Setting up OAuth Google sign-in

Flask-AppBuilder supports many authentication protocols. The default database authentication protocol allows the creation of new users by the admin. When creating the user, the admin sets a default password and shares it with the users along with their username. However, this is quite a cumbersome way to onboard new collaborators to your Superset web app.

The OAuth protocol allows the use of external authorization services such as Google, Facebook, and Twitter. Once any of these OAuth services are put in place, users can register and sign in themselves, without requiring any action by the admin. We will change the default database-based authentication to Google OAuth.

In the superset_config.py file, we can whitelist a set of emails that can register and log in to the web app. Suffix patterns can be used to allow all email addresses with the same suffix, such as @apache.org.
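An added example, not code from the book or from Flask-AppBuilder: it assumes each whitelist entry is applied to the Google-reported email with re.search, as Flask-AppBuilder's OAuth view does, and shows why a bare suffix or address should be escaped and anchored. The helper names and the sample addresses are constructed for illustration.

```python
import re


def is_whitelisted(email, whitelist):
    """Assumed check: any entry that re.search() finds in the email allows it."""
    return any(re.search(pattern, email) for pattern in whitelist)


def anchored_suffix(domain):
    """Pattern that matches only addresses ending exactly in @<domain>."""
    return r"@" + re.escape(domain) + r"\Z"


def exact_address(email):
    """Pattern that matches one address and nothing longer."""
    return r"^" + re.escape(email) + r"\Z"


# Constructed sample addresses, not taken from any real deployment.
SAMPLES = [
    "alice@apache.org",
    "alice@apache.org.example.net",  # contains the suffix, but is another domain
    "alice@apacheXorg",              # an unescaped "." matches any character
    "bob@gmail.com",
    "notbob@gmail.com",              # contains bob@gmail.com as a substring
]


def audit(whitelist):
    """Return the sample addresses that the given whitelist would let register."""
    return [email for email in SAMPLES if is_whitelisted(email, whitelist)]


if __name__ == "__main__":
    for entries in (["@apache.org"], [anchored_suffix("apache.org")],
                    ["bob@gmail.com"], [exact_address("bob@gmail.com")]):
        print(entries, "->", audit(entries))
```

Run it against the entries you plan to put in OAUTH_PROVIDERS before enabling AUTH_USER_REGISTRATION, and keep only patterns whose audit output contains nothing unexpected.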

Before we modify the superset_config.py file to switch to Google OAuth, we have to register our application on the Google APIs & Services console. Go to https://console.developers.google.com/apis/dashboard and select Credentials from the left pane:

Application registration on Google APIs & Services

In the Credentials section, click on Create credentials and select OAuth client ID:  

Next, you will see the Create OAuth client ID form, where you need to insert a Name for the web application. In the following screenshot, I have set the name as superset-quick-start:

On the APIs & Services dashboard, OAuth 2.0 client IDs will be listed after creation. When you click on the application name in the list, it will show the client ID and client secret. We will need both of them to integrate Superset authentication with Google OAuth. Use the Download JSON option on the Client ID page to save the contents in the home directory of the GCE instance.

The OAuth configuration file should look like this:

shashank@superset:~$ cat ~/.google_oauth_key.json
{
  "web": {
    "client_id": "<client-id>",
    "project_id": "<project-id>",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_secret": "<client-secret>"
  }
}

In .bash_profile, we need to create an environment variable named GOOGLE_OAUTH_CREDENTIALS. This will store the path of the credentials file. After adding the environment variable, your .bash_profile should look like this:

export SUPERSET_CONFIG_PATH=$HOME/.superset/superset_config.py
source /usr/local/bin/virtualenvwrapper.sh
export MAPBOX_API_KEY="<your-mapbox-api-key>"
export GOOGLE_APPLICATION_CREDENTIALS="$HOME/.google_cdp_key.json"
export GOOGLE_OAUTH_CREDENTIALS="$HOME/.google_oauth_key.json"

Before we update the superset_config.py file, remember to source the .bash_profile file in the current shell:

shashank@superset:~$ source ~/.bash_profile
shashank@superset:~$ echo $GOOGLE_OAUTH_CREDENTIALS
/home/shashank/.google_oauth_key.json
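A pre-flight check for the downloaded client file, added here as an example and not part of the book's code: it reads the path from GOOGLE_OAUTH_CREDENTIALS and reports a group- or world-accessible file mode, missing or placeholder values, and non-HTTPS endpoints. The function name check_oauth_credentials is hypothetical.

```python
import json
import os
import stat
from urllib.parse import urlparse

REQUIRED_KEYS = ("client_id", "client_secret", "auth_uri", "token_uri")


def check_oauth_credentials(path):
    """Return a list of problems with the client JSON; an empty list means OK."""
    problems = []
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc)]
    # The file holds client_secret, so only its owner should be able to read it.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o is group/world accessible; run chmod 600" % mode)
    try:
        with open(path) as fh:
            web = json.load(fh).get("web")
    except (OSError, ValueError, AttributeError) as exc:
        return problems + ["cannot parse file: %s" % exc]
    if not isinstance(web, dict):
        return problems + ["no 'web' section in the file"]
    for key in REQUIRED_KEYS:
        value = str(web.get(key, ""))
        # Catches both absent keys and untouched <client-id> style placeholders.
        if not value or (value.startswith("<") and value.endswith(">")):
            problems.append("%s is missing or still a placeholder" % key)
        elif key.endswith("_uri") and urlparse(value).scheme != "https":
            problems.append("%s is not an https URL" % key)
    return problems


if __name__ == "__main__":
    # Same environment variable that superset_config.py reads.
    target = os.environ.get("GOOGLE_OAUTH_CREDENTIALS", "")
    for line in check_oauth_credentials(target) or ["credentials file looks OK"]:
        print(line)
```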

We also need to install a Python package required for Flask-AppBuilder to use the OAuth protocol for authentication:

pip install Flask-OAuthlib

Well, that finishes the environment setup for using Google OAuth on Superset. There are two values that have to be updated in the configuration file. One is the email address whitelist and the second is the role that we will assign to new users who register using their Google account.

Because we need an admin account, we will first register a user with an Admin role, then later on change the value to Alpha. The following are the new configuration variables for the superset_config.py file:

import json
import os
from flask_appbuilder.security.manager import AUTH_OAUTH

CSRF_ENABLED = True
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
# Role assigned to new authorized and registered users
AUTH_USER_REGISTRATION_ROLE = "Admin"
# Load the client ID and secret from the file downloaded from the Google console
with open(os.environ.get('GOOGLE_OAUTH_CREDENTIALS')) as f:
    auth_credentials = json.load(f)['web']
OAUTH_PROVIDERS = [
    {
        'name': 'google',
        # email whitelist
        'whitelist': ['<your-gmail-id>@gmail.com'],
        'icon': 'fa-google',
        'token_key': 'access_token',
        'remote_app': {
            'base_url': 'https://www.googleapis.com/oauth2/v2/',
            'request_token_params': {
                'scope': 'email profile'
            },
            'request_token_url': None,
            'access_token_url': auth_credentials['token_uri'],
            'authorize_url': auth_credentials['auth_uri'],
            # google api & services client id and secret
            'consumer_key': auth_credentials['client_id'],
            'consumer_secret': auth_credentials['client_secret']
        }
    }
]

Once you have added these values to the file, and made sure whitelist only specifies your Gmail ID, restart the Superset web server and the celery worker on two new Terminals:

# Terminal 1
gunicorn -w 3 -k gevent --timeout 120 -b 0.0.0.0:8088 superset:app
# Terminal 2
celery worker --app=superset.sql_lab:celery_app --pool=gevent -Ofair

The following is how your superset_config.py file should look at this point:

# Superset Configuration file
# add file superset_config.py to PYTHONPATH for usage
import os
import json
from flask_appbuilder.security.manager import AUTH_OAUTH

# Metadata database
SQLALCHEMY_DATABASE_URI = "postgresql+psycopg2://superset:superset@localhost/superset"
# Securing Session data
SECRET_KEY = 'AdLcixY34P' # random string
# Caching Queries
CACHE_CONFIG = {
    # Specify the cache type
    'CACHE_TYPE': 'redis',
    'CACHE_REDIS_URL': 'redis://localhost:6379/0',
    # The key prefix for the cache values stored on the server
    'CACHE_KEY_PREFIX': 'superset_results'
}
# Set this API key to enable Mapbox visualizations
MAPBOX_API_KEY = os.environ.get('MAPBOX_API_KEY')
# Long running query handling using Celery workers
class CeleryConfig(object):
    BROKER_URL = 'redis://localhost:6379/0'
    CELERY_IMPORTS = ('superset.sql_lab', )
    CELERY_RESULT_BACKEND = 'redis://localhost:6379/0'
    # Rate limit new long queries to 10 per second
    CELERY_ANNOTATIONS = {'tasks.add': {'rate_limit': '10/s'}}

CELERY_CONFIG = CeleryConfig

# Persisting results from running query handling using Celery workers
from werkzeug.contrib.cache import RedisCache
RESULTS_BACKEND = RedisCache(host='localhost', port=6379, key_prefix='superset_results')

# Google OAUTH Secrets
CSRF_ENABLED = True
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
# Load the client ID and secret from the file downloaded from the Google console
with open(os.environ.get('GOOGLE_OAUTH_CREDENTIALS')) as f:
    auth_credentials = json.load(f)['web']
OAUTH_PROVIDERS = [
    {
        'name': 'google',
        'whitelist': ['<your-gmail-id>@gmail.com'],
        'icon': 'fa-google',
        'token_key': 'access_token',
        'remote_app': {
            'base_url': 'https://www.googleapis.com/oauth2/v2/',
            'request_token_params': {
                'scope': 'email profile'
            },
            'request_token_url': None,
            'access_token_url': auth_credentials['token_uri'],
            'authorize_url': auth_credentials['auth_uri'],
            'consumer_key': auth_credentials['client_id'],
            'consumer_secret': auth_credentials['client_secret']
        }
    }
]

Just head over to the external IP of the machine on your browser, select G, and click Register:

Congratulations! You should have signed in to your Superset web app now using Google sign in. The new account will have the admin role assigned to it, which means you should have permissions to view and access the Security section. On the List Users page, your new account will be listed. Because only your Google email is whitelisted in the superset_config.py file, no one else can register on your server. We will change this after understanding how to define new roles for users.
