Posted to commits@airflow.apache.org by "Id Agnostic (JIRA)" <ji...@apache.org> on 2017/07/19 08:46:00 UTC

[jira] [Created] (AIRFLOW-1427) AD groups are ignored in Airflow UI

Id Agnostic created AIRFLOW-1427:
------------------------------------

             Summary: AD groups are ignored in Airflow UI
                 Key: AIRFLOW-1427
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1427
             Project: Apache Airflow
          Issue Type: Bug
          Components: ui
    Affects Versions: 1.8.1
            Reporter: Id Agnostic


Airflow currently has 3 profile configurations available through airflow.cfg:
1. none
2. superusers (ldap/superuser_filter)
3. data_profiler (ldap/data_profiler_filter)

When enabling LDAP auth and assigning different profiles to different AD groups, these profiles are not enforced in the UI.

For example, having the following configuration:

[ldap]
...
user_filter = |(memberOf=CN=Group1,OU=Security Groups,OU=MANAGED OBJECTS,dc=corp,dc=mydc,dc=com)(memberOf=CN=Group2,OU=Security Groups,OU=MANAGED OBJECTS,dc=corp,dc=mydc,dc=com)
superuser_filter = memberOf=CN=Group1,OU=Security Groups,OU=MANAGED OBJECTS,dc=corp,dc=mydc,dc=com
data_profiler_filter = memberOf=CN=Group2,OU=Security Groups,OU=MANAGED OBJECTS,dc=corp,dc=mydc,dc=com
...

will cause users from both Group1 and Group2 to have the same limited UI access to the following menus: DAGS, Browse and Docs.

However, when using one filter at a time (either one of the superuser_filter or data_profiler_filter parameters) the functionality is as expected.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
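
Added example, not part of the original report and not Airflow's own code: a small evaluator that computes which of the three filters from the report each user should satisfy, giving a baseline to compare against what the UI actually grants. The users alice, bob and carol are constructed, and wrapping each bare filter value in parentheses before parsing is an assumption.

```python
# Added example, not Airflow code: which of the report's filters match each user.
BASE = "OU=Security Groups,OU=MANAGED OBJECTS,dc=corp,dc=mydc,dc=com"
G1, G2 = "CN=Group1," + BASE, "CN=Group2," + BASE
CFG = {  # values as written in the report's [ldap] section
    "user_filter": "|(memberOf=%s)(memberOf=%s)" % (G1, G2),
    "superuser_filter": "memberOf=" + G1,
    "data_profiler_filter": "memberOf=" + G2,
}
USERS = {  # constructed directory entries (hypothetical users)
    "alice": {"memberOf": [G1]},
    "bob": {"memberOf": [G2]},
    "carol": {"memberOf": ["CN=Other," + BASE]},
}

def parse(f, i=0):
    """Parse one parenthesised filter starting at f[i]; return (node, next index)."""
    if f[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or f[i:i + 1] != ")":
            raise ValueError("malformed '%s' group at offset %d" % (op, i))
        return (op, kids), i + 1
    end = f.find(")", i)
    attr, eq, value = f[i:max(end, i)].partition("=")
    if end < 0 or not eq:
        raise ValueError("malformed comparison at offset %d" % i)
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    if node[0] == "=":
        return node[2].lower() in [v.lower() for v in entry.get(node[1], [])]
    hits = [matches(kid, entry) for kid in node[1]]
    return {"&": all(hits), "|": any(hits), "!": not hits[0]}[node[0]]

def expected(entry):
    """Names of the configured filters this entry satisfies, sorted."""
    out = []
    for name, raw in sorted(CFG.items()):
        node, end = parse("(%s)" % raw)  # assumption: bare value gets wrapped
        if end != len(raw) + 2:
            raise ValueError("trailing text in %s" % name)
        if matches(node, entry):
            out.append(name)
    return out
```

Calling `expected(USERS["alice"])` and `expected(USERS["bob"])` should differ in exactly the superuser and data_profiler entries; a UI that treats both users identically contradicts that baseline.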