OZ-753: Ozone Analytics run with Ozone FOSS with SSO enabled (#39)

docker/docker-compose-superset-ports.yaml

@@ -1,4 +1,4 @@
 services:
   superset:
     ports:
-      - "8188:8088"
+      - "8088:8088"

docker/docker-compose-superset.yaml

@@ -20,9 +20,9 @@ services:
       - ANALYTICS_DB_USER=${ANALYTICS_DB_USER}
       - ANALYTICS_DB_HOST=${ANALYTICS_DB_HOST}
       - ANALYTICS_DATASOURCE_NAME=${ANALYTICS_DATASOURCE_NAME}
-      - SUPERSET_PUBLIC_URL=https://${SUPERSET_HOSTNAME}
-      - KEYCLOAK_URL=https://${KEYCLOAK_HOSTNAME}
-      - ISSUER_URL=https://${KEYCLOAK_HOSTNAME}/realms/ozone/
+      - SUPERSET_PUBLIC_URL=${SCHEME}://${SUPERSET_HOSTNAME}
+      - KEYCLOAK_URL=${SCHEME}://${KEYCLOAK_HOSTNAME}
+      - ISSUER_URL=${SCHEME}://${KEYCLOAK_HOSTNAME}/realms/ozone/
       - SUPERSET_CLIENT_SECRET=${SUPERSET_CLIENT_SECRET}
       - SUPERSET_CLIENT_ID=superset
       - ENABLE_OAUTH=${ENABLE_OAUTH}
@@ -39,8 +39,6 @@ services:
     restart: unless-stopped
     volumes: &superset-volumes
       - ${SUPERSET_CONFIG_PATH}/superset_config.py:/app/superset_config.py
-      - ${SUPERSET_CONFIG_PATH}/security.py:/app/security.py
-      - ${SUPERSET_CONFIG_PATH}/superset-init.sh:/app/superset-init.sh
 
   superset-worker:
     command: "celery --app=superset.tasks.celery_app:app worker -Ofair -n worker1@%h --loglevel=INFO"
@@ -67,13 +65,10 @@ services:
     image: *superset-image
     restart: on-failure
     volumes:
-      - ${SUPERSET_CONFIG_PATH}/superset_config.py:/app/superset_config.py
-      - ${SUPERSET_CONFIG_PATH}/security.py:/app/security.py
-      - ${SUPERSET_CONFIG_PATH}/superset-init.sh:/app/superset-init.sh
       - ${SUPERSET_DASHBOARDS_PATH}/:/dashboards/
     networks:
       - ozone-analytics
-    
+
   redis:
     image: redis:7
     restart: unless-stopped
@@ -93,4 +88,3 @@ networks:
   ozone-analytics:
   web:
     external: true
-    name: web

docker/proxy/docker-compose-nginx.yaml

@@ -0,0 +1,21 @@
+services:
+  proxy:
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost/"]
+    image: nginx:1.25-alpine
+    networks:
+      - ozone-analytics
+    ports:
+      - "${PROXY_PUBLIC_PORT:-81}:80"
+      - "8088:8088"
+    restart: unless-stopped
+    volumes:
+      - "${PROXY_TLS_CERTS_PATH:-proxy-tls-certs}:/etc/tls"
+      - ./nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./superset.conf:/etc/nginx/conf.d/superset.conf:ro
+
+volumes:
+  proxy-tls-certs: ~
+
+networks:
+  ozone-analytics:

docker/proxy/nginx.conf

@@ -0,0 +1,31 @@
+user  nobody;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+
+events {
+  worker_connections  1024;
+}
+
+
+http {
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+
+  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+  access_log  /var/log/nginx/access.log  main;
+
+  sendfile      on;
+  tcp_nopush    on;
+  tcp_nodelay   on;
+
+  keepalive_timeout  65;
+  resolver 127.0.0.11;
+
+  include /etc/nginx/conf.d/*.conf;
+}

docker/proxy/superset.conf

@@ -0,0 +1,21 @@
+server {
+    listen 8088;
+
+    # Main location block for all routes
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Port 8088;
+        proxy_pass http://superset:8088;
+    }
+
+    # Specific location block for logout endpoint
+    location /logout {
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Port 8088;
+        proxy_pass http://superset:8088;
+    }
+}

docker/superset/config/superset_config.py

@@ -1,9 +1,7 @@
 import logging
 import os
-from dotenv import load_dotenv
 from cachelib import RedisCache
 
-from cachelib.file import FileSystemCache
 logger = logging.getLogger()
 
 def password_from_env(url):
@@ -53,7 +51,6 @@ def get_env_variable(var_name, default=None):
 REDIS_RESULTS_DB = get_env_variable("REDIS_CELERY_DB", 1)
 
 RESULTS_BACKEND = RedisCache(host=REDIS_HOST, port=REDIS_PORT, key_prefix='superset_results')
-# RESULTS_BACKEND = FileSystemCache("/app/superset_home/sqllab")
 
 class CeleryConfig(object):
     BROKER_URL = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_CELERY_DB}"
@@ -74,7 +71,10 @@ class CeleryConfig(object):
 
 CELERY_CONFIG = CeleryConfig
 SQLLAB_CTAS_NO_LIMIT = True
-PERMANENT_SESSION_LIFETIME = 86400
+
+# Session lifetime set to 86400 seconds (24 hours), which is a standard duration that balances security and user convenience.
+SECONDS_PER_DAY = 60 * 60 * 24  # Seconds per minute * minutes per hour * hours per day
+PERMANENT_SESSION_LIFETIME = SECONDS_PER_DAY
 
 class ReverseProxied(object):
 
@@ -95,7 +95,7 @@ def __call__(self, environ, start_response):
         return self.app(environ, start_response)
 
 
-ADDITIONAL_MIDDLEWARE = [ReverseProxied, ]
+ADDITIONAL_MIDDLEWARE = [ReverseProxied]
 ENABLE_PROXY_FIX = True
 
 # Enable the security manager API.
@@ -106,24 +106,28 @@ def __call__(self, environ, start_response):
     from security import CustomSecurityManager
     AUTH_ROLES_SYNC_AT_LOGIN = True
     AUTH_USER_REGISTRATION = True
-    AUTH_USER_REGISTRATION_ROLE = "Admin"
+    AUTH_USER_REGISTRATION_ROLE = "Gamma"
     CUSTOM_SECURITY_MANAGER = CustomSecurityManager
-    LOGOUT_REDIRECT_URL = os.environ.get("SUPERSET_URL")
+    LOGOUT_REDIRECT_URL = os.environ.get("SUPERSET_PUBLIC_URL")
     AUTH_TYPE = AUTH_OAUTH
     OAUTH_PROVIDERS = [
         {
             'name': 'keycloak',
-            'token_key': 'access_token',  # Name of the token in the response of access_token_url
-            'icon': 'fa-key',   # Icon for the provider
+            'token_key': 'access_token',
+            'icon': 'fa-key',
             'remote_app': {
-                'client_id': os.environ.get("SUPERSET_CLIENT_ID","superset"),  # Client Id (Identify Superset application)
-                'client_secret': os.environ.get("SUPERSET_CLIENT_SECRET"),  # Secret for this Client Id (Identify Superset application)
+                'client_id': os.environ.get("SUPERSET_CLIENT_ID","superset"),
+                'client_secret': os.environ.get("SUPERSET_CLIENT_SECRET"),
                 'api_base_url': os.environ.get("ISSUER_URL").rstrip('/') + "/protocol/openid-connect/",
                 'client_kwargs': {
                     'scope': 'openid profile email',
                 },
-                'logout_redirect_uri': os.environ.get("SUPERSET_URL"),
-                'server_metadata_url': os.environ.get("ISSUER_URL").rstrip('/') + '/.well-known/openid-configuration',  # URL to get metadata from
+                'request_token_params': {
+                    'code_challenge_method': 'S256'
+                },
+                'access_token_url': os.environ.get("ISSUER_URL").rstrip('/') + "/protocol/openid-connect/token",
+                'logout_redirect_uri': os.environ.get("SUPERSET_PUBLIC_URL"),
+                'server_metadata_url': os.environ.get("ISSUER_URL").rstrip('/') + '/.well-known/openid-configuration',
             }
         }
     ]