Posted to commits@airflow.apache.org by "Paul Greenberg (JIRA)" <ji...@apache.org> on 2019/07/18 03:36:00 UTC

[jira] [Created] (AIRFLOW-4987) ldap backend KeyError: 'attributes'

Paul Greenberg created AIRFLOW-4987:
---------------------------------------

             Summary: ldap backend KeyError: 'attributes'
                 Key: AIRFLOW-4987
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4987
             Project: Apache Airflow
          Issue Type: Bug
          Components: authentication
    Affects Versions: 1.10.3
            Reporter: Paul Greenberg


Prior to using LDAP, I used a local account `myadmin`.

When I switched to LDAP auth and browse to the login page (non-authenticated), `myadmin` is being checked against LDAP. It obviously fails ... however, it does it in a weird way.


{code}
Consider the following search filter. The `myadmin` user does not exist in the LDAP directory on a server (here Microsoft Active Directory AD).

```
'(&(objectClass=*)(sAMAccountName=myadmin))'
```

The server will respond. It will not return `None`. The following code will not be triggered.

```python
    if not res:
        log.info("Cannot find user %s", username)
        raise AuthenticationError("Invalid username or password")
```

Instead, the server responds with the following object:

```
[{'type': 'searchResRef',
'uri': [u'ldaps://DomainDnsZones.EXAMPLE.ORG/DC=DomainDnsZones,DC=EXAMPLE,DC=ORG']},
{'type': 'searchResRef',
'uri': [u'ldaps://ForestDnsZones.EXAMPLE.ORG/DC=ForestDnsZones,DC=EXAMPLE,DC=ORG']},
{'type': 'searchResRef',
'uri': [u'ldaps://EXAMPLE.ORG/CN=Configuration,DC=EXAMPLE,DC=ORG']}]
```

At the point below, the code raises a `KeyError: 'attributes'` exception, because `attributes` is not in the first dictionary of the array:

https://github.com/apache/airflow/blob/master/airflow/contrib/auth/backends/ldap_auth.py#L111-L118

```python
    if conn.response and memberof_attr not in conn.response[0]["attributes"]:
        log.warning("""Missing attribute "%s" when looked-up in Ldap database.
        The user does not seem to be a member of a group and therefore won't see any dag
        if the option filter_by_owner=True and owner_mode=ldapgroup are set""",
                    memberof_attr)
        return []
```
{code}



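One way to handle the response shape reported above, as an added example that is not Airflow's code or the reporter's: keep only `searchResEntry` items before reading `attributes`, so a referral-only answer is treated as "user not found" and the login fails with the normal error instead of an unhandled `KeyError`. The helper names and the `WITH_USER` sample are constructed for illustration; the referral entries are copied from the report.

```python
# Response items mirror the dicts shown in the report (ldap3 `conn.response`).
class AuthenticationError(Exception):
    """Stand-in for the backend's AuthenticationError."""

# The three referrals from the report: what AD returned for the unknown user.
REFERRALS_ONLY = [
    {"type": "searchResRef",
     "uri": ["ldaps://DomainDnsZones.EXAMPLE.ORG/DC=DomainDnsZones,DC=EXAMPLE,DC=ORG"]},
    {"type": "searchResRef",
     "uri": ["ldaps://ForestDnsZones.EXAMPLE.ORG/DC=ForestDnsZones,DC=EXAMPLE,DC=ORG"]},
    {"type": "searchResRef",
     "uri": ["ldaps://EXAMPLE.ORG/CN=Configuration,DC=EXAMPLE,DC=ORG"]},
]
# Constructed sample: one real entry followed by a referral.
WITH_USER = [
    {"type": "searchResEntry", "dn": "CN=jdoe,DC=EXAMPLE,DC=ORG",
     "attributes": {"memberOf": ["CN=airflow-users,DC=EXAMPLE,DC=ORG"]}},
    REFERRALS_ONLY[2],
]

def search_entries(response):
    """Keep real directory entries; drop referrals and anything else."""
    return [r for r in (response or []) if r.get("type") == "searchResEntry"]

def require_single_entry(response):
    """Fail closed with the normal login error unless exactly one entry matched."""
    entries = search_entries(response)
    if len(entries) != 1:
        raise AuthenticationError("Invalid username or password")
    return entries[0]

def group_dns(response, memberof_attr="memberOf"):
    """Return the user's group DNs, or [] when there is no entry or attribute."""
    entries = search_entries(response)
    if not entries:
        return []
    return list(entries[0].get("attributes", {}).get(memberof_attr, []))
```

Rejecting more than one matching entry is an extra assumption here: an ambiguous match is treated the same as no match.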