You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by "Yi Wei (JIRA)" <ji...@apache.org> on 2018/09/06 10:01:00 UTC
[jira] [Created] (AIRFLOW-3020) LDAP Authentication doesn't check
whether a user belongs to a group correctly
Yi Wei created AIRFLOW-3020:
-------------------------------
Summary: LDAP Authentication doesn't check whether a user belongs to a group correctly
Key: AIRFLOW-3020
URL: https://issues.apache.org/jira/browse/AIRFLOW-3020
Project: Apache Airflow
Issue Type: Bug
Components: authentication
Affects Versions: 1.10.0, 1.9.0
Reporter: Yi Wei
Assignee: Yi Wei
According to Airflow documentation at [https://airflow.apache.org/security.html#ldap,] to enable LDAP authentication, we should write airflow.cfg like this:
[ldap]
uri = ldap://XXX.YYY.org
user_filter = objectClass=*
user_name_attr = sAMAccountName
superuser_filter = CN=XXX_Programmers
bind_user = user_on_ldap
bind_password = insecure
basedn =OU=Some,DC=other,DC=org
search_scope = SUBTREE
But after enabling LDAP authentication, I just cannot log in with a superuser role. I double-checked my membership to the superuser groups and confirmed I belong to the specified group in 'superuser_filter', still Airflow won't recognize me as a superuser.
So, I checked airflow/contrib/auth/backends/ldap_auth.py, the group_contains_user function doesn't work as I expected:
This line:
conn.search(native(search_base), native(search_filter), attributes=[native(user_name_attr)])
it search the group and extracts the sAMAccountName attribute of the group, then:
for entry in conn.entries:
if user_name in getattr(entry, user_name_attr).values:
return True
the code snippet will never return True, because how can user_name occur in group_name anyway?
Not sure if this issue only occurs in my company, please correct me if you have any suggestion.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)