Yi Wei created AIRFLOW-3020:
-------------------------------
Summary: LDAP Authentication doesn't check whether a user belongs
to a group correctly
Key: AIRFLOW-3020
URL: https://issues.apache.org/jira/browse/AIRFLOW-3020
Project: Apache Airflow
Issue Type: Bug
Components: authentication
Affects Versions: 1.10.0, 1.9.0
Reporter: Yi Wei
Assignee: Yi Wei
According to Airflow documentation at
[https://airflow.apache.org/security.html#ldap,] to enable LDAP authentication,
we should write airflow.cfg like this:
[ldap]
uri = ldap://XXX.YYY.org
user_filter = objectClass=*
user_name_attr = sAMAccountName
superuser_filter = CN=XXX_Programmers
bind_user = user_on_ldap
bind_password = insecure
basedn =OU=Some,DC=other,DC=org
search_scope = SUBTREE
But after enabling LDAP authentication, I just cannot log in with a superuser
role. I double-checked my membership to the superuser groups and confirmed I
belong to the specified group in 'superuser_filter', still Airflow won't
recognize me as a superuser.
So, I checked airflow/contrib/auth/backends/ldap_auth.py, the
group_contains_user function doesn't work as I expected:
This line:
conn.search(native(search_base), native(search_filter),
attributes=[native(user_name_attr)])
it search the group and extracts the sAMAccountName attribute of the group,
then:
for entry in conn.entries:
if user_name in getattr(entry, user_name_attr).values:
return True
the code snippet will never return True, because how can user_name occur in
group_name anyway?
Not sure if this issue only occurs in my company, please correct me if you have
any suggestion.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
