Posted to commits@airflow.apache.org by "Christopher Carney (JIRA)" <ji...@apache.org> on 2019/06/11 17:15:00 UTC

[jira] [Commented] (AIRFLOW-4770) Group Filter doesn't work on LDAP Integration for AD with large groups

    [ https://issues.apache.org/jira/browse/AIRFLOW-4770?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16861229#comment-16861229 ] 

Christopher Carney commented on AIRFLOW-4770:
---------------------------------------------

According to ldap3.Connection documentation:

"The _auto_range_ feature is very useful when searching Active Directory servers. When an Active Directory search returns more than 1000 entries this feature is automatically used by the server. So it can happen that your code works seamlessly until your data grow to exceed the 1000 entries limit and your code stops working properly without any apparent reason."

auto_range is set to True by default, but I am still only seeing 1000 records being returned. Even when explicitly setting conn.auto_range = True in ldap_auth.py, I am still seeing this issue.


> Group Filter doesn't work on LDAP Integration for AD with large groups
> ----------------------------------------------------------------------
>
>                 Key: AIRFLOW-4770
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4770
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: authentication
>    Affects Versions: 1.10.3
>            Reporter: Christopher Carney
>            Priority: Major
>
> It seems as though group_filter under [ldap] in configuration isn't being used properly by the search filter and is creating unnecessary work for the webserver. As per documentation ([https://airflow.apache.org/security.html#ldap]):
> user_name_attr = sAMAccountName
> group_member_attr = memberOf
> superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
> Currently I am following this structure. Method groups_user in ldap_auth.py correctly fetches all the groups a user belongs to by using this search filter:
>  search_filter = "(&({0})({1}={2}))".format(user_filter, user_name_attr, username)
>  
> superuser_filter from airflow.cfg is used in method group_contains_user which looks like it should be using the same filter style, however, uses this style instead:
>  search_filter = '(&({0}))'.format(group_filter)
> This search filter isn't working for AD authentication *because for large LDAP groups (enterprise sized) the AD server isn't returning all users*. By manually changing the search filter to include user_name_attr and username (as per groups_user):
>  search_filter = "(&({0})({1}={2}))".format(group_filter, user_name_attr, username)
> The method is more efficiently allowing the LDAP server to do the querying. 
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
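
The difference between the two filter styles in the quoted issue, as an added example that is not part of the original message or of Airflow's ldap_auth.py: a toy in-memory directory (constructed, 1500 group members) stands in for AD and returns at most 1000 entries per search. The `search` helper, the directory contents and the RFC 4515 escaping of the login name are assumptions added here.

```python
import re

SIZE_LIMIT = 1000  # models the 1000-entry cap on a single AD search
USER_NAME_ATTR = "sAMAccountName"
GROUP_DN = "CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com"
GROUP_FILTER = "memberOf=" + GROUP_DN

# Constructed directory: 1500 users, all members of the superuser group.
DIRECTORY = [
    {USER_NAME_ATTR: "user%04d" % i, "memberOf": GROUP_DN} for i in range(1500)
]


def escape_filter_value(value):
    """RFC 4515 escaping so the login name is matched literally (added hardening)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def unescape(value):
    """Reverse the \\XX escapes, as a server does before comparing values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(search_filter):
    """Toy server: ANDs the (attr=value) terms, returns at most SIZE_LIMIT entries."""
    terms = re.findall(r"\(([^()=]+)=([^()]*)\)", search_filter)
    hits = [e for e in DIRECTORY
            if all(e.get(attr) == unescape(val) for attr, val in terms)]
    return hits[:SIZE_LIMIT]


def group_contains_user_wide(username):
    """Filter style the issue reports: fetch the whole group, match client-side."""
    entries = search("(&({0}))".format(GROUP_FILTER))
    return any(e[USER_NAME_ATTR] == username for e in entries)


def group_contains_user_scoped(username):
    """Filter style the issue proposes: the server matches the single user."""
    search_filter = "(&({0})({1}={2}))".format(
        GROUP_FILTER, USER_NAME_ATTR, escape_filter_value(username))
    return len(search(search_filter)) == 1


if __name__ == "__main__":
    for name in ("user0005", "user1200"):
        print(name, group_contains_user_wide(name), group_contains_user_scoped(name))
```

With the group-wide filter, every member past the first 1000 entries is treated as a non-member, so the failure shows up as a denied superuser check rather than as an error.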