Destiny created AIRFLOW-5019:
--------------------------------

             Summary: Group membership retrieval failure based on memberOf virtual attribute
                 Key: AIRFLOW-5019
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-5019
             Project: Apache Airflow
          Issue Type: Bug
          Components: security
    Affects Versions: 1.10.3
            Reporter: Destiny


We have configured Okta LDAP authentication for Apache Airflow. User 
successfully authenticates with Okta but user's group membership retrieval 
fails.

Below are the LDAP Configs we are using:


[ldap]
# set this to ldaps://<your.ldap.server>:<port>
uri = ldaps://[subdomain].ldap.oktapreview.com
user_filter = objectClass=*
user_name_attr = uid
group_member_attr = memberOf
superuser_filter = memberOf=cn=Everyone,ou=groups,dc=[subdomain],dc=oktapreview,dc=com
data_profiler_filter =
bind_user = [username]
bind_password = [password]
basedn = ou=users,dc=[subdomain],dc=oktapreview,dc=com
cacert = [path/to/cert]
search_scope = LEVEL

Below are the error logs we are seeing in airflow:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 2317, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1840, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1743, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.6/site-packages/flask/_compat.py", line 36, in reraise
    raise value
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1838, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1824, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/local/lib/python3.6/site-packages/flask_admin/base.py", line 69, in inner
    return self._run_view(f, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/flask_admin/base.py", line 368, in _run_view
    return fn(self, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/airflow/www/views.py", line 731, in login
    return airflow.login.login(self, request)
  File "/usr/local/lib/python3.6/site-packages/airflow/utils/db.py", line 73, in wrapper
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/airflow/contrib/auth/backends/ldap_auth.py", line 322, in login
    flask_login.login_user(LdapUser(user))
  File "<string>", line 4, in __init__
  File "/usr/local/lib64/python3.6/site-packages/sqlalchemy/orm/state.py", line 428, in _initialize_instance
    manager.dispatch.init_failure(self, args, kwargs)
  File "/usr/local/lib64/python3.6/site-packages/sqlalchemy/util/langhelpers.py", line 67, in __exit__
    compat.reraise(exc_type, exc_value, exc_tb)
  File "/usr/local/lib64/python3.6/site-packages/sqlalchemy/util/compat.py", line 277, in reraise
    raise value
  File "/usr/local/lib64/python3.6/site-packages/sqlalchemy/orm/state.py", line 425, in _initialize_instance
    return manager.original_init(*mixed[1:], **kwargs)
  File "/usr/local/lib/python3.6/site-packages/airflow/contrib/auth/backends/ldap_auth.py", line 160, in __init__
    user.username)
  File "/usr/local/lib/python3.6/site-packages/airflow/contrib/auth/backends/ldap_auth.py", line 91, in group_contains_user
    attributes=[native(user_name_attr)]):
  File "/usr/local/lib/python3.6/site-packages/ldap3/core/connection.py", line 785, in search
    check_names=self.check_names)
  File "/usr/local/lib/python3.6/site-packages/ldap3/operation/search.py", line 372, in search_operation
    request['filter'] = compile_filter(parse_filter(search_filter, schema, auto_escape, auto_encode, validator, check_names).elements[0])  # parse the searchFilter string and compile it starting from the root node
  File "/usr/local/lib/python3.6/site-packages/ldap3/operation/search.py", line 206, in parse_filter
    current_node.append(evaluate_match(search_filter[start_pos:end_pos], schema, auto_escape, auto_encode, validator, check_names))
  File "/usr/local/lib/python3.6/site-packages/ldap3/operation/search.py", line 166, in evaluate_match
    assertion = {'attr': left_part, 'value': validate_assertion_value(schema, left_part, right_part, auto_escape, auto_encode, validator, check_names)}
  File "/usr/local/lib/python3.6/site-packages/ldap3/protocol/convert.py", line 146, in validate_assertion_value
    value = validate_attribute_value(schema, name, value, auto_encode, validator=validator, check_names=check_names)
  File "/usr/local/lib/python3.6/site-packages/ldap3/protocol/convert.py", line 162, in validate_attribute_value
    raise LDAPAttributeError('invalid attribute ' + name)
ldap3.core.exceptions.LDAPAttributeError: invalid attribute memberOf
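Added here as a diagnostic illustration, not code from the ticket or from Airflow: a pure-Python model of the schema check that ldap3 performs with check_names=True, applied to the superuser_filter from the configuration above. The sample schema set and the '(&(<filter>))' wrapping of the configured filter are assumptions.

```python
import re
from typing import Iterable, Set

# Constructed sample of the attribute types a directory advertises in its
# subschema. It stands in for an Okta LDAP interface where memberOf is a
# virtual attribute (returned on entries, never declared in the schema);
# it is not a real schema dump.
SAMPLE_SCHEMA_ATTRIBUTES = {
    "objectClass", "uid", "cn", "sn", "givenName", "mail", "uniqueMember",
}

# A filter item (RFC 4515) opens with "(" followed by the attribute name and
# one of =, >=, <= or ~=. Only the name before the operator is captured; the
# value (which may itself contain "=" when it is a DN) is never parsed.
_ASSERTION = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9.;-]*)\s*(?:[><~]?=)")

def filter_attributes(search_filter: str) -> Set[str]:
    """Attribute names asserted anywhere in an LDAP search filter string."""
    return {m.group(1) for m in _ASSERTION.finditer(search_filter)}

def undeclared_attributes(search_filter: str,
                          schema_attributes: Iterable[str]) -> Set[str]:
    """Asserted names the schema does not declare (names compare case-insensitively).

    This is the check ldap3 applies with check_names=True: every asserted
    attribute is looked up in the schema fetched from the server, and an
    unknown one raises LDAPAttributeError before any request goes out.
    """
    known = {name.lower() for name in schema_attributes}
    return {name for name in filter_attributes(search_filter)
            if name.lower() not in known}

def group_check_filter(group_filter: str) -> str:
    """Wrap a configured [ldap] filter as '(&(<filter>))', which is how the
    group lookup in the traceback is assumed to build its search filter."""
    return "(&({0}))".format(group_filter)

def search_would_fail(search_filter: str, schema_attributes: Iterable[str],
                      check_names: bool = True) -> Set[str]:
    """Names that would abort the search locally; empty if it would be sent.

    With check_names=False ldap3 skips schema validation and lets the server
    evaluate the filter, which is how a virtual attribute gets through.
    """
    if not check_names:
        return set()
    return undeclared_attributes(search_filter, schema_attributes)
```

Feeding `undeclared_attributes` the names the server really advertises (ldap3 exposes them as `server.schema.attribute_types` after connecting with `get_info=ALL`) shows ahead of time which configured filters the client-side check will reject.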

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
