Work with SPS Team to Figure out how to use/access JWT token to get Roles

[galenatjpl]

SPS Team has settled on an approach to get to the Airflow endpoint/service via the SS proxy (MDPS URL), and has got rid of their internal credentials check. They want to still be able to figure out what roles (i.e. Cognito user groups) are associated with the user that has accessed their Airflow service.
Integrate a script or some other means that will allow them to access roles presumably from the JWT token.

mod_auth_openidc adds request headers that represent the Cognito groups (one CSV header).

Acceptance Criteria:

• Inspect network traffic to Airflow, to make sure headers are passed in
• SPS Team is confident that they can use information passed to them about roles, in the future.

[galenatjpl]

Hi @nikki-t and @LucaCinquini . @ramesh-maddegoda will work on this ticket to help figure out your need to get the user roles.

[ramesh-maddegoda]

I tested a custom implementation of a FabAirflowSecurityManagerOverride class in webserver_config.py and I was able to map Unity Cognito user groups with Airflow user groups.

Please see the screenshots from my local Airflow setup. (Note: Currently this is a local implementation, but we can try the same approach on MCP too).

1. First I logged in to into a website hidden behind Unity HTTPD using an incognito browser window.(It can be Airflow, Management Console or Stac browser). This will ask for Cognito username and password.

2. After that, I used the same web browser to visit the Airflow in hosted in my localhost. Please note that it is not showing the Cognito login page again, because I have already logged in (more like Single Sign On) and the Cognito session is stored in web browser. It only shows a button telling "Sign In with Cognito".

3. After I clicked the "Sign In with Cognito", button, it directed me to local Airflow (no duplicate login required).

4. Please note the "Security Menu" in Airflow. That menu is there because I have both "Unity_Admin" and "Unity_Viewer" Cognito user groups.

5. After that I removed my "Unity_Admin" Cognito user group in Cognito user pool and only kept "Unity_Viewer" .

6. Then I logged in to Airflow again by following steps 1 to 3.

7. Please note that this type the "security" menu is not visible, because now Airflow reciognise my Unity_Viewer Cognito user group as a Airflow Viewer role.