potiuk commented on pull request #18670: URL: https://github.com/apache/airflow/pull/18670#issuecomment-934234962
> > but being able to access Airflow is not determined by belonging to a certain LDAP group - but by presence of the user entry in Airflow DB)
>
> That is not the case. If the user is not found in LDAP the DB is tried.
>
> https://github.com/apache/airflow/blob/866a601b76e219b3c043e1dbbc8fb22300866351/airflow/api/auth/backend/basic_auth.py#L43-L47
>
> This means that (when that API backend is in use) I can create a user only in the Airflow DB and authenticate to the API with it.

I see there is a fallback, but seems those are two different cases. The case I mentioned (and one that would work as I expected) is that the user also exists in LDAP (At least that was what I understand from what user experience was).

For me it looks like the right behaviour to allow the case I described and do not allow LDAP_DB_AUTH (which is indeed the fallback case) would be to only allow to create user in the DB if it also exists in LDAP. That would nicely:

* handle the case when you do not want to turn self-registration on
* will not allow to create users if they are not-existing in LDAP
* will keep central authentication in LDAP while also allow to configure authorization in Airflow.
