[ https://issues.apache.org/jira/browse/AIRFLOW-3020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16606630#comment-16606630 ]
ASF GitHub Bot commented on AIRFLOW-3020: ----------------------------------------- zeninpalm opened a new pull request #3859: [AIRFLOW-3020]LDAP Authentication doesn't check whether a user belongs to a group correctly URL: https://github.com/apache/incubator-airflow/pull/3859 …ler in LDAP Make sure you have checked _all_ steps below. ### Jira - [ ] My PR addresses the following [Airflow Jira](https://issues.apache.org/jira/browse/AIRFLOW/) issues and references them in the PR title. For example, "\[AIRFLOW-XXX\] My Airflow PR" - https://issues.apache.org/jira/browse/AIRFLOW-3020 - In case you are fixing a typo in the documentation you can prepend your commit with \[AIRFLOW-XXX\], code changes always need a Jira issue. ### Description - [ ] Here are some details about my PR, including screenshots of any UI changes: ### Tests - [ ] My PR adds the following unit tests __OR__ does not need testing for this extremely good reason: ### Commits - [ ] My commits all reference Jira issues in their subject lines, and I have squashed multiple commits if they address the same issue. In addition, my commits follow the guidelines from "[How to write a good git commit message](http://chris.beams.io/posts/git-commit/)": 1. Subject is separated from body by a blank line 1. Subject is limited to 50 characters (not including Jira issue reference) 1. Subject does not end with a period 1. Subject uses the imperative mood ("add", not "adding") 1. Body wraps at 72 characters 1. Body explains "what" and "why", not "how" ### Documentation - [ ] In case of new functionality, my PR adds documentation that describes how to use it. - When adding new operators/hooks/sensors, the autoclass documentation generation needs to be added. ### Code Quality - [ ] Passes `git diff upstream/master -u -- "*.py" | flake8 --diff` ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > LDAP Authentication doesn't check whether a user belongs to a group correctly > ----------------------------------------------------------------------------- > > Key: AIRFLOW-3020 > URL: https://issues.apache.org/jira/browse/AIRFLOW-3020 > Project: Apache Airflow > Issue Type: Bug > Components: authentication > Affects Versions: 1.9.0, 1.10.0 > Reporter: Yi Wei > Assignee: Yi Wei > Priority: Major > > According to Airflow documentation at > [https://airflow.apache.org/security.html#ldap,] to enable LDAP > authentication, we should write airflow.cfg like this: > [ldap] > uri = ldap://XXX.YYY.org > user_filter = objectClass=* > user_name_attr = sAMAccountName > superuser_filter = CN=XXX_Programmers > bind_user = user_on_ldap > bind_password = insecure > basedn =OU=Some,DC=other,DC=org > search_scope = SUBTREE > > But after enabling LDAP authentication, I just cannot log in with a superuser > role. I double-checked my membership to the superuser groups and confirmed I > belong to the specified group in 'superuser_filter', still Airflow won't > recognize me as a superuser. > So, I checked airflow/contrib/auth/backends/ldap_auth.py, the > group_contains_user function doesn't work as I expected: > > This line: > conn.search(native(search_base), native(search_filter), > attributes=[native(user_name_attr)]) > it search the group and extracts the sAMAccountName attribute of the group, > then: > for entry in conn.entries: > if user_name in getattr(entry, user_name_attr).values: > return True > the code snippet will never return True, because how can user_name occur in > group_name anyway? > Not sure if this issue only occurs in my company, please correct me if you > have any suggestion. -- This message was sent by Atlassian JIRA (v7.6.3#76005)