Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Overrides not working correctly for webserver_config.py #552

Closed
xeniape opened this issue Dec 4, 2024 · 1 comment · Fixed by #597
Closed

Overrides not working correctly for webserver_config.py #552

xeniape opened this issue Dec 4, 2024 · 1 comment · Fixed by #597
Assignees
@adwk67
Labels
release/25.3.0 type/bug

Comments

@xeniape
Copy link
Member

xeniape commented Dec 4, 2024

Affected Stackable version

Tested on 0.0.0-dev

Affected Apache Airflow version

No response

Current and expected behavior

Values in the webserver_config.py file / airflow-webserver ConfigMap are not being overridden properly using configOverrides.

Example Config setting configOverrides on role level and resulting webserver_config.py:

webservers:
  roleGroups:
    default:
      replicas: 1
  configOverrides:
    webserver_config.py:
      WTF_CSRF_ENABLED: "False"                                                                                                   
      AUTH_ROLES_SYNC_AT_LOGIN: "True"
      AUTH_TYPE: "AUTH_DB_TEST"
      AUTH_USER_REGISTRATION: "False"
      AUTH_USER_REGISTRATION_ROLE: "Admin"
      OAUTH_PROVIDERS: |
      [
        { 'name': 'azure',
          'icon': 'fa-windows',
          'token_key': 'access_token',
          'remote_app': {
            'client_id': os.environ.get('OIDC_XXX_CLIENT_ID'),
            'client_secret': os.environ.get('OIDC_XXX_CLIENT_SECRET'),
            'client_kwargs': {
              'scope': 'openid profile'
            },
            'api_base_url': 'https://keycloak/realms/sdp/protocol/test-url',
            'server_metadata_url': 'https://keycloak/realms/sdp/.well-known/openid-configuration-test',
          },
        }
       ]
webserver_config.py:                                                                                                                     
----                                                                                                                                     
import os                                                                                                                                
from flask_appbuilder.const import (AUTH_DB, AUTH_LDAP, AUTH_OAUTH, AUTH_OID, AUTH_REMOTE_USER)                                          
basedir = os.path.abspath(os.path.dirname(__file__))                                                                                     
WTF_CSRF_ENABLED = True                                                                                                                  
                                                                                                                                         
AUTH_ROLES_SYNC_AT_LOGIN = False                                                                                                         
AUTH_TYPE = AUTH_OAUTH                                                                                                                   
AUTH_USER_REGISTRATION = True                                                                                                            
AUTH_USER_REGISTRATION_ROLE = "User"                                                                                                     
OAUTH_PROVIDERS = [                                                                                                                      
{ 'name': 'keycloak',                                                                                                                    
  'icon': 'fa-key',                                                                                                                      
  'token_key': 'access_token',                                                                                                           
  'remote_app': {                                                                                                                        
    'client_id': os.environ.get('OIDC_BCFDE64522F1D73E_CLIENT_ID'),                                                                      
    'client_secret': os.environ.get('OIDC_BCFDE64522F1D73E_CLIENT_SECRET'),                                                              
    'client_kwargs': {                                                                                                                   
      'scope': 'openid'                                                                                                                  
    },                                                                                                                                   
    'api_base_url': 'https://keycloak/realms/sdp/protocol/',                                                                             
    'server_metadata_url': 'https://keycloak/realms/sdp/.well-known/openid-configuration',                                               
  },                                                                                                                                     
}                                                                                                                                        
]                                                                                                                                        
                                                                                                                                         
WTF_CSRF_ENABLED = False

(Maybe also noteable that WTF_CSRF_ENABLED appears twice now)

Example Config setting configOverrides on role group level and resulting webserver_config.py:

webservers:
  roleGroups:
    default:
      replicas: 1
      configOverrides:
        webserver_config.py:
          WTF_CSRF_ENABLED: "False"
          AUTH_ROLES_SYNC_AT_LOGIN: "True"
          AUTH_TYPE: "AUTH_DB_TEST"
          AUTH_USER_REGISTRATION: "False"
          AUTH_USER_REGISTRATION_ROLE: "Admin"
          OAUTH_PROVIDERS: |
          [
            { 'name': 'azure',
              'icon': 'fa-windows',
              'token_key': 'access_token',
              'remote_app': {
                'client_id': os.environ.get('OIDC_XXX_CLIENT_ID'),
                'client_secret': os.environ.get('OIDC_XXX_CLIENT_SECRET'),
                'client_kwargs': {
                  'scope': 'openid profile'
                },
                'api_base_url': 'https://keycloak/realms/sdp/protocol/test-url',
                'server_metadata_url': 'https://keycloak/realms/sdp/.well-known/openid-configuration-test',
              },
            }
          ]
webserver_config.py:                                                                                                                     
----                                                                                                                                     
import os                                                                                                                                
from flask_appbuilder.const import (AUTH_DB, AUTH_LDAP, AUTH_OAUTH, AUTH_OID, AUTH_REMOTE_USER)                                          
basedir = os.path.abspath(os.path.dirname(__file__))                                                                                     
WTF_CSRF_ENABLED = True                                                                                                                  
                                                                                                                                         
AUTH_ROLES_SYNC_AT_LOGIN = False                                                                                                         
AUTH_TYPE = AUTH_OAUTH                                                                                                                   
AUTH_USER_REGISTRATION = True                                                                                                            
AUTH_USER_REGISTRATION_ROLE = "User"                                                                                                     
OAUTH_PROVIDERS = [                                                                                                                      
{ 'name': 'keycloak',                                                                                                                    
  'icon': 'fa-key',                                                                                                                      
  'token_key': 'access_token',                                                                                                           
  'remote_app': {                                                                                                                        
    'client_id': os.environ.get('OIDC_BCFDE64522F1D73E_CLIENT_ID'),                                                                      
    'client_secret': os.environ.get('OIDC_BCFDE64522F1D73E_CLIENT_SECRET'),                                                              
    'client_kwargs': {                                                                                                                   
      'scope': 'openid'                                                                                                                  
    },                                                                                                                                   
    'api_base_url': 'https://keycloak/realms/sdp/protocol/',                                                                             
    'server_metadata_url': 'https://keycloak/realms/sdp/.well-known/openid-configuration',                                               
  },                                                                                                                                     
}                                                                                                                                        
]                                                                                                                                        
                                                                                                                                         
WTF_CSRF_ENABLED = False

Possible solution

No response

Additional context

No response

Environment

No response

Would you like to work on fixing this bug?

None
@adwk67 adwk67 mentioned this issue Mar 19, 2025
Merged
@adwk67 adwk67 moved this to Development: In Progress in Stackable Engineering Mar 19, 2025
@adwk67
Copy link
Member

adwk67 commented Mar 20, 2025

Snippet for release notes:

Previously some default values for the webserver config were applied after any entries specified under configOverrides. This has now been reversed so that defaults are applied first.

@adwk67 adwk67 moved this from Development: In Progress to Development: Done in Stackable Engineering Mar 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@adwk67 adwk67

Labels
release/25.3.0 type/bug
Projects
Stackable End-to-End Coordination
Status: In Progress
Stackable Engineering
Status: Development: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Switch order of config resolution so defaults can be overridden stackabletech/airflow-operator
2 participants
@adwk67 @xeniape