superset: [Report] Reports not working with OIDC auth

Can’t send Report emails with error Report Schedule sellenium user not found.

Expected results

Can send Report emails

Actual results

Almost nothing in logs but Report Schedule sellenium user not found error in reports action log.

Screenshots

How to reproduce the bug

Setup smth like this

SCREENSHOT_LOCATE_WAIT = 100
SCREENSHOT_LOAD_WAIT = 600

ENABLE_ALERTS = True
FEATURE_FLAGS = {
    'ALERT_REPORTS': True
}

WEBDRIVER_TYPE = "chrome"
#WEBDRIVER_OPTION_ARGS = [
    "--force-device-scale-factor=2.0",
    "--high-dpi-support=2.0",
    "--headless",
    "--disable-gpu",
    "--disable-dev-shm-usage",
    "--no-sandbox",
    "--disable-setuid-sandbox",
    "--disable-extensions",
]

# This is for internal use, you can keep http
WEBDRIVER_BASEURL="http://localhost:8088"
# This is the link sent to the recipient, change to your domain eg. https://superset.mydomain.com
WEBDRIVER_BASEURL_USER_FRIENDLY="https://<BASE_URL>"

in config but no emails sent (or tried to send).

Environment

(please complete the following information):

superset version: Superset 1.1.0
python version: Python 3.8.7
node.js version: v12.21.0

Checklist

Make sure to follow these steps before submitting your issue - thank you!

I have checked the superset logs for python stacktraces and included it here as text if there are any.
I have reproduced the issue with at least the latest released version of superset.
I have checked the issue tracker for the same issue and I haven’t found one similar.

Additional context

Apr 24 21:00:00 node6 celery[1401583]: Report state: Report Schedule sellenium user not found
Apr 24 21:00:00 node6 celery[1401583]: [2021-04-24 21:00:00,239: INFO/ForkPoolWorker-1] Report state: Report Schedule sellenium user not found

(every hour)

About this issue

Original URL
State: closed
Created 3 years ago
Comments: 31 (11 by maintainers)

Most upvoted comments

@dpgaspar , thanks for the hint. It might even suffice to overwrite the webdriver auth function (defined by WEBDRIVER_AUTH_FUNC). We use Azure as OAuth provider and any /login request is redirected there and then selenium times out. Works perfectly, when we added this to our superset_config.py:

from superset.utils.urls import headless_url
from superset.utils.machine_auth import MachineAuthProvider

def auth_driver(driver, user):
    # Setting cookies requires doing a request first, but /login is redirected to oauth provider, and stuck there.
    driver.get(headless_url("/doesnotexist"))

    cookies = MachineAuthProvider.get_auth_cookies(user)

    for cookie_name, cookie_val in cookies.items():
        driver.add_cookie(dict(name=cookie_name, value=cookie_val))

    return driver

WEBDRIVER_AUTH_FUNC = auth_driver

heul on Jul 23, 2021

@dusatvoj

I see so it may be because of: https://github.com/apache/superset/blob/master/superset/utils/machine_auth.py#L53 by default the test request is /login if it redirects immediately to openid then that could be your problem. You can write your own MachineAuthProvider and set it on MACHINE_AUTH_PROVIDER_CLASS config key.

dpgaspar on May 19, 2021

I’ve solved permissions issue by changing WorkingDirectory(in systemd service file) to $HOME of the user but /dev/null looks good too 😄 I’ve changed URL to fronted (apache proxy) and it looks it’s stuck on login page at keycloak …

Headless browser is redirected to /login …

[19/May/2021:18:46:01 +0200] "GET /login/ HTTP/1.1" 302 6863 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/90.0.4430.212 Safari/537.36"

and after that it’s redirected to Keycloak instance (OIDC provider) …

[19/May/2021:18:46:01 +0200] "GET /auth/realms/<REALM>/openid-connect/auth?...

… and again and again … (/login -> keycloak instance -> nothing) … but this type of authentication is the only working solution for user friendly OIDC login … and we want to use reports too 😕 😕 😕

dusatvoj on May 19, 2021