Posted to commits@airflow.apache.org by bo...@apache.org on 2017/10/21 12:22:01 UTC
incubator-airflow git commit: [AIRFLOW-1743] Verify ldap filters
correctly
Repository: incubator-airflow
Updated Branches:
refs/heads/master ca961042c -> 16899a95b
[AIRFLOW-1743] Verify ldap filters correctly
The superuser and data profiler filters were set
by default
in the config template and could not be unset.
Closes #2712 from bolkedebruin/AIRFLOW-1743
Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/16899a95
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/16899a95
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/16899a95
Branch: refs/heads/master
Commit: 16899a95b5cf08d1053892c532f4b494b2f7d0cc
Parents: ca96104
Author: Bolke de Bruin <bo...@xs4all.nl>
Authored: Sat Oct 21 14:21:54 2017 +0200
Committer: Bolke de Bruin <bo...@xs4all.nl>
Committed: Sat Oct 21 14:21:54 2017 +0200
----------------------------------------------------------------------
airflow/config_templates/default_airflow.cfg | 7 ++--
airflow/contrib/auth/backends/ldap_auth.py | 42 ++++++++++++++++-------
2 files changed, 34 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/16899a95/airflow/config_templates/default_airflow.cfg
----------------------------------------------------------------------
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index fe20261..9166979 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -369,12 +369,13 @@ max_threads = 2
authenticate = False
[ldap]
-uri = ldaps://<your.ldap.server>:<port>
+# set this to ldaps://<your.ldap.server>:<port>
+uri =
user_filter = objectClass=*
user_name_attr = uid
group_member_attr = memberOf
-superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
-data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
+superuser_filter =
+data_profiler_filter =
bind_user = cn=Manager,dc=example,dc=com
bind_password = insecure
basedn = dc=example,dc=com
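Review bot: The template now ships `superuser_filter =` and `data_profiler_filter =` empty with no comment saying what an empty value means. Per the ldap_auth.py change in this same commit, an empty or missing filter makes `LdapUser` set `superuser` and `data_profiler` to True for every user who authenticates, so anyone copying this template gets that without being told. I would add a comment above the two keys, e.g. `# Leave empty to grant every authenticated LDAP user superuser / data profiler rights; set an LDAP filter to restrict them.` The `[ldap]` section continues outside the hunk.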
http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/16899a95/airflow/contrib/auth/backends/ldap_auth.py
----------------------------------------------------------------------
diff --git a/airflow/contrib/auth/backends/ldap_auth.py b/airflow/contrib/auth/backends/ldap_auth.py
index b056851..df29de3 100644
--- a/airflow/contrib/auth/backends/ldap_auth.py
+++ b/airflow/contrib/auth/backends/ldap_auth.py
@@ -93,7 +93,8 @@ def groups_user(conn, search_base, user_filter, user_name_att, username):
memberof_attr = configuration.get("ldap", "group_member_attr")
except:
memberof_attr = "memberOf"
- res = conn.search(native(search_base), native(search_filter), attributes=[native(memberof_attr)])
+ res = conn.search(native(search_base), native(search_filter),
+ attributes=[native(memberof_attr)])
if not res:
log.info("Cannot find user %s", username)
raise AuthenticationError("Invalid username or password")
@@ -101,7 +102,8 @@ def groups_user(conn, search_base, user_filter, user_name_att, username):
if conn.response and memberof_attr not in conn.response[0]["attributes"]:
log.warning("""Missing attribute "%s" when looked-up in Ldap database.
The user does not seem to be a member of a group and therefore won't see any dag
- if the option filter_by_owner=True and owner_mode=ldapgroup are set""", memberof_attr)
+ if the option filter_by_owner=True and owner_mode=ldapgroup are set""",
+ memberof_attr)
return []
user_groups = conn.response[0]["attributes"][memberof_attr]
@@ -126,25 +128,41 @@ class LdapUser(models.User):
# Load and cache superuser and data_profiler settings.
conn = get_ldap_connection(configuration.get("ldap", "bind_user"),
configuration.get("ldap", "bind_password"))
+
+ superuser_filter = None
+ data_profiler_filter = None
try:
+ superuser_filter = configuration.get("ldap", "superuser_filter")
+ except AirflowConfigException:
+ pass
+
+ if not superuser_filter:
+ self.superuser = True
+ log.debug("Missing configuration for superuser settings or empty. Skipping.")
+ else:
self.superuser = group_contains_user(conn,
configuration.get("ldap", "basedn"),
- configuration.get("ldap", "superuser_filter"),
- configuration.get("ldap", "user_name_attr"),
+ superuser_filter,
+ configuration.get("ldap",
+ "user_name_attr"),
user.username)
- except AirflowConfigException:
- self.superuser = True
- log.debug("Missing configuration for superuser settings. Skipping.")
try:
+ data_profiler_filter = configuration.get("ldap", "data_profiler_filter")
+ except AirflowConfigException:
+ pass
+
+ if not data_profiler_filter:
+ self.data_profiler = True
+ log.debug("Missing configuration for data profiler settings or empty. "
+ "Skipping.")
+ else:
self.data_profiler = group_contains_user(conn,
configuration.get("ldap", "basedn"),
- configuration.get("ldap", "data_profiler_filter"),
- configuration.get("ldap", "user_name_attr"),
+ data_profiler_filter,
+ configuration.get("ldap",
+ "user_name_attr"),
user.username)
- except AirflowConfigException:
- self.data_profiler = True
- log.debug("Missing configuration for dataprofiler settings. Skipping")
# Load the ldap group(s) a user belongs to
try:
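Review bot: The `if not superuser_filter:` and `if not data_profiler_filter:` branches fail open: an unset or empty filter ends in `self.superuser = True` / `self.data_profiler = True`, and the only trace is a `log.debug` line that most deployments never emit. With the config template in this commit now shipping both filters empty, that is the out-of-the-box state, so I would make it visible by raising the level, e.g. `log.warning("ldap superuser_filter is empty or missing; all authenticated users are treated as superusers")`, and the same for the data profiler branch. Whether the default should instead be deny is a compatibility call for the maintainers, but the privileged default should at least be documented in a comment next to the assignment. The enclosing `__init__` starts and ends outside the hunk.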