You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by "Paul Greenberg (JIRA)" <ji...@apache.org> on 2019/07/18 03:36:00 UTC
[jira] [Created] (AIRFLOW-4987) ldap backend KeyError: 'attributes'
Paul Greenberg created AIRFLOW-4987:
---------------------------------------
Summary: ldap backend KeyError: 'attributes'
Key: AIRFLOW-4987
URL: https://issues.apache.org/jira/browse/AIRFLOW-4987
Project: Apache Airflow
Issue Type: Bug
Components: authentication
Affects Versions: 1.10.3
Reporter: Paul Greenberg
Prior to using LDAP, I used a local account `myadmin`.
When I switched to LDAP auth, when I browse to login page (non-authenticated), and `myadmin` is being checked against LDAP. It obviously fails ... however, it does it in a weird way.
{code}
Consider the following search filter. The `myadmin` does not exists in LDAP directory on a server (here Microsoft Active Directory AD).
```
'(&(objectClass=*)(sAMAccountName=myadmin))'
```
The server will respond. It will not return `None`. The following code will not be triggered.
```python
if not res:
log.info("Cannot find user %s", username)
raise AuthenticationError("Invalid username or password")
```
Instead, the server responds with the following object:
```
[{'type': 'searchResRef',
'uri': [u'ldaps://DomainDnsZones.EXAMPLE.ORG/DC=DomainDnsZones,DC=EXAMPLE,DC=ORG']},
{'type': 'searchResRef',
'uri': [u'ldaps://ForestDnsZones.EXAMPLE.ORG/DC=ForestDnsZones,DC=EXAMPLE,DC=ORG']},
{'type': 'searchResRef',
'uri': [u'ldaps://EXAMPLE.ORG/CN=Configuration,DC=EXAMPLE,DC=ORG']}]
```
At the below point the code raises `KeyError: 'attributes'` exception, because `attributes` is not in the first dictionary of the array:
https://github.com/apache/airflow/blob/master/airflow/contrib/auth/backends/ldap_auth.py#L111-L118
```
if conn.response and memberof_attr not in conn.response[0]["attributes"]:
log.warning("""Missing attribute "%s" when looked-up in Ldap database.
The user does not seem to be a member of a group and therefore won't see any dag
if the option filter_by_owner=True and owner_mode=ldapgroup are set""",
memberof_attr)
return []
```
{code}
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)