apache · miguel-saca · Jan 12, 2025 · Jan 13, 2025 · korbit-ai · Jan 13, 2025
diff --git a/docker-compose-image-tag.yml b/docker-compose-image-tag.yml
@@ -26,6 +26,7 @@ x-superset-volumes:
   &superset-volumes # /app/pythonpath_docker will be appended to the PYTHONPATH in the final container
   - ./docker:/app/docker
   - superset_home:/app/superset_home
+  - ./docker/custom_assets:/app/superset/static/assets/custom_assets
 
 services:
   redis:

diff --git a/docker-compose-non-dev.yml b/docker-compose-non-dev.yml
@@ -25,6 +25,7 @@ x-superset-volumes:
   &superset-volumes # /app/pythonpath_docker will be appended to the PYTHONPATH in the final container
   - ./docker:/app/docker
   - superset_home:/app/superset_home
+  - ./docker/custom_assets:/app/superset/static/assets/custom_assets
 
 x-common-build: &common-build
   context: .

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -29,7 +29,7 @@ x-superset-volumes: &superset-volumes
   - ./superset-frontend:/app/superset-frontend
   - superset_home:/app/superset_home
   - ./tests:/app/tests
-
+  - ./docker/custom_assets:/app/superset/static/assets/custom_assets
 x-common-build: &common-build
   context: .
   target: ${SUPERSET_BUILD_TARGET:-dev} # can use `dev` (default) or `lean`

diff --git a/docker/.env b/docker/.env
@@ -67,3 +67,14 @@ ENABLE_PLAYWRIGHT=false
 PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
 BUILD_SUPERSET_FRONTEND_IN_DOCKER=true
 SUPERSET_LOG_LEVEL=info
+
+# Keycloak configurations
+AUTH_USER_REGISTRATION_ROLE=Public
+
+# Encryption key
+SECRET_KEY=6iiO6nBM8xO8U/dl8emvWeO1QFjzs+ljKhxFckE6GoQ
+ENCRYPTION_KEY=gF83nvQFwuRYIeQ98OMYf74q45dk9mF+eddFuj4E45E
+
+# Styles
+APP_ICON = "/static/assets/custom_assets/cedia-logo-2025.png"
+APP_NAME = "CMI"
diff --git a/docker/custom_assets/cedia-logo-2025.png b/docker/custom_assets/cedia-logo-2025.png
diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf
@@ -122,6 +122,11 @@ http {
             proxy_http_version 1.1;
             port_in_redirect off;
             proxy_connect_timeout 300;
+
+            # Increase buffer sizes to allow for big upstream headers.
+            proxy_buffer_size 128k;
+            proxy_buffers 4 256k;
+            proxy_busy_buffers_size 256k;
         }
     }
 }
diff --git a/docker/pythonpath_dev/.gitignore b/docker/pythonpath_dev/.gitignore
@@ -21,3 +21,4 @@
 !.gitignore
 !superset_config.py
 !superset_config_local.example
+!keycloak_security_manager.py
diff --git a/docker/pythonpath_dev/keycloak_security_manager.py b/docker/pythonpath_dev/keycloak_security_manager.py
@@ -0,0 +1,93 @@
+from flask_appbuilder.security.manager import AUTH_OID
+from superset.security import SupersetSecurityManager
+from flask_oidc import OpenIDConnect
+from flask_appbuilder.security.views import AuthOIDView
+from flask_login import login_user, logout_user
+from urllib.parse import quote
+from flask_appbuilder.views import ModelView, expose
+from flask import redirect, request, session
+from typing import Optional
+import logging
+import json
+
+class OIDCSecurityManager(SupersetSecurityManager):
+    def __init__(self, appbuilder: ModelView) -> None:
+        super(OIDCSecurityManager, self).__init__(appbuilder)
+        if self.auth_type == AUTH_OID:
+            self.oid = OpenIDConnect(self.appbuilder.get_app)
+        self.authoidview = AuthOIDCView
+
+class AuthOIDCView(AuthOIDView):
+
+    @expose('/login/', methods=['GET', 'POST'])
+    def login(self, flag: bool = True) -> Optional[redirect]:
+        sm = self.appbuilder.sm
+        oidc = sm.oid
+
+        @self.appbuilder.sm.oid.require_login
+        def handle_login() -> Optional[redirect]:
+            user = sm.auth_user_oid(oidc.user_getfield('email'))
+            if user is None:
+                info = oidc.user_getinfo(['preferred_username', 'given_name', 'family_name', 'email'])
+                default_role = self.appbuilder.app.config.get("AUTH_USER_REGISTRATION_ROLE", "Public")
+
+                user = sm.add_user(
+                    info.get('preferred_username'),
+                    info.get('given_name'),
+                    info.get('family_name'),
+                    info.get('email'),
+                    sm.find_role(default_role)
+                )
+            login_user(user, remember=False)
+            return redirect(self.appbuilder.get_url_for_index)
+        return handle_login()
+
+    @expose('/logout/', methods=['GET', 'POST'])
+    def logout(self) -> redirect:
+        sm = self.appbuilder.sm
+        oidc = sm.oid
+
+        # Initiate logout from the OIDC provider (Keycloak)
+        oidc.logout()
+        # Call the parent logout (which should log out the user locally)
+        super(AuthOIDCView, self).logout()
+
+        # Capture the redirect URL (typically pointing back to the login page)
+        redirect_url = request.url_root.strip('/') + self.appbuilder.get_url_for_login
+
+        # Retrieve the id_token from session if available
+        auth_token = session.get("oidc_auth_token")
+        id_token_hint = None
+        if auth_token:
+            if isinstance(auth_token, dict):
+                id_token_hint = auth_token.get("id_token")
+            elif isinstance(auth_token, (str, bytes)):
+                try:
+                    token_info = json.loads(auth_token)
+                    id_token_hint = token_info.get("id_token")
+                except Exception as e:
+                    logging.warning("Failed to parse oidc_auth_token: %s", e)
+
+        # Build the logout URL
+        if id_token_hint:
+            logout_url = (
+                oidc.client_secrets.get('issuer')
+                + '/protocol/openid-connect/logout'
+                + '?post_logout_redirect_uri=' + quote(redirect_url)
+                + '&id_token_hint=' + quote(id_token_hint)
+            )
+        else:
+            logout_url = (
+                oidc.client_secrets.get('issuer')
+                + '/protocol/openid-connect/logout'
+                + '?post_logout_redirect_uri=' + quote(redirect_url)
+                + '&client_id=' + quote(oidc.client_secrets.get('client_id'))
+            )
+
+        # Explicitly clear the entire session to remove all authentication data.
+        session.clear()
+
+        # Additionally, log out from Flask-Login if needed.
+        logout_user()
+
+        return redirect(logout_url)
diff --git a/docker/pythonpath_dev/superset_config.py b/docker/pythonpath_dev/superset_config.py
@@ -24,7 +24,9 @@
 import os
 
 from celery.schedules import crontab
+from flask_appbuilder.security.manager import AUTH_OID
 from flask_caching.backends.filesystemcache import FileSystemCache
+from keycloak_security_manager import OIDCSecurityManager
 
 logger = logging.getLogger()
 
@@ -120,3 +122,31 @@ class CeleryConfig:
     )
 except ImportError:
     logger.info("Using default Docker config...")
+
+# Basic secret key
+SECRET_KEY = os.getenv("SECRET_KEY", "your-constant-secret-key")
+ENCRYPTION_KEY = os.getenv("ENCRYPTION_KEY", "your-constant-encryption-key")
+
+# ------------------------------------------------------------------------------
+# Keycloak (OpenID Connect) authentication config and other settings...
+# ------------------------------------------------------------------------------
+AUTH_TYPE = AUTH_OID
+OIDC_CLIENT_SECRETS = "/app/docker/pythonpath_dev/client_secret.json"
+OIDC_ID_TOKEN_COOKIE_SECURE = False
+OIDC_OPENID_REALM = "hpc"
+OIDC_INTROSPECTION_AUTH_METHOD = "client_secret_post"
+CUSTOM_SECURITY_MANAGER = OIDCSecurityManager
+
+# Disable role sync on every login
+AUTH_ROLES_SYNC_AT_LOGIN = False
+AUTH_USER_REGISTRATION = True
+AUTH_USER_REGISTRATION_ROLE = os.getenv("AUTH_USER_REGISTRATION_ROLE", "Public")
+
+# ... [rest of the configuration] ...
+logger.info("Superset configuration loaded successfully.")
+
+ENABLE_TEMPLATE_PROCESSING = True
+
+# Styles
+APP_NAME = os.getenv("APP_NAME", "Superset")
+APP_ICON = os.getenv("APP_ICON", "/static/assets/custom_assets/cedia-logo-2025.png")
diff --git a/requirements/development.txt b/requirements/development.txt
@@ -883,3 +883,5 @@ zstandard==0.23.0
     # via
     #   -c requirements/base.txt
     #   flask-compress
+flask-oidc==2.2.2
+flask-openid==1.3.1