Apache Superset Okta Config for local docker-compose demo

README_SUPERSET_OKTA.md

A few notes to get this working:

• Need to have an Okta tenant, with an OIDC+web app
• Must allow Superset to see all of a user's groups by editing the Okta-app's Groups Claim Filter to be Matches regex .* (Okta docs)
• Check out apache/superset/ locally
• Add the following values from your Okta tenant / app to docker/.env-non-dev (Superset docker docs)
  • OKTA_DOMAIN (e.g. dev-{your_id}.okta.com)
  • OKTA_CLIENT_ID (from your OIDC app's config)
  • OKTA_CLIENT_SECRET (from your OIDC app's config)
• Add the below snippet to docker/pythonpath_dev/superset_config_docker.py
  • Note: This is based on the FlaskAppBuilder docs and this other gist

superset_config_docker.py

# This file is included in the final Docker image and SHOULD be overridden when
# deploying the image to prod. Settings configured here are intended for use in local
# development environments. Also note that superset_config_docker.py is imported
# as a final step as a means to override "defaults" configured in superset_config.py.
#
import logging
import os
from typing import Optional

from flask_appbuilder.security.manager import AUTH_OAUTH

logger = logging.getLogger(__name__)


def get_env_variable(var_name: str, default: Optional[str] = None) -> str:
    """Get the environment variable or raise exception."""
    try:
        return os.environ[var_name]
    except KeyError:
        if default is not None:
            return default
        else:
            error_msg = "The environment variable {} was missing, abort...".format(
                var_name
            )
            raise EnvironmentError(error_msg)

# NOTE(jwhitman): Okta customizations below

AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True  # allow self-registration (login creates a user)
# AUTH_USER_REGISTRATION_ROLE = "Gamma"  # default is a Gamma user

OKTA_DOMAIN = get_env_variable("OKTA_DOMAIN")
OKTA_CLIENT_ID = get_env_variable("OKTA_CLIENT_ID")
OKTA_CLIENT_SECRET = get_env_variable("OKTA_CLIENT_SECRET")

OAUTH_PROVIDERS = [
    {
        "name": "okta",
        "icon": "fa-circle-o",
        "token_key": "access_token",
        "remote_app": {
            "client_id": OKTA_CLIENT_ID,
            "client_secret": OKTA_CLIENT_SECRET,
            "api_base_url": f"https://{OKTA_DOMAIN}/oauth2/v1/",
            "client_kwargs": {"scope": "openid profile email groups"},
            "access_token_url": f"https://{OKTA_DOMAIN}/oauth2/v1/token",
            "authorize_url": f"https://{OKTA_DOMAIN}/oauth2/v1/authorize",
            "server_metadata_url": f"https://{OKTA_DOMAIN}/.well-known/openid-configuration",
        },
    },
]

# a mapping from the values of `userinfo["role_keys"]` to a list of FAB roles
# Key is group in okta, value is list of roles to assign in superset
AUTH_ROLES_MAPPING = {
    "SupersetUser": ["sql_lab - staging utility"],
    "SupersetAdmin": ["Admin"],
}

# if we should replace ALL the user's roles each login, or only on registration
AUTH_ROLES_SYNC_AT_LOGIN = True

# force users to re-auth after 20h of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = 3600 * 20