API authenthication using db-provider when connected to LDAP

[ziggekatten]

Running Superset 3.1 using LDAP provider. WOrks like an charm.

Now, we are implementing OpenMetadata, and connecting to the API using my LDAP credentials works and I can ingest stuff. However, since this is an corporate AD, I have no "service account" available, and I can't use my personal credentials, since they expire every x days. So the solution would be to use db-authentication on the api.

Doing an post /api/v1/security/login returns:

{
  "message": {
    "provider": [
      "Alternative authentication provider is not allowed"
    ]
  }
}

Some sources points to an variable: AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS=true should fix this, but it seems that it's not picked up when set.

Anyone had success with using db-provider for API access when using other provider for UI?

[dosubot[bot]]

Hey @ziggekatten! I'm here to help you with any bugs, questions, or anything else you need assistance with. Let's tackle this together!

The error message you're encountering suggests that the API is not allowing an alternative authentication provider. The AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS variable is intended to enable multiple authentication providers for API access, but it seems it might not be functioning as expected in your setup.

Here are a few steps you can try:

1. Verify Configuration: Ensure that AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS is correctly set in your superset_config.py file. Double-check for any typos or syntax errors.

2. Restart Superset: After making changes to the configuration, restart your Superset instance to apply the changes.

3. Check Logs: Look at the Superset logs for any errors or warnings that might indicate why the configuration isn't being applied.

4. Custom Security Manager: If the above steps don't work, consider implementing a custom security manager to handle specific logic for API authentication.

If these steps don't resolve the issue, it might be necessary to look deeper into the codebase or consider alternative approaches for service account management.

To continue talking to Dosu, mention @dosu.

[ziggekatten]

Forgot to add the variable in the superset_config.py.... Just adding the environment variable does not work. Works now.

[ampil]

Hi @ziggekatten!
Can you please give more details how you enabled both LDAP and DB authentications?

I have exactly the same setup:

• we use LDAP for authentication in the organization
• I can't use my login because the password changes each X days and an account will be disabled in case I leave the organization
• I need some service account in Superset db.
• I use API

I have two types of errors:

1. "Alternative authentication provider is not allowed"
   when AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS line is omitted in config.py
   or
2. 500, {"message":"Fatal error"}
   when AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS = True

Related parameters from config.py:

from flask_appbuilder.security.manager import AUTH_LDAP
from flask_appbuilder.security.manager import AUTH_DB
...
AUTH_TYPE = AUTH_LDAP
...
AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS = True

And send this payload in Python:

  login_payload = {
      'username': self.username,
      'password': self.password,
      'provider': self.provider
  }
  response = requests.post(
      f'{self.superset_url}/api/v1/security/login',
      json=login_payload, verify=False
  )

where provider is 'db', username is an account created in Superset (not LDAP).

[ziggekatten]

The only thing i did was adding this row to my superset_config.py (we run in docker):
AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS = get_env_variable("AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS")

and the we added an environment variable AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS=True
and it worked using an db-created user. The get_env_variable() funcion just gets the OS env variable

[ampil]

Thank you for the update.
We run Superset natively on Linux, and it's 3.0.0 maybe that causes a problem

[ampil]

Resolved the issue by asking our IT team to create a new user in Active Directory and by changing the LDAP connection string, specifically the ou, in config.py.