to help if you take on that challenge. I really dont think it is complicated to implement an auth manager for KeyCloak and I do think, it can help so many users in the community. The documentation for auth managers is not yet built (it will happen when Airflow 2.9 is released) but you can access it through the code here. |
Beta Was this translation helpful? Give feedback.
-
Hey @potiuk and @vincbeck! Thanks for the info! So I need to read and digest user management bits and auth manager documentation too - probably over the weekend if that is ok? I am obviously very keen to support the OpenSource community and give back in some way and if I have the skills I certainly would like to! So yes up for the challenge, but might take me a little while to get familiar with the codebase and things..! |
Beta Was this translation helpful? Give feedback.
-
This is awesome. We have very extensive guides about contributing Feel free to join the Slack workspace we have dedicated channels to assist contributors when need |
Beta Was this translation helpful? Give feedback.
-
No pressure! Being motivated is the most important :) So I am glad you are. This is really awesome! And dont worry, you're not alone so if you dont understand something or need help, feel free to Slack me, I'll be happy to help |
Beta Was this translation helpful? Give feedback.
-
Hi there, my team uses Keycloak + Airflow. I'm currently migrating us from Airflow 2.6.3 to the current Airflow version, 2.8.4. I have a working (post-migration) webserver_config.py I can share in case that helps anyone. I believe this is still using the "old FAB" route. Not sure if any of this is worth adding to the repo in some way.
|
Beta Was this translation helpful? Give feedback.
-
Apache Airflow version
Other Airflow 2 version (please specify below)
If "Other Airflow 2 version" selected, which one?
2.7.3
What happened?
Hello,
I am trying to integrate keycloak with airflow which I have managed successfully in the past however I am currently struggling - possibly due to it being a newer version of airflow where I understand certain authentication mechanisms have changed.
Having followed the guide have the following
webserver_config.py
file:and the following
keycloakAuthorizer.py
which should be in the same path:However when the webserver launches, there is no option to login via keycloak - only standard username and password.
The only error I can see that might be relevant when the webserver loads which relates to the google package (for what I believe is required for keycloak to work):
I have tried version 2.8.0 as well, but due to #36702 - this does not work.
I am at a bit of a loss as to how to resolve, I have tried a number of images, but not certain if this is supported anymore or if there is another way to resolve.
What you think should happen instead?
User should be presented with a login option with keycloak
How to reproduce
Have described above
Operating System
Tags 2.7.3-python3.11 and 2.7.3 in docker
Versions of Apache Airflow Providers
apache-airflow-providers-amazon==8.10.0
apache-airflow-providers-celery==3.4.1
apache-airflow-providers-cncf-kubernetes==7.8.0
apache-airflow-providers-common-sql==1.8.0
apache-airflow-providers-daskexecutor==1.1.0
apache-airflow-providers-docker==3.8.0
apache-airflow-providers-elasticsearch==5.1.0
apache-airflow-providers-ftp==3.6.0
apache-airflow-providers-google==10.11.0
apache-airflow-providers-grpc==3.3.0
apache-airflow-providers-hashicorp==3.5.0
apache-airflow-providers-http==4.6.0
apache-airflow-providers-imap==3.4.0
apache-airflow-providers-microsoft-azure==8.1.0
apache-airflow-providers-mysql==5.4.0
apache-airflow-providers-odbc==4.1.0
apache-airflow-providers-openlineage==1.2.0
apache-airflow-providers-postgres==5.7.1
apache-airflow-providers-redis==3.4.0
apache-airflow-providers-sendgrid==3.3.0
apache-airflow-providers-sftp==4.7.0
apache-airflow-providers-slack==8.3.0
apache-airflow-providers-snowflake==5.1.0
apache-airflow-providers-sqlite==3.5.0
apache-airflow-providers-ssh==3.8.1
Deployment
Official Apache Airflow Helm Chart
Deployment details
Deploying on EKS v1.28.3
Helm Version v3.13.1
Helm Chart Version 1.11.0
Anything else?
Would be happy to support updating a PR, but not really sure where to start!
Are you willing to submit PR?
Code of Conduct
Beta Was this translation helpful? Give feedback.
All reactions