
@johnjameswhitman
Last active May 9, 2023 15:36
Apache Superset Okta Config for local docker-compose demo

A few notes to get this working:

  • You need an Okta tenant with an OIDC web app.
  • Superset must be able to see all of a user's groups: edit the Okta app's Groups claim filter to "Matches regex" with the value .* (Okta docs). Only groups that arrive in the groups claim can be mapped to Superset roles.
  • Check out apache/superset locally.
  • Add the following values from your Okta tenant / app to docker/.env-non-dev (Superset docker docs):
    • OKTA_DOMAIN (e.g. dev-{your_id}.okta.com)
    • OKTA_CLIENT_ID (from your OIDC app's config)
    • OKTA_CLIENT_SECRET (from your OIDC app's config)
  • Add the snippet below to docker/pythonpath_dev/superset_config_docker.py.
```python
# This file is included in the final Docker image and SHOULD be overridden when
# deploying the image to prod. Settings configured here are intended for use in local
# development environments. Also note that superset_config_docker.py is imported
# as a final step as a means to override "defaults" configured in superset_config.py.
#
import logging
import os
from typing import Optional

from flask_appbuilder.security.manager import AUTH_OAUTH

logger = logging.getLogger(__name__)


def get_env_variable(var_name: str, default: Optional[str] = None) -> str:
    """Get the environment variable or raise exception."""
    try:
        return os.environ[var_name]
    except KeyError:
        if default is not None:
            return default
        else:
            error_msg = "The environment variable {} was missing, abort...".format(
                var_name
            )
            raise EnvironmentError(error_msg)


# NOTE(jwhitman): Okta customizations below
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True  # allow self-registration (login creates a user)
# AUTH_USER_REGISTRATION_ROLE = "Gamma"  # default is a Gamma user

# Values come from docker/.env-non-dev; the client secret is never hard-coded here.
OKTA_DOMAIN = get_env_variable("OKTA_DOMAIN")
OKTA_CLIENT_ID = get_env_variable("OKTA_CLIENT_ID")
OKTA_CLIENT_SECRET = get_env_variable("OKTA_CLIENT_SECRET")

OAUTH_PROVIDERS = [
    {
        "name": "okta",
        "icon": "fa-circle-o",
        "token_key": "access_token",
        "remote_app": {
            "client_id": OKTA_CLIENT_ID,
            "client_secret": OKTA_CLIENT_SECRET,
            "api_base_url": f"https://{OKTA_DOMAIN}/oauth2/v1/",
            # the "groups" scope is what makes the groups claim available for AUTH_ROLES_MAPPING
            "client_kwargs": {"scope": "openid profile email groups"},
            "access_token_url": f"https://{OKTA_DOMAIN}/oauth2/v1/token",
            "authorize_url": f"https://{OKTA_DOMAIN}/oauth2/v1/authorize",
            "server_metadata_url": f"https://{OKTA_DOMAIN}/.well-known/openid-configuration",
        },
    },
]

# a mapping from the values of `userinfo["role_keys"]` to a list of FAB roles
# Key is group in okta, value is list of roles to assign in superset
AUTH_ROLES_MAPPING = {
    "SupersetUser": ["sql_lab - staging utility"],
    "SupersetAdmin": ["Admin"],
}

# if we should replace ALL the user's roles each login, or only on registration
AUTH_ROLES_SYNC_AT_LOGIN = True

# force users to re-auth after 20h of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = 3600 * 20
```
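To see what the mapping and sync settings above actually do to a user's roles, here is a small stand-alone model of the role calculation (an added example, not part of the gist or of Superset). It follows how Flask-AppBuilder combines AUTH_ROLES_MAPPING with the registration role and AUTH_ROLES_SYNC_AT_LOGIN; treat the exact FAB semantics as an assumption to confirm against the version your Superset ships, and the EXISTING_ROLES set is constructed sample data.

```python
"""Model of how Okta group claims become Superset (FAB) roles.

Constructed example. Assumes FAB's behaviour: mapped roles from the
`groups` claim are unioned with the registration role, unknown groups are
ignored, and with AUTH_ROLES_SYNC_AT_LOGIN the whole role set is replaced.
"""
from typing import Dict, List, Set

# Same mapping as the gist: Okta group -> list of Superset role names.
AUTH_ROLES_MAPPING: Dict[str, List[str]] = {
    "SupersetUser": ["sql_lab - staging utility"],
    "SupersetAdmin": ["Admin"],
}
AUTH_USER_REGISTRATION_ROLE = "Gamma"  # FAB default when the setting is unset

# Roles present in the Superset metadata DB (constructed sample).
EXISTING_ROLES: Set[str] = {"Admin", "Alpha", "Gamma", "sql_lab - staging utility"}


def roles_from_groups(groups: List[str],
                      mapping: Dict[str, List[str]] = AUTH_ROLES_MAPPING,
                      registration_role: str = AUTH_USER_REGISTRATION_ROLE,
                      existing_roles: Set[str] = EXISTING_ROLES) -> Set[str]:
    """Compute the role set for one login from the Okta `groups` claim.

    Groups without a mapping entry contribute nothing, mapped role names that
    do not exist in the DB are dropped, and the registration role is always
    added, so a user in no mapped group still lands in the registration role.
    """
    wanted: Set[str] = set()
    for group in groups:
        wanted.update(mapping.get(group, []))
    wanted.add(registration_role)
    return {role for role in wanted if role in existing_roles}


def sync_roles(current_roles: Set[str], groups: List[str],
               sync_at_login: bool = True) -> Set[str]:
    """Apply AUTH_ROLES_SYNC_AT_LOGIN semantics to an already-registered user.

    With sync on, the role set is recomputed from the current claim, so
    removing someone from the SupersetAdmin group in Okta revokes Admin at
    their next login; with sync off, roles granted at registration persist.
    """
    if not sync_at_login:
        return set(current_roles)
    return roles_from_groups(groups)
```

Because the Groups claim filter is `.*`, every Okta group the user belongs to reaches this logic; only the keys listed in AUTH_ROLES_MAPPING grant anything, which is why the mapping should stay explicit and short.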