[AIRFLOW-1836] airflow uses OAuth Provider keycloak

[fisher-monkey]

Dear Airflow maintainers,

Please accept this PR. I understand that it will not be reviewed until I have checked off all the steps below!

JIRA

• My PR addresses the following Airflow JIRA issues and references them in the PR title. For example, "[AIRFLOW-XXX] My Airflow PR"
  • https://issues.apache.org/jira/browse/AIRFLOW-1836

Description

• Here are some details about my PR, including screenshots of any UI changes:

Tests

• My PR adds the following unit tests OR does not need testing for this extremely good reason:

Commits

• My commits all reference JIRA issues in their subject lines, and I have squashed multiple commits if they address the same issue. In addition, my commits follow the guidelines from "How to write a good git commit message":
  1. Subject is separated from body by a blank line
  2. Subject is limited to 50 characters
  3. Subject does not end with a period
  4. Subject uses the imperative mood ("add", not "adding")
  5. Body wraps at 72 characters
  6. Body explains "what" and "why", not "how"

[codecov-io]

Codecov Report

Merging #2799 into master will decrease coverage by 3.14%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #2799      +/-   ##
==========================================
- Coverage   76.67%   73.52%   -3.15%     
==========================================
  Files         199      158      -41     
  Lines       16186    11958    -4228     
==========================================
- Hits        12410     8792    -3618     
+ Misses       3776     3166     -610

Impacted Files	Coverage Δ
airflow/operators/email_operator.py	0% <0%> (-100%)	⬇️
airflow/hooks/pig_hook.py	0% <0%> (-100%)	⬇️
airflow/operators/slack_operator.py	0% <0%> (-97.37%)	⬇️
airflow/operators/s3_file_transform_operator.py	0% <0%> (-96.23%)	⬇️
airflow/operators/redshift_to_s3_operator.py	0% <0%> (-95.46%)	⬇️
airflow/hooks/mssql_hook.py	6.66% <0%> (-66.67%)	⬇️
airflow/hooks/hdfs_hook.py	32.5% <0%> (-60%)	⬇️
airflow/operators/hive_operator.py	41.02% <0%> (-45.52%)	⬇️
airflow/hooks/S3_hook.py	56.97% <0%> (-37.35%)	⬇️
airflow/hooks/hive_hooks.py	39.52% <0%> (-33.9%)	⬇️
... and 196 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e703d6b...4edc73c. Read the comment docs.

[Fokko]

Hi @fisher-monkey, thanks for contributing. Could you open a Jira ticket and add a description about the implementation that you've did?

[Fokko]

Please remove the comments

[fisher-monkey]

I have create a Jira ticket and simply describe the implementation, and this is the link: https://issues.apache.org/jira/browse/AIRFLOW-1836

the comments have been removed.

[Fokko]

An empty log line

[Fokko]

I think this should be disabled by default

[ron819]

@fisher-monkey @Fokko is there any progress with this?

[c4milo]

Would it be possible to make this more generic and support any OpenIDConnect/OAuth2 identity provider? being KeyCloak one of them.

[Fokko]

Very good suggestion @c4milo

[ron819]

@Fokko Does the suggestion to make it generic prevents from this to be merged or it's a feature request for future development? We do have other cases where non-generic PRs have been submitted. Example: #3941

[Fokko]

I think it is for #3941 hard to implement it generic, i.e. have some logic to test the connection of an arbitrary connection. Implementing OAuth makes perfect sense. What do you suggest @ron819 ?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[weldpua2008]

@Fokko / @fisher-monkey Could you please inform if keycloak is supported in Airflow?
We started to use keycloak and I need to configure it.

[mik-laj]

@weldpua2008 You can configure any OAuth2 provider, but I am working on a Keycloak-proxy integration as it is much more secure. It's not public yet, but I have plans to share it with the community.

[farisabdulraheem]

How can i implement keycloak auth with airflow? @fisher-monkey @Fokko is there a simple way for that, any sample code available ?

[mik-laj]

this PR refers to the old and unsupported user interface. We support RBAC (Flask AppBuilser based) only now.

[farisabdulraheem]

@mik-laj so how can i use it with keycloak using rbac

[weldpua2008]

Any news?