[ https://issues.apache.org/jira/browse/AIRFLOW-3020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16611651#comment-16611651 ]
ASF GitHub Bot commented on AIRFLOW-3020: ----------------------------------------- zeninpalm closed pull request #3859: [AIRFLOW-3020]LDAP Authentication doesn't check whether a user belongs to a group correctly URL: https://github.com/apache/incubator-airflow/pull/3859 This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/airflow/contrib/auth/backends/ldap_auth.py b/airflow/contrib/auth/backends/ldap_auth.py index a949e89a77..a3bd0aaea0 100644 --- a/airflow/contrib/auth/backends/ldap_auth.py +++ b/airflow/contrib/auth/backends/ldap_auth.py @@ -74,7 +74,8 @@ def get_ldap_connection(dn=None, password=None): return conn -def group_contains_user(conn, search_base, group_filter, user_name_attr, username): +def user_groups_contain_target_group(conn, search_base, group_filter, user_name_attr, + group_names_of_user): search_filter = '(&({0}))'.format(group_filter) if not conn.search(native(search_base), native(search_filter), @@ -82,9 +83,10 @@ def group_contains_user(conn, search_base, group_filter, user_name_attr, usernam log.warning("Unable to find group for %s %s", search_base, search_filter) else: for entry in conn.entries: - if username.lower() in map(lambda attr: attr.lower(), + for name in group_names_of_user: + if name.lower() in map(lambda attr: attr.lower(), getattr(entry, user_name_attr).values): - return True + return True return False @@ -138,16 +140,30 @@ def __init__(self, user): except AirflowConfigException: pass + # Load the ldap group(s) a user belongs to + try: + self.ldap_groups = groups_user( + conn, + configuration.conf.get("ldap", "basedn"), + configuration.conf.get("ldap", "user_filter"), + configuration.conf.get("ldap", "user_name_attr"), + user.username + ) + except AirflowConfigException: + log.debug("Missing configuration for ldap settings. Skipping") + self.ldap_groups = [] + if not superuser_filter: self.superuser = True log.debug("Missing configuration for superuser settings or empty. Skipping.") else: - self.superuser = group_contains_user(conn, - configuration.conf.get("ldap", "basedn"), - superuser_filter, - configuration.conf.get("ldap", - "user_name_attr"), - user.username) + self.superuser = user_groups_contain_target_group( + conn, + configuration.conf.get("ldap", "basedn"), + superuser_filter, + configuration.conf.get("ldap", + "user_name_attr"), + self.ldap_groups) try: data_profiler_filter = configuration.conf.get("ldap", "data_profiler_filter") @@ -159,26 +175,16 @@ def __init__(self, user): log.debug("Missing configuration for data profiler settings or empty. " "Skipping.") else: - self.data_profiler = group_contains_user( + self.data_profiler = user_groups_contain_target_group( conn, configuration.conf.get("ldap", "basedn"), data_profiler_filter, configuration.conf.get("ldap", "user_name_attr"), - user.username + self.ldap_groups ) - # Load the ldap group(s) a user belongs to - try: - self.ldap_groups = groups_user( - conn, - configuration.conf.get("ldap", "basedn"), - configuration.conf.get("ldap", "user_filter"), - configuration.conf.get("ldap", "user_name_attr"), - user.username - ) - except AirflowConfigException: - log.debug("Missing configuration for ldap settings. Skipping") + @staticmethod def try_login(username, password): ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > LDAP Authentication doesn't check whether a user belongs to a group correctly > ----------------------------------------------------------------------------- > > Key: AIRFLOW-3020 > URL: https://issues.apache.org/jira/browse/AIRFLOW-3020 > Project: Apache Airflow > Issue Type: Bug > Components: authentication > Affects Versions: 1.9.0, 1.10.0 > Reporter: Yi Wei > Assignee: Yi Wei > Priority: Major > > According to Airflow documentation at > [https://airflow.apache.org/security.html#ldap,] to enable LDAP > authentication, we should write airflow.cfg like this: > [ldap] > uri = ldap://XXX.YYY.org > user_filter = objectClass=* > user_name_attr = sAMAccountName > superuser_filter = CN=XXX_Programmers > bind_user = user_on_ldap > bind_password = insecure > basedn =OU=Some,DC=other,DC=org > search_scope = SUBTREE > > But after enabling LDAP authentication, I just cannot log in with a superuser > role. I double-checked my membership to the superuser groups and confirmed I > belong to the specified group in 'superuser_filter', still Airflow won't > recognize me as a superuser. > So, I checked airflow/contrib/auth/backends/ldap_auth.py, the > group_contains_user function doesn't work as I expected: > > This line: > conn.search(native(search_base), native(search_filter), > attributes=[native(user_name_attr)]) > it search the group and extracts the sAMAccountName attribute of the group, > then: > for entry in conn.entries: > if user_name in getattr(entry, user_name_attr).values: > return True > the code snippet will never return True, because how can user_name occur in > group_name anyway? > Not sure if this issue only occurs in my company, please correct me if you > have any suggestion. -- This message was sent by Atlassian JIRA (v7.6.3#76005)