[
https://issues.apache.org/jira/browse/AIRFLOW-3020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16611651#comment-16611651
]
ASF GitHub Bot commented on AIRFLOW-3020:
-----------------------------------------
zeninpalm closed pull request #3859: [AIRFLOW-3020]LDAP Authentication doesn't
check whether a user belongs to a group correctly
URL: https://github.com/apache/incubator-airflow/pull/3859
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/airflow/contrib/auth/backends/ldap_auth.py
b/airflow/contrib/auth/backends/ldap_auth.py
index a949e89a77..a3bd0aaea0 100644
--- a/airflow/contrib/auth/backends/ldap_auth.py
+++ b/airflow/contrib/auth/backends/ldap_auth.py
@@ -74,7 +74,8 @@ def get_ldap_connection(dn=None, password=None):
return conn
-def group_contains_user(conn, search_base, group_filter, user_name_attr,
username):
+def user_groups_contain_target_group(conn, search_base, group_filter,
user_name_attr,
+ group_names_of_user):
search_filter = '(&({0}))'.format(group_filter)
if not conn.search(native(search_base), native(search_filter),
@@ -82,9 +83,10 @@ def group_contains_user(conn, search_base, group_filter,
user_name_attr, usernam
log.warning("Unable to find group for %s %s", search_base,
search_filter)
else:
for entry in conn.entries:
- if username.lower() in map(lambda attr: attr.lower(),
+ for name in group_names_of_user:
+ if name.lower() in map(lambda attr: attr.lower(),
getattr(entry, user_name_attr).values):
- return True
+ return True
return False
@@ -138,16 +140,30 @@ def __init__(self, user):
except AirflowConfigException:
pass
+ # Load the ldap group(s) a user belongs to
+ try:
+ self.ldap_groups = groups_user(
+ conn,
+ configuration.conf.get("ldap", "basedn"),
+ configuration.conf.get("ldap", "user_filter"),
+ configuration.conf.get("ldap", "user_name_attr"),
+ user.username
+ )
+ except AirflowConfigException:
+ log.debug("Missing configuration for ldap settings. Skipping")
+ self.ldap_groups = []
+
if not superuser_filter:
self.superuser = True
log.debug("Missing configuration for superuser settings or empty.
Skipping.")
else:
- self.superuser = group_contains_user(conn,
-
configuration.conf.get("ldap", "basedn"),
- superuser_filter,
- configuration.conf.get("ldap",
-
"user_name_attr"),
- user.username)
+ self.superuser = user_groups_contain_target_group(
+ conn,
+ configuration.conf.get("ldap", "basedn"),
+ superuser_filter,
+ configuration.conf.get("ldap",
+ "user_name_attr"),
+ self.ldap_groups)
try:
data_profiler_filter = configuration.conf.get("ldap",
"data_profiler_filter")
@@ -159,26 +175,16 @@ def __init__(self, user):
log.debug("Missing configuration for data profiler settings or
empty. "
"Skipping.")
else:
- self.data_profiler = group_contains_user(
+ self.data_profiler = user_groups_contain_target_group(
conn,
configuration.conf.get("ldap", "basedn"),
data_profiler_filter,
configuration.conf.get("ldap",
"user_name_attr"),
- user.username
+ self.ldap_groups
)
- # Load the ldap group(s) a user belongs to
- try:
- self.ldap_groups = groups_user(
- conn,
- configuration.conf.get("ldap", "basedn"),
- configuration.conf.get("ldap", "user_filter"),
- configuration.conf.get("ldap", "user_name_attr"),
- user.username
- )
- except AirflowConfigException:
- log.debug("Missing configuration for ldap settings. Skipping")
+
@staticmethod
def try_login(username, password):
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> LDAP Authentication doesn't check whether a user belongs to a group correctly
> -----------------------------------------------------------------------------
>
> Key: AIRFLOW-3020
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3020
> Project: Apache Airflow
> Issue Type: Bug
> Components: authentication
> Affects Versions: 1.9.0, 1.10.0
> Reporter: Yi Wei
> Assignee: Yi Wei
> Priority: Major
>
> According to Airflow documentation at
> [https://airflow.apache.org/security.html#ldap,] to enable LDAP
> authentication, we should write airflow.cfg like this:
> [ldap]
> uri = ldap://XXX.YYY.org
> user_filter = objectClass=*
> user_name_attr = sAMAccountName
> superuser_filter = CN=XXX_Programmers
> bind_user = user_on_ldap
> bind_password = insecure
> basedn =OU=Some,DC=other,DC=org
> search_scope = SUBTREE
>
> But after enabling LDAP authentication, I just cannot log in with a superuser
> role. I double-checked my membership to the superuser groups and confirmed I
> belong to the specified group in 'superuser_filter', still Airflow won't
> recognize me as a superuser.
> So, I checked airflow/contrib/auth/backends/ldap_auth.py, the
> group_contains_user function doesn't work as I expected:
>
> This line:
> conn.search(native(search_base), native(search_filter),
> attributes=[native(user_name_attr)])
> it search the group and extracts the sAMAccountName attribute of the group,
> then:
> for entry in conn.entries:
> if user_name in getattr(entry, user_name_attr).values:
> return True
> the code snippet will never return True, because how can user_name occur in
> group_name anyway?
> Not sure if this issue only occurs in my company, please correct me if you
> have any suggestion.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
