You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by "peter pang (JIRA)" <ji...@apache.org> on 2016/07/22 01:48:20 UTC

[jira] [Updated] (AIRFLOW-352) filter_by_owner is not working when use ldap authentication

     [ https://issues.apache.org/jira/browse/AIRFLOW-352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

peter pang updated AIRFLOW-352:
-------------------------------
    Description: 
I set airflow.cfg as follows:
{noformat}
[webserver]
filter_by_owner = True
authenticate = TRUE
auth_backend = airflow.contrib.auth.backends.ldap_auth

[ldap]
uri = ldap://xx.xx.xx.xx
user_filter = objectClass=*
user_name_attr = uid
superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
bind_user = cn=admin,dc=example,dc=com
bind_password = secret
basedn = dc=example,dc=com
cacert = /etc/ca/ldap_ca.crt
search_scope=SUBTREE
{noformat}

then I run the webUI , and I can login with superuser and data_profiler user. But after login with data profiler user, entered the data profiler user home view , there's no dags listed with the same dag owner. It seems the  filter_by_owner setting is not working.

Debug into the views.py --> class HomeView(AdminIndexView):
{color:red}current_user.username{color} always get{color:red} "None"{color}. It seems we can't get username directly.

so , continue debug into the ldap_auth.py --> class LdapUser(models.User):
I added a method to return username   
{code}
 def get_username(self):
        return self.user.username
{code}

then back to view.py  , replace 'current_user.username' to {color:red}'current_user.get_username()'{color} , the user filter can work now!

I don't know exactly why, but the modification can work...



  was:
I set airflow.cfg as follows:

[webserver]
filter_by_owner = True
authenticate = TRUE
auth_backend = airflow.contrib.auth.backends.ldap_auth

[ldap]
uri = ldap://xx.xx.xx.xx
user_filter = objectClass=*
user_name_attr = uid
superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
bind_user = cn=admin,dc=example,dc=com
bind_password = secret
basedn = dc=example,dc=com
cacert = /etc/ca/ldap_ca.crt
search_scope=SUBTREE

then I run the webUI , and I can login with superuser and data_profiler user. But after login with data profiler user, entered the data profiler user home view , there's no dags listed with the same dag owner. It seems the  filter_by_owner setting is not working.

Debug into the views.py --> class HomeView(AdminIndexView):
current_user.username always return "None". It seems we can't get username directly.

so , continue debug into the ldap_auth.py --> class LdapUser(models.User):
I added a method to return username   

 def get_username(self):
        return self.user.username

then back to view.py  , replace 'current_user.username' to 'current_user.get_username()' , the user filter can work now!

I don't know exactly why, but the modification can work...




> filter_by_owner is not working when use ldap authentication
> -----------------------------------------------------------
>
>                 Key: AIRFLOW-352
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-352
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: contrib, security, webserver
>    Affects Versions: Airflow 1.7.1.3
>         Environment: ubuntu 14.04 LTS ,  ldap without encryption 
>            Reporter: peter pang
>              Labels: security
>
> I set airflow.cfg as follows:
> {noformat}
> [webserver]
> filter_by_owner = True
> authenticate = TRUE
> auth_backend = airflow.contrib.auth.backends.ldap_auth
> [ldap]
> uri = ldap://xx.xx.xx.xx
> user_filter = objectClass=*
> user_name_attr = uid
> superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
> data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
> bind_user = cn=admin,dc=example,dc=com
> bind_password = secret
> basedn = dc=example,dc=com
> cacert = /etc/ca/ldap_ca.crt
> search_scope=SUBTREE
> {noformat}
> then I run the webUI , and I can login with superuser and data_profiler user. But after login with data profiler user, entered the data profiler user home view , there's no dags listed with the same dag owner. It seems the  filter_by_owner setting is not working.
> Debug into the views.py --> class HomeView(AdminIndexView):
> {color:red}current_user.username{color} always get{color:red} "None"{color}. It seems we can't get username directly.
> so , continue debug into the ldap_auth.py --> class LdapUser(models.User):
> I added a method to return username   
> {code}
>  def get_username(self):
>         return self.user.username
> {code}
> then back to view.py  , replace 'current_user.username' to {color:red}'current_user.get_username()'{color} , the user filter can work now!
> I don't know exactly why, but the modification can work...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)