Repository: incubator-airflow Updated Branches: refs/heads/master 177d34157 -> 6b1c327ee
[AIRFLOW-1095] Make ldap_auth memberOf come from configuration
If the key ldap/group_member_attr is set in the airflow.cfg, this value is used to lookup groups for the user.
Closes #2232 from vfoucault/fixbug/ldap_auth
Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/6b1c327e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/6b1c327e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/6b1c327e
Branch: refs/heads/master
Commit: 6b1c327ee886488eedbe8a8721708b89f37d5560
Parents: 177d341
Author: Vianney Foucault <[email protected]>
Authored: Mon Apr 10 11:08:04 2017 -0700
Committer: Chris Riccomini <[email protected]>
Committed: Mon Apr 10 11:08:16 2017 -0700
----------------------------------------------------------------------
airflow/config_templates/default_airflow.cfg | 12 ++++++++++++
airflow/contrib/auth/backends/ldap_auth.py | 14 +++++++++-----
docs/security.rst | 10 ++++++++--
3 files changed, 29 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/6b1c327e/airflow/config_templates/default_airflow.cfg
----------------------------------------------------------------------
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index b28256a..2b5fb5d 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -332,6 +332,18 @@ max_threads = 2
 authenticate = False
+[ldap]
+uri = ldaps://<your.ldap.server>:<port>
+user_filter = objectClass=*
+user_name_attr = uid
+group_member_attr = memberOf
+superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
+data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
+bind_user = cn=Manager,dc=example,dc=com
+bind_password = insecure
+basedn = dc=example,dc=com
+cacert = /etc/ca/ldap_ca.crt
+search_scope = LEVEL
 [mesos]
 # Mesos master address which MesosExecutor will connect to.
http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/6b1c327e/airflow/contrib/auth/backends/ldap_auth.py
----------------------------------------------------------------------
diff --git a/airflow/contrib/auth/backends/ldap_auth.py b/airflow/contrib/auth/backends/ldap_auth.py
index 0e066e2..341f710 100644
--- a/airflow/contrib/auth/backends/ldap_auth.py
+++ b/airflow/contrib/auth/backends/ldap_auth.py
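Review bot: The new `[ldap]` section ships a live-looking bind credential, `bind_user = cn=Manager,dc=example,dc=com` / `bind_password = insecure`, in the default template; if this file is what a fresh install renders into airflow.cfg (the config_templates path suggests so), an operator who switches on the LDAP backend without editing it gets a bind attempt with a published password instead of a loud configuration error. Prefer leaving `bind_user` and `bind_password` empty, or commenting the whole section out, so that a missing value fails at startup, and replace the site-specific `OU=Groups,OU=RWC,OU=US,OU=NORAM` in the two filters with a generic `OU=Groups,DC=example,DC=com`. A comment such as `# must name the same attribute that superuser_filter and data_profiler_filter match on` above `group_member_attr` would keep the three settings consistent.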
@@ -89,18 +89,22 @@ def group_contains_user(conn, search_base, group_filter, user_name_attr, usernam
 def groups_user(conn, search_base, user_filter, user_name_att, username):
 search_filter = "(&({0})({1}={2}))".format(user_filter, user_name_att, username)
- res = conn.search(native(search_base), native(search_filter), attributes=[native("memberOf")])
+ try:
+ memberof_attr = configuration.get("ldap", "group_member_attr")
+ except:
+ memberof_attr = "memberOf"
+ res = conn.search(native(search_base), native(search_filter), attributes=[native(memberof_attr)])
 if not res:
 LOG.info("Cannot find user %s", username)
 raise AuthenticationError("Invalid username or password")
- if conn.response and "memberOf" not in conn.response[0]["attributes"]:
- LOG.warning("""Missing attribute "memberOf" when looked-up in Ldap database.
+ if conn.response and memberof_attr not in conn.response[0]["attributes"]:
+ LOG.warning("""Missing attribute "%s" when looked-up in Ldap database.
 The user does not seem to be a member of a group and therefore won't see any dag
- if the option filter_by_owner=True and owner_mode=ldapgroup are set""")
+ if the option filter_by_owner=True and owner_mode=ldapgroup are set""", memberof_attr)
 return []
- user_groups = conn.response[0]["attributes"]["memberOf"]
+ user_groups = conn.response[0]["attributes"][memberof_attr]
 regex = re.compile("cn=([^,]*).*", re.IGNORECASE)
 groups_list = []
http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/6b1c327e/docs/security.rst
----------------------------------------------------------------------
diff --git a/docs/security.rst b/docs/security.rst
index c0e2918..ada34a2 100644
--- a/docs/security.rst
+++ b/docs/security.rst
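Review bot: The bare `except:` wrapped around `configuration.get("ldap", "group_member_attr")` catches everything, including SystemExit and KeyboardInterrupt, and it also turns a real configuration failure (an unreadable or malformed airflow.cfg) into a silent fall-back to `memberOf`; narrow it to the exception the configuration module raises for a missing option, which I believe is `AirflowConfigException`, or drop the try and write `memberof_attr = configuration.get("ldap", "group_member_attr") if configuration.has_option("ldap", "group_member_attr") else "memberOf"`. A short comment on the fallback would also help, e.g. `# memberOf is the common default (Active Directory, OpenLDAP memberof overlay); override via ldap/group_member_attr`. The attribute name is operator-controlled configuration, so passing it through `attributes=[native(memberof_attr)]` is fine, but the unchanged context line above still formats `username` into `search_filter` with no escaping (ldap3 provides `escape_filter_chars` for this); that predates this commit and deserves its own fix. groups_user's body continues past the end of the hunk.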
@@ -72,6 +72,11 @@ Valid search_scope options can be found in the `ldap3 Documentation <http://ldap
 user_filter = objectClass=*
 # in case of Active Directory you would use: user_name_attr = sAMAccountName
 user_name_attr = uid
+ # group_member_attr should be set accordingly with *_filter
+ # eg :
+ # group_member_attr = groupMembership
+ # superuser_filter = groupMembership=CN=airflow-super-users...
+ group_member_attr = memberOf
 superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
 data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
 bind_user = cn=Manager,dc=example,dc=com
@@ -101,7 +106,7 @@ Multi-tenancy
 -------------
 You can filter the list of dags in webserver by owner name when authentication
-is turned on by setting ``webserver:filter_by_owner`` in your config. With this, a user will see
+is turned on by setting ``webserver:filter_by_owner`` in your config. With this, a user will see
 only the dags which it is owner of, unless it is a superuser.
 .. code-block:: bash
@@ -287,6 +292,7 @@ backend. In order to setup an application:
 1. Navigate to https://console.developers.google.com/apis/
 2. Select 'Credentials' from the left hand nav
+2. Select 'Credentials' from the left hand nav
 3. Click 'Create credentials' and choose 'OAuth client ID'
 4. Choose 'Web application'
 5. Fill in the required information (the 'Authorized redirect URIs' must be fully qualifed e.g. http://airflow.example.com/oauth2callback)
@@ -338,7 +344,7 @@ log to will have permissions changed such that only the unix user can write to i
 Default Impersonation
 '''''''''''''''''''''
 To prevent tasks that don't use impersonation to be run with `sudo` privileges, you can set the
-``core:default_impersonation`` config which sets a default user impersonate if `run_as_user` is
+``core:default_impersonation`` config which sets a default user impersonate if `run_as_user` is
 not set.
 .. code-block:: bash
