[
https://issues.apache.org/jira/browse/AIRFLOW-4770?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Christopher Carney updated AIRFLOW-4770:
----------------------------------------
Component/s: (was: security)
> Group Filter doesn't work on LDAP Integration for AD with large groups
> ----------------------------------------------------------------------
>
> Key: AIRFLOW-4770
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4770
> Project: Apache Airflow
> Issue Type: Bug
> Components: authentication
> Affects Versions: 1.10.3
> Reporter: Christopher Carney
> Priority: Major
>
> It seems as though group_filter under [ldap] in configuration isn't being
> used properly by the search filter and is creating unnecessary work for the
> webserver. As per documentation
> ([https://airflow.apache.org/security.html#ldap]):
> user_name_attr = sAMAccountName
> group_member_attr = memberOf
> superuser_filter =
> memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
> Currently I am following this structure. Method groups_user in ldap_auth.py
> correctly fetches all the groups a user belongs to by using this search
> filter:
> search_filter = "(&({0})({1}={2}))".format(user_filter, user_name_attr,
> username)
>
> superuser_filter from airflow.cfg is used in method group_contains_user which
> looks like it should be using the same filter style, however, uses this style
> instead:
> search_filter = '(&({0}))'.format(group_filter)
> This search filter isn't working for AD authentication *because for large
> LDAP groups (enterprise sized) the AD server isn't returning all users*. By
> manually changing the search filter to include user_name_attr and username (as
> per groups_user):
> search_filter = "(&({0})({1}={2}))".format(group_filter, user_name_attr,
> username)
> The method is more efficiently allowing the LDAP server to do the querying.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
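
The two filter styles quoted in the issue, compared as an added example (not code from the issue or from Airflow's ldap_auth.py). It runs them against a constructed in-memory directory; the toy `search` function, the `SIZE_LIMIT` cap, the shortened group DN and the user names are assumptions made for illustration, and the RFC 4515 escaping of the username is an addition not present in the quoted snippets.

```python
import re

SIZE_LIMIT = 1000  # assumed cap on entries the server returns per search
GROUP_DN = "CN=airflow-super-users,OU=Groups,DC=example,DC=com"  # constructed
GROUP_FILTER = "memberOf=" + GROUP_DN
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def broad_filter(group_filter):
    """Filter style the issue reports in group_contains_user."""
    return "(&({0}))".format(group_filter)

def targeted_filter(group_filter, user_name_attr, username):
    """Filter style the issue proposes; username escaping is added here."""
    return "(&({0})({1}={2}))".format(
        group_filter, user_name_attr, escape_filter_value(username))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(directory, ldap_filter):
    """Toy server: AND of attr=value equality tests, truncated at SIZE_LIMIT."""
    terms = [(a, _unescape(v))
             for a, v in re.findall(r"\(([^()=]+)=([^()]*)\)", ldap_filter)]
    hits = [e for e in directory
            if all(v in e.get(a, []) for a, v in terms)]
    return hits[:SIZE_LIMIT]

def make_directory(n_members=1500):
    """Constructed data: n_members users in GROUP_DN, with 'zed' listed last."""
    names = ["user%04d" % i for i in range(n_members - 1)] + ["zed"]
    return [{"sAMAccountName": [n], "memberOf": [GROUP_DN]} for n in names]

def contains_user_broad(directory, username):
    """Fetch the group's members, then look for the user client-side."""
    entries = search(directory, broad_filter(GROUP_FILTER))
    return any(username in e["sAMAccountName"] for e in entries)

def contains_user_targeted(directory, username):
    """Let the server match group and user together."""
    f = targeted_filter(GROUP_FILTER, "sAMAccountName", username)
    return len(search(directory, f)) > 0

if __name__ == "__main__":
    d = make_directory()
    print(contains_user_broad(d, "zed"), contains_user_targeted(d, "zed"))
```

With 1500 constructed members and the assumed cap of 1000, the broad filter misses a member who falls beyond the cap, while the targeted filter returns that one entry regardless of group size.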