[bitnami/airflow] OAUTH authentication option is missing module authlib #31109

Closed
Timizki opened this issue Dec 19, 2024 · 3 comments
Labels: airflow, solved, stale (15 days without activity), tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments


Timizki commented Dec 19, 2024

Name and Version

bitnami/airflow 22.2.0

What architecture are you using?

amd64

What steps will reproduce the bug?

  1. Brand new environment where Airflow is run on OpenShift. The installation process is done with Helm.
  2. Uses the following webserver_conf.py from an existing ConfigMap. The configuration follows the Airflow example:

kind: ConfigMap
apiVersion: v1
metadata:
  name: airflow-web-config
data:
  webserver_config.py: |-
    import os
    import jwt
    import requests
    import logging
    from base64 import b64decode
    from cryptography.hazmat.primitives import serialization
    from flask_appbuilder.security.manager import AUTH_DB, AUTH_OAUTH
    from airflow import configuration as conf
    from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
    log = logging.getLogger(__name__)
    AUTH_TYPE = AUTH_OAUTH
    AUTH_USER_REGISTRATION = True
    AUTH_ROLES_SYNC_AT_LOGIN = True
    AUTH_USER_REGISTRATION_ROLE = "Viewer"
    OIDC_ISSUER = "https://keycloak.yyy.xy/realms/airflow/"
    AUTH_ROLES_MAPPING = {
        "Viewer": ["Viewer"],
        "Admin": ["Admin"],
        "User": ["User"],
        "Public": ["Public"],
        "Op": ["Op"],
    }
    OAUTH_PROVIDERS = [
        {
            'name': 'keycloak',
            'icon': 'fa-key',
            'token_key': 'access_token',
            'remote_app': {
                'api_base_url': 'https://keycloak.yyy.xy/auth/realms/airflow/protocol/openid-connect/',
                'client_kwargs': {
                    'scope': 'openid'
                },
                'request_token_url': None,
                'access_token_url': 'https://keycloak.yyy.xy/auth/realms/airflow/protocol/openid-connect/token',
                'authorize_url': 'https://keycloak.yyy.xy/realms/airflow/protocol/openid-connect/auth',
                'client_id': 'airflow',
                'client_secret': 'AAAABBBBBCCCCxy',
                'airflow_base_url': 'https://airflow.yyy.xy'
            }
        }
    ]
    # Fetch public key
    # (while these lines stay commented out, public_key is undefined and
    # jwt.decode() in get_oauth_user_info() below raises NameError at login)
    #req = requests.get(OIDC_ISSUER)
    #key_der_base64 = req.json()["public_key"]
    #key_der = b64decode(key_der_base64.encode())
    #public_key = serialization.load_der_public_key(key_der)
    class CustomSecurityManager(FabAirflowSecurityManagerOverride):
        def get_oauth_user_info(self, provider, response):
            if provider == "keycloak":
                token = response["access_token"]
                me = jwt.decode(token, public_key, algorithms=["HS256", "RS256"])

                # Extract roles from resource access
                realm_access = me.get("realm_access", {})
                groups = realm_access.get("roles", [])

                log.info("groups: {0}".format(groups))

                if not groups:
                    groups = ["Viewer"]

                userinfo = {
                    "username": me.get("preferred_username"),
                    "email": me.get("email"),
                    "first_name": me.get("given_name"),
                    "last_name": me.get("family_name"),
                    "role_keys": groups,
                }

                log.info("user info: {0}".format(userinfo))

                return userinfo
            else:
                return {}

    # Make sure to replace this with your own implementation of AirflowSecurityManager class
    SECURITY_MANAGER_CLASS = CustomSecurityManager

  3. When the pod starts, the container dies as its liveness/readiness probes aren't responding, and the logs show the error:

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/gunicorn/__main__.py", line 10, in <module>
    run(prog="gunicorn")
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/gunicorn/app/wsgiapp.py", line 66, in run
    WSGIApplication("%(prog)s [OPTIONS] [APP_MODULE]", prog=prog).run()
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/gunicorn/app/base.py", line 235, in run
    super().run()
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/gunicorn/app/base.py", line 71, in run
    Arbiter(self).run()
    ^^^^^^^^^^^^^
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/gunicorn/arbiter.py", line 57, in __init__
    self.setup(app)
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/gunicorn/arbiter.py", line 117, in setup
    self.app.wsgi()
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/gunicorn/app/base.py", line 66, in wsgi
    self.callable = self.load()
                    ^^^^^^^^^^^
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/gunicorn/app/wsgiapp.py", line 57, in load
    return self.load_wsgiapp()
           ^^^^^^^^^^^^^^^^^^^
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/gunicorn/app/wsgiapp.py", line 47, in load_wsgiapp
    return util.import_app(self.app_uri)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/gunicorn/util.py", line 423, in import_app
    app = app(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/airflow/www/app.py", line 196, in cached_app
    app = create_app(config=config, testing=testing)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/airflow/www/app.py", line 167, in create_app
    init_appbuilder(flask_app)
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/airflow/www/extensions/init_appbuilder.py", line 666, in init_appbuilder
    return AirflowAppBuilder(
           ^^^^^^^^^^^^^^^^^^
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/airflow/www/extensions/init_appbuilder.py", line 168, in __init__
    self.init_app(app, session)
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/airflow/www/extensions/init_appbuilder.py", line 212, in init_app
    self.sm = auth_manager.security_manager
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/bitnami/python/lib/python3.12/functools.py", line 993, in __get__
    val = self.func(instance)
          ^^^^^^^^^^^^^^^^^^^
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/airflow/providers/fab/auth_manager/fab_auth_manager.py", line 374, in security_manager
    return sm_from_config(self.appbuilder)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/airflow/providers/fab/auth_manager/security_manager/override.py", line 367, in __init__
    self._init_auth()
  File "/opt/bitnami/airflow/venv/lib/python3.12/site-packages/airflow/providers/fab/auth_manager/security_manager/override.py", line 898, in _init_auth
    from authlib.integrations.flask_client import OAuth
ModuleNotFoundError: No module named 'authlib'

Are you using any custom parameters or values?

Values.yaml:

airflow:
  setupDBJob:
    enabled: false
  createUserJob:
    useHelmHooks: false
    applyCustomEnv: false
  migrateDatabaseJob:
    enabled: false
    useHelmHooks: false
    applyCustomEnv: false
    jobAnnotations:
      "argocd.argoproj.io/hook": Sync
  dagProcessor:
    pdb:
      create: false  
  scheduler:
    waitForMigrations:
      enabled: False
    pdb:
      create: false    
  triggerer:
    pdb:
      create: false
  web:
    waitForMigrations:
      enabled: false
    pdb:
      create: false    
    existingConfigmap: airflow-web-config
  worker:
    waitForMigrations:
      enabled: False
    pdb:
      create: false
    resources:
      limits:
        cpu: 1000m
        ephemeral-storage: 1Gi
        memory: 3Gi
      requests:
        cpu: '1'
        ephemeral-storage: 50Mi
        memory: 3Gi
  auth:
    existingSecret: airflow-auth
  redis:    
    master:
      pdb:
        create: false
      persistence:
        size: 1Gi
    auth:
      existingSecret: airflow-redis
  postgresql:    
    primary:
      pdb:
        create: false
      persistence:
        size: 1Gi
    auth:
      existingSecret: airflow-postgres

What is the expected behavior?

That the pod starts and Airflow login is possible through the Keycloak integration

What do you see instead?

Dead pod and error on logs
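
A start-up check for the failure in the traceback above, as an added example (not part of the original report or the Bitnami chart): it parses a webserver_config.py with `ast`, collects the modules it imports plus those its `AUTH_TYPE` implies, and reports any that are not installed. The `IMPLICIT_DEPS` table and the function names are assumptions made for this example; its single entry is taken from the `authlib` import in the traceback.

```python
import ast
import importlib.util
import sys

# Assumption: modules an auth type imports lazily at start-up. The AUTH_OAUTH
# entry comes from the traceback in the report; extend the table as needed.
IMPLICIT_DEPS = {"AUTH_OAUTH": ["authlib"]}


def required_modules(config_source):
    """Top-level modules a webserver_config.py needs before the app can start."""
    needed = set()
    for node in ast.parse(config_source).body:  # module-level statements only
        if isinstance(node, ast.Import):
            needed.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            needed.add(node.module.split(".")[0])
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Name):
            targets = [t.id for t in node.targets if isinstance(t, ast.Name)]
            if "AUTH_TYPE" in targets:  # e.g. AUTH_TYPE = AUTH_OAUTH
                needed.update(IMPLICIT_DEPS.get(node.value.id, []))
    return sorted(needed)


def installed(name):
    """True when the interpreter running this check can locate the module."""
    return importlib.util.find_spec(name) is not None


def missing_modules(config_source, is_installed=installed):
    """Required modules that are absent; an empty list means safe to start."""
    return [m for m in required_modules(config_source) if not is_installed(m)]


# Constructed sample: a cut-down version of the configuration in the report.
SAMPLE_CONFIG = """
import os
import jwt
from flask_appbuilder.security.manager import AUTH_DB, AUTH_OAUTH
AUTH_TYPE = AUTH_OAUTH
"""

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    missing = missing_modules(source)
    for name in missing:
        print(f"missing module: {name}")
    sys.exit(1 if missing else 0)
```

Run with the image's own interpreter (for example in an init container or a CI step), the non-zero exit code surfaces the missing dependency before the liveness and readiness probes start failing.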

@Timizki Timizki added the tech-issues The user has a technical issue about an application label Dec 19, 2024
@github-actions github-actions bot added the triage Triage is needed label Dec 19, 2024
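
The token handling in the posted `CustomSecurityManager`, as an added example that is not the reporter's or Airflow's code: verification pinned to RS256, with issuer, audience and expiry required before any role is read. The issuer URL, the `aud` value, the throwaway key and the helper names are assumptions constructed for the example.

```python
import time

import jwt  # PyJWT 2.x, the package the posted config already imports
from cryptography.hazmat.primitives.asymmetric import rsa

ISSUER = "https://keycloak.example.test/realms/airflow"  # constructed value
AUDIENCE = "airflow"  # assumption: a Keycloak audience mapper puts the client in aud


def verify_access_token(token, public_key):
    """Check signature, issuer, audience and expiry; accept RS256 only."""
    return jwt.decode(
        token, public_key,
        algorithms=["RS256"],  # one asymmetric algorithm, not mixed with HS256
        issuer=ISSUER, audience=AUDIENCE,
        options={"require": ["exp", "iss", "aud"]},
    )


def userinfo_from_token(token, public_key):
    """Map verified claims to the dict get_oauth_user_info() returns."""
    me = verify_access_token(token, public_key)
    roles = me.get("realm_access", {}).get("roles", []) or ["Viewer"]
    return {"username": me.get("preferred_username"),
            "email": me.get("email"), "role_keys": roles}


def new_private_key():
    """Throwaway RSA key standing in for the realm's signing key."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def sample_token(key, algorithm, **overrides):
    """Constructed token carrying the claims the posted code reads."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "exp": int(time.time()) + 300,
              "preferred_username": "alice", "email": "alice@example.test",
              "realm_access": {"roles": ["Op"]}}
    claims.update(overrides)
    return jwt.encode(claims, key, algorithm=algorithm)


def is_rejected(token, public_key):
    """True when verification refuses the token."""
    try:
        verify_access_token(token, public_key)
    except jwt.InvalidTokenError:
        return True
    return False
```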
@carrodher
Member

Hi, the issue may not be directly related to the Bitnami container image/Helm chart, but rather to how the application is being utilized, configured in your specific environment, or tied to a particular scenario that is not easy to reproduce on our side.

If you think that's not the case and want to contribute a solution, we'd like to invite you to create a pull request. The Bitnami team is excited to review your submission and offer feedback. You can find the contributing guidelines here.

Your contribution will greatly benefit the community. Please feel free to contact us if you have any questions or need assistance.

Suppose you have any questions about the application, customizing its content, or technology and infrastructure usage. In that case, we highly recommend that you refer to the forums and user guides provided by the project responsible for the application or technology.

With that said, we'll keep this ticket open until the stale bot automatically closes it, in case someone from the community contributes valuable insights.


github-actions bot commented Jan 8, 2025

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Jan 8, 2025

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

@bitnami-bot bitnami-bot closed this as not planned Won't fix, can't repro, duplicate, stale Jan 14, 2025