Repository: incubator-airflow Updated Branches: refs/heads/v1-9-test e021c9d0a -> 27068450a
[AIRFLOW-1743] Verify ldap filters correctly
The superuser and data profiler filter where set by default in the config template and could not be unset.
Closes #2712 from bolkedebruin/AIRFLOW-1743
(cherry picked from commit 16899a95b5cf08d1053892c532f4b494b2f7d0cc)
Signed-off-by: Bolke de Bruin <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/27068450
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/27068450
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/27068450
Branch: refs/heads/v1-9-test
Commit: 27068450ab8d191c98ab087fb1ed816af6be908a
Parents: e021c9d
Author: Bolke de Bruin <[email protected]>
Authored: Sat Oct 21 14:21:54 2017 +0200
Committer: Bolke de Bruin <[email protected]>
Committed: Sat Oct 21 14:22:11 2017 +0200
----------------------------------------------------------------------
airflow/config_templates/default_airflow.cfg | 7 ++--
airflow/contrib/auth/backends/ldap_auth.py | 42 ++++++++++++++++-------
2 files changed, 34 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/27068450/airflow/config_templates/default_airflow.cfg
----------------------------------------------------------------------
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index b051583..0fa06d0 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -359,12 +359,13 @@ max_threads = 2
 authenticate = False
 
 [ldap]
-uri = ldaps://<your.ldap.server>:<port>
+# set this to ldaps://<your.ldap.server>:<port>
+uri =
 user_filter = objectClass=*
 user_name_attr = uid
 group_member_attr = memberOf
-superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
-data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
+superuser_filter =
+data_profiler_filter =
 bind_user = cn=Manager,dc=example,dc=com
 bind_password = insecure
 basedn = dc=example,dc=com
http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/27068450/airflow/contrib/auth/backends/ldap_auth.py
----------------------------------------------------------------------
diff --git a/airflow/contrib/auth/backends/ldap_auth.py b/airflow/contrib/auth/backends/ldap_auth.py
index b056851..df29de3 100644
--- a/airflow/contrib/auth/backends/ldap_auth.py
+++ b/airflow/contrib/auth/backends/ldap_auth.py
@@ -93,7 +93,8 @@ def groups_user(conn, search_base, user_filter, user_name_att, username):
 memberof_attr = configuration.get("ldap", "group_member_attr")
 except:
 memberof_attr = "memberOf"
- res = conn.search(native(search_base), native(search_filter), attributes=[native(memberof_attr)])
+ res = conn.search(native(search_base), native(search_filter),
+ attributes=[native(memberof_attr)])
 if not res:
 log.info("Cannot find user %s", username)
 raise AuthenticationError("Invalid username or password")
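Review bot: The new empty defaults `superuser_filter =` and `data_profiler_filter =` carry a consequence the template does not state: in the `ldap_auth.py` change of this same commit an empty filter makes every authenticated LDAP user a superuser and data profiler, so a deployment that copies the template without filling the filters grants full rights to anyone who can bind. A comment above the two keys would make that explicit, e.g. `# leave empty to grant the role to EVERY authenticated user; restrict it with a filter such as` followed by the former example `# memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com` kept as a commented line. The `bind_password = insecure` placeholder a few lines below is untouched by this commit but sits in the same block and would benefit from a similar "replace before use" comment.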
@@ -101,7 +102,8 @@ def groups_user(conn, search_base, user_filter, user_name_att, username):
 if conn.response and memberof_attr not in conn.response[0]["attributes"]:
 log.warning("""Missing attribute "%s" when looked-up in Ldap database.
 The user does not seem to be a member of a group and therefore won't see any dag
- if the option filter_by_owner=True and owner_mode=ldapgroup are set""", memberof_attr)
+ if the option filter_by_owner=True and owner_mode=ldapgroup are set""",
+ memberof_attr)
 return []
 
 user_groups = conn.response[0]["attributes"][memberof_attr]
@@ -126,25 +128,41 @@ class LdapUser(models.User):
 # Load and cache superuser and data_profiler settings.
 conn = get_ldap_connection(configuration.get("ldap", "bind_user"),
 configuration.get("ldap", "bind_password"))
+
+ superuser_filter = None
+ data_profiler_filter = None
 try:
+ superuser_filter = configuration.get("ldap", "superuser_filter")
+ except AirflowConfigException:
+ pass
+
+ if not superuser_filter:
+ self.superuser = True
+ log.debug("Missing configuration for superuser settings or empty. Skipping.")
+ else:
 self.superuser = group_contains_user(conn,
 configuration.get("ldap", "basedn"),
- configuration.get("ldap", "superuser_filter"),
- configuration.get("ldap", "user_name_attr"),
+ superuser_filter,
+ configuration.get("ldap",
+ "user_name_attr"),
 user.username)
- except AirflowConfigException:
- self.superuser = True
- log.debug("Missing configuration for superuser settings. Skipping.")
 
 try:
+ data_profiler_filter = configuration.get("ldap", "data_profiler_filter")
+ except AirflowConfigException:
+ pass
+
+ if not data_profiler_filter:
+ self.data_profiler = True
+ log.debug("Missing configuration for data profiler settings or empty. "
+ "Skipping.")
+ else:
 self.data_profiler = group_contains_user(conn,
 configuration.get("ldap", "basedn"),
- configuration.get("ldap", "data_profiler_filter"),
- configuration.get("ldap", "user_name_attr"),
+ data_profiler_filter,
+ configuration.get("ldap",
+ "user_name_attr"),
 user.username)
- except AirflowConfigException:
- self.data_profiler = True
- log.debug("Missing configuration for dataprofiler settings. Skipping")
 
 # Load the ldap group(s) a user belongs to
 try:
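Review bot: The new `if not superuser_filter:` and `if not data_profiler_filter:` branches fail open: a missing or empty filter sets `self.superuser = True` / `self.data_profiler = True` for every user who authenticates, and since the template in this same commit now ships both filters empty, that is the out-of-the-box state rather than an edge case. Recording that decision at `log.debug` means a default installation never shows it; it should be at least `log.warning("superuser_filter is not set; every authenticated LDAP user is treated as superuser")`, and the same for the data-profiler branch, so the grant is visible in default logging and in an audit of the webserver log. The two blocks are otherwise identical apart from the option name and the attribute they set, and could share one small helper to keep the fail-open rule in a single place. The enclosing method (presumably `__init__`, given the `self` and `user.username` references) starts and ends outside the hunk.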
