[ https://issues.apache.org/jira/browse/AIRFLOW-3020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16606630#comment-16606630 ]

ASF GitHub Bot commented on AIRFLOW-3020:
-----------------------------------------

zeninpalm opened a new pull request #3859: [AIRFLOW-3020]LDAP Authentication 
doesn't check whether a user belongs to a group correctly
URL: https://github.com/apache/incubator-airflow/pull/3859
 
 
   …ler in LDAP
   
   Make sure you have checked _all_ steps below.
   
   ### Jira
   
   - [ ] My PR addresses the following [Airflow 
Jira](https://issues.apache.org/jira/browse/AIRFLOW/) issues and references 
them in the PR title. For example, "\[AIRFLOW-XXX\] My Airflow PR"
     - https://issues.apache.org/jira/browse/AIRFLOW-3020
     - In case you are fixing a typo in the documentation you can prepend your 
commit with \[AIRFLOW-XXX\], code changes always need a Jira issue.
   
   ### Description
   
   - [ ] Here are some details about my PR, including screenshots of any UI 
changes:
   
   ### Tests
   
   - [ ] My PR adds the following unit tests __OR__ does not need testing for 
this extremely good reason:
   
   ### Commits
   
   - [ ] My commits all reference Jira issues in their subject lines, and I 
have squashed multiple commits if they address the same issue. In addition, my 
commits follow the guidelines from "[How to write a good git commit 
message](http://chris.beams.io/posts/git-commit/)":
     1. Subject is separated from body by a blank line
     1. Subject is limited to 50 characters (not including Jira issue reference)
     1. Subject does not end with a period
     1. Subject uses the imperative mood ("add", not "adding")
     1. Body wraps at 72 characters
     1. Body explains "what" and "why", not "how"
   
   ### Documentation
   
   - [ ] In case of new functionality, my PR adds documentation that describes 
how to use it.
     - When adding new operators/hooks/sensors, the autoclass documentation 
generation needs to be added.
   
   ### Code Quality
   
   - [ ] Passes `git diff upstream/master -u -- "*.py" | flake8 --diff`
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> LDAP Authentication doesn't check whether a user belongs to a group correctly
> -----------------------------------------------------------------------------
>
>                 Key: AIRFLOW-3020
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-3020
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: authentication
>    Affects Versions: 1.9.0, 1.10.0
>            Reporter: Yi Wei
>            Assignee: Yi Wei
>            Priority: Major
>
> According to Airflow documentation at 
> https://airflow.apache.org/security.html#ldap, to enable LDAP 
> authentication, we should write airflow.cfg like this:
> [ldap]
> uri = ldap://XXX.YYY.org
> user_filter = objectClass=*
> user_name_attr = sAMAccountName
> superuser_filter = CN=XXX_Programmers
> bind_user = user_on_ldap
> bind_password = insecure
> basedn = OU=Some,DC=other,DC=org
> search_scope = SUBTREE
>  
> But after enabling LDAP authentication, I just cannot log in with a superuser 
> role. I double-checked my membership to the superuser groups and confirmed I 
> belong to the specified group in 'superuser_filter', still Airflow won't 
> recognize me as a superuser.
> So, I checked airflow/contrib/auth/backends/ldap_auth.py, the 
> group_contains_user function doesn't work as I expected:
>  
> This line:
> conn.search(native(search_base), native(search_filter), 
> attributes=[native(user_name_attr)])
> it searches the group and extracts the sAMAccountName attribute of the group, 
> then:
>     for entry in conn.entries:
>         if user_name in getattr(entry, user_name_attr).values:
>             return True
> the code snippet will never return True, because how can user_name occur in 
> group_name anyway? 
> Not sure if this issue only occurs in my company, please correct me if you 
> have any suggestion.
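
The check described in the issue above, run against a small constructed in-memory directory, next to a variant that reads the group's `member` attribute instead. This is an added example, not Airflow's code and not the change in pull request #3859; `search`, `find_user_dn`, the sample entries and the choice of `member` are assumptions made for illustration.

```python
# Constructed sample directory (DN -> multi-valued attributes); not real data.
BASE = "OU=Some,DC=other,DC=org"
DIRECTORY = {
    "CN=XXX_Programmers," + BASE: {
        "objectClass": ["group"],
        "sAMAccountName": ["XXX_Programmers"],
        "member": ["CN=Alice Example," + BASE],
    },
    "CN=Alice Example," + BASE: {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=Bob Example," + BASE: {"objectClass": ["user"], "sAMAccountName": ["bob"]},
}


def search(rdn_filter, attributes):
    """Hypothetical stand-in for conn.search(): match entries by leading RDN."""
    prefix = rdn_filter.lower() + ","
    return [
        {a: attrs.get(a, []) for a in attributes}
        for dn, attrs in DIRECTORY.items()
        if dn.lower().startswith(prefix)
    ]


def group_contains_user_as_reported(group_filter, user_name, user_name_attr="sAMAccountName"):
    """Logic from the issue: compares the login name with the group's own account name."""
    for entry in search(group_filter, [user_name_attr]):
        if user_name in entry[user_name_attr]:
            return True
    return False


def find_user_dn(user_name, user_name_attr="sAMAccountName"):
    """Resolve a login name to the DN of exactly one user entry, else None."""
    hits = [dn for dn, attrs in DIRECTORY.items()
            if "user" in attrs.get("objectClass", []) and user_name in attrs.get(user_name_attr, [])]
    return hits[0] if len(hits) == 1 else None


def group_contains_user_by_member(group_filter, user_name):
    """Assumed alternative: exact, case-folded match of the user's DN against `member`."""
    user_dn = find_user_dn(user_name)
    if user_dn is None:
        return False  # unknown or ambiguous user: deny
    for entry in search(group_filter, ["member"]):
        if user_dn.lower() in (m.lower() for m in entry["member"]):
            return True
    return False
```

Lower-casing is a simplified DN comparison, and only direct membership is checked; nested groups would need a separate lookup.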



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
