Assign superset roles to Keycloak authenticated users using the AUTH_ROLES_MAPPING

[benelot]

I am currently working on integrating superset with keycloak to use the ldap/AD of our company. Integration works fine such that the AD users can login with their password. Through the use of a role-mapper in keycloak and a configuration in client scope, I even get the ldap groups to show up as 'role_keys' as part of keycloak's user_info response. However, it seems like superset does not pick up these roles at all.

I am following the guide of restack (https://www.restack.io/docs/superset-knowledge-apache-superset-keycloak-integration) that works very well so far up to that step.
From the link:
Step 3: Map Keycloak Roles to Superset Permissions

Use the AUTH_ROLES_MAPPING configuration in Superset to map Keycloak roles to Superset roles. For instance:

AUTH_ROLES_MAPPING = { "Superset_Admin": ["Admin"], "Superset_Alpha": ["Alpha"], "Superset_Gamma": ["Gamma"] }

I additionally had to find out about how to set the client scope for role_keys. The role_keys were suggested by several users on stackoverflow and also superset's authentication base Flask App Builder suggests that all OAuth Providers just need to provide 'role_keys' in user_info to make role_mapping work (" # however, if you customize userinfo retrieval to include 'role_keys', this will work for other providers" from https://flask-appbuilder.readthedocs.io/en/v4.3.0/security.html#authentication-oauth). I even checked using curl that the user_info really contains a 'role_keys' attribute in the json response.

What am I doing wrong? Do I really need to override the Apache Security Manager and do the role mapping myself? I expected that if I followed the requirements by flask, I would get the mapping out of the box.

I am happy to provide a full recipe for the integration once I get the roles mapped on login.

I really appreciate any help!

Thx,

[blarghmatey]

The missing piece is that the out-of-the-box support for Keycloak omits the role_keys attribute from the return value in Flask AppBuilder (you can see that here)

To address that shortcoming you'll need to create and use a custom security manager class to manage passing that role_keys attribute through. For example, this is what I did in my deployment to handle that case.

[benelot]

Thank you for the perfect answer! I think I am going to pull-request to Flask-AppBuilder to just include the role_keys there as well. They write that by providing the 'role_keys', it should pick up roles for other providers, and including them in the default keycloak call sounds like an improvement toward that promise.