Posted to commits@airflow.apache.org by "Paul Greenberg (JIRA)" <ji...@apache.org> on 2019/07/18 03:54:00 UTC
[jira] [Comment Edited] (AIRFLOW-4987) ldap backend KeyError: 'attributes'
[ https://issues.apache.org/jira/browse/AIRFLOW-4987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16887583#comment-16887583 ]
Paul Greenberg edited comment on AIRFLOW-4987 at 7/18/19 3:53 AM:
------------------------------------------------------------------
I tried solving this by returning an empty array.
{code:java}
if conn.response:
    if "attributes" not in conn.response[0]:
        log.warning("""Ldap database did not return attributes,
        but returned "%s" instead, search_filter="%s".""",
                    conn.response, search_filter)
        raise AuthenticationError("Ldap Server Error")
if conn.response and memberof_attr not in conn.response[0]["attributes"]:
    log.warning("""Missing attribute "%s" when looked-up in Ldap database.
    The user does not seem to be a member of a group and therefore won't see any dag
    if the option filter_by_owner=True and owner_mode=ldapgroup are set""",
                memberof_attr)
    return []
{code}
However, when I returned `[]`, the airflow webserver granted me access without authentication.
was (Author: greenpau):
I tried solving this by returning an empty array.
{code:java}
if conn.response:
    if "attributes" not in conn.response[0]:
        log.warning("""Ldap database did not return attributes,
        but returned "%s" instead, search_filter="%s".""",
                    conn.response, search_filter)
        return []
if conn.response and memberof_attr not in conn.response[0]["attributes"]:
    log.warning("""Missing attribute "%s" when looked-up in Ldap database.
    The user does not seem to be a member of a group and therefore won't see any dag
    if the option filter_by_owner=True and owner_mode=ldapgroup are set""",
                memberof_attr)
    return []
{code}
However, when I returned `[]`, the airflow webserver granted me access without authentication.
> ldap backend KeyError: 'attributes'
> -----------------------------------
>
> Key: AIRFLOW-4987
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4987
> Project: Apache Airflow
> Issue Type: Bug
> Components: authentication
> Affects Versions: 1.10.3
> Reporter: Paul Greenberg
> Priority: Major
>
> Prior to using LDAP, I used a local account `myadmin`.
> When I switched to LDAP auth and browse to the login page (non-authenticated), `myadmin` is being checked against LDAP. It obviously fails ... however, it does so in a weird way.
> {code}
> Consider the following search filter. The `myadmin` user does not exist in the LDAP directory on the server (here Microsoft Active Directory AD).
> ```
> '(&(objectClass=*)(sAMAccountName=myadmin))'
> ```
> The server will respond. It will not return `None`. The following code will not be triggered.
> ```python
> if not res:
>     log.info("Cannot find user %s", username)
>     raise AuthenticationError("Invalid username or password")
> ```
> Instead, the server responds with the following object:
> ```
> [{'type': 'searchResRef',
> 'uri': [u'ldaps://DomainDnsZones.EXAMPLE.ORG/DC=DomainDnsZones,DC=EXAMPLE,DC=ORG']},
> {'type': 'searchResRef',
> 'uri': [u'ldaps://ForestDnsZones.EXAMPLE.ORG/DC=ForestDnsZones,DC=EXAMPLE,DC=ORG']},
> {'type': 'searchResRef',
> 'uri': [u'ldaps://EXAMPLE.ORG/CN=Configuration,DC=EXAMPLE,DC=ORG']}]
> ```
> At the point below, the code raises a `KeyError: 'attributes'` exception, because `attributes` is not in the first dictionary of the array:
> https://github.com/apache/airflow/blob/master/airflow/contrib/auth/backends/ldap_auth.py#L111-L118
> ```
> if conn.response and memberof_attr not in conn.response[0]["attributes"]:
>     log.warning("""Missing attribute "%s" when looked-up in Ldap database.
>     The user does not seem to be a member of a group and therefore won't see any dag
>     if the option filter_by_owner=True and owner_mode=ldapgroup are set""",
>                 memberof_attr)
>     return []
> ```
> {code}
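Added example, not part of the original message and not Airflow's own code: one way to handle the referral-only response shown above is to filter the ldap3 response down to `searchResEntry` items and fail closed when none remain, so that "no such user" raises while `[]` only ever means "user found, no groups". The helper names, the local `AuthenticationError` stand-in and the sample group DN are assumptions made for illustration.

```python
class AuthenticationError(Exception):
    """Stand-in for the backend's exception class (assumption)."""


def search_entries(response):
    """Keep real directory entries; drop referrals (type 'searchResRef')."""
    return [
        item for item in (response or [])
        if item.get("type") == "searchResEntry" and "attributes" in item
    ]


def groups_for_user(response, memberof_attr="memberOf"):
    """Return the user's group DNs, or raise if no single user entry exists.

    Indexing response[0] is unsafe: Active Directory may return only
    referrals, or referrals mixed with the entry in any position.
    """
    entries = search_entries(response)
    if not entries:
        # Fail closed: a referral-only answer means the user was not found.
        raise AuthenticationError("Invalid username or password")
    if len(entries) > 1:
        raise AuthenticationError("Ambiguous LDAP match")
    value = entries[0]["attributes"].get(memberof_attr, [])
    return [value] if isinstance(value, str) else list(value)


# Constructed sample: referral-only response, shaped like the one in the report.
REFERRALS_ONLY = [
    {"type": "searchResRef",
     "uri": ["ldaps://DomainDnsZones.EXAMPLE.ORG/DC=DomainDnsZones,DC=EXAMPLE,DC=ORG"]},
    {"type": "searchResRef",
     "uri": ["ldaps://EXAMPLE.ORG/CN=Configuration,DC=EXAMPLE,DC=ORG"]},
]

# Constructed sample: a referral ahead of one real entry (group DN is made up).
MIXED = [
    REFERRALS_ONLY[0],
    {"type": "searchResEntry",
     "dn": "CN=jsmith,DC=EXAMPLE,DC=ORG",
     "attributes": {"memberOf": ["CN=airflow-users,DC=EXAMPLE,DC=ORG"]}},
]

# Constructed sample: the user exists but carries no group attribute.
NO_GROUPS = [{"type": "searchResEntry", "dn": "CN=jdoe,DC=EXAMPLE,DC=ORG",
              "attributes": {}}]
```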