You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by "peter pang (JIRA)" <ji...@apache.org> on 2016/07/22 01:48:20 UTC
[jira] [Updated] (AIRFLOW-352) filter_by_owner is not working when
use ldap authentication
[ https://issues.apache.org/jira/browse/AIRFLOW-352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
peter pang updated AIRFLOW-352:
-------------------------------
Description:
I set airflow.cfg as follows:
{noformat}
[webserver]
filter_by_owner = True
authenticate = TRUE
auth_backend = airflow.contrib.auth.backends.ldap_auth
[ldap]
uri = ldap://xx.xx.xx.xx
user_filter = objectClass=*
user_name_attr = uid
superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
bind_user = cn=admin,dc=example,dc=com
bind_password = secret
basedn = dc=example,dc=com
cacert = /etc/ca/ldap_ca.crt
search_scope=SUBTREE
{noformat}
then I run the webUI , and I can login with superuser and data_profiler user. But after login with data profiler user, entered the data profiler user home view , there's no dags listed with the same dag owner. It seems the filter_by_owner setting is not working.
Debug into the views.py --> class HomeView(AdminIndexView):
{color:red}current_user.username{color} always get{color:red} "None"{color}. It seems we can't get username directly.
so , continue debug into the ldap_auth.py --> class LdapUser(models.User):
I added a method to return username
{code}
def get_username(self):
return self.user.username
{code}
then back to view.py , replace 'current_user.username' to {color:red}'current_user.get_username()'{color} , the user filter can work now!
I don't know exactly why, but the modification can work...
was:
I set airflow.cfg as follows:
[webserver]
filter_by_owner = True
authenticate = TRUE
auth_backend = airflow.contrib.auth.backends.ldap_auth
[ldap]
uri = ldap://xx.xx.xx.xx
user_filter = objectClass=*
user_name_attr = uid
superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
bind_user = cn=admin,dc=example,dc=com
bind_password = secret
basedn = dc=example,dc=com
cacert = /etc/ca/ldap_ca.crt
search_scope=SUBTREE
then I run the webUI , and I can login with superuser and data_profiler user. But after login with data profiler user, entered the data profiler user home view , there's no dags listed with the same dag owner. It seems the filter_by_owner setting is not working.
Debug into the views.py --> class HomeView(AdminIndexView):
current_user.username always return "None". It seems we can't get username directly.
so , continue debug into the ldap_auth.py --> class LdapUser(models.User):
I added a method to return username
def get_username(self):
return self.user.username
then back to view.py , replace 'current_user.username' to 'current_user.get_username()' , the user filter can work now!
I don't know exactly why, but the modification can work...
> filter_by_owner is not working when use ldap authentication
> -----------------------------------------------------------
>
> Key: AIRFLOW-352
> URL: https://issues.apache.org/jira/browse/AIRFLOW-352
> Project: Apache Airflow
> Issue Type: Bug
> Components: contrib, security, webserver
> Affects Versions: Airflow 1.7.1.3
> Environment: ubuntu 14.04 LTS , ldap without encryption
> Reporter: peter pang
> Labels: security
>
> I set airflow.cfg as follows:
> {noformat}
> [webserver]
> filter_by_owner = True
> authenticate = TRUE
> auth_backend = airflow.contrib.auth.backends.ldap_auth
> [ldap]
> uri = ldap://xx.xx.xx.xx
> user_filter = objectClass=*
> user_name_attr = uid
> superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
> data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
> bind_user = cn=admin,dc=example,dc=com
> bind_password = secret
> basedn = dc=example,dc=com
> cacert = /etc/ca/ldap_ca.crt
> search_scope=SUBTREE
> {noformat}
> then I run the webUI , and I can login with superuser and data_profiler user. But after login with data profiler user, entered the data profiler user home view , there's no dags listed with the same dag owner. It seems the filter_by_owner setting is not working.
> Debug into the views.py --> class HomeView(AdminIndexView):
> {color:red}current_user.username{color} always get{color:red} "None"{color}. It seems we can't get username directly.
> so , continue debug into the ldap_auth.py --> class LdapUser(models.User):
> I added a method to return username
> {code}
> def get_username(self):
> return self.user.username
> {code}
> then back to view.py , replace 'current_user.username' to {color:red}'current_user.get_username()'{color} , the user filter can work now!
> I don't know exactly why, but the modification can work...
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)