kaxil closed pull request #4006: [AIRFLOW-3164] Verify server certificate when connecting to LDAP URL: https://github.com/apache/incubator-airflow/pull/4006
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):
diff --git a/UPDATING.md b/UPDATING.md
index 541a394949..f4ac98bc83 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -87,6 +87,17 @@ configuration, so creating EMR clusters might fail until your connection is upda
 Ec2SubnetId, TerminationProtection and KeepJobFlowAliveWhenNoSteps were all top-level keys when they should be inside the "Instances" dict)
+### LDAP Auth Backend now requires TLS
+
+Connecting to an LDAP serever over plain text is not supported anymore. The
+certificate presented by the LDAP server must be signed by a trusted
+certificiate, or you must provide the `cacert` option under `[ldap]` in the
+config file.
+
+If you want to use LDAP auth backend without TLS then you will habe to create a
+custom-auth backend based on
+https://github.com/apache/incubator-airflow/blob/1.10.0/airflow/contrib/auth/backends/ldap_auth.py
+
 ## Airflow 1.10
 Installation and upgrading requires setting `SLUGIFY_USES_TEXT_UNIDECODE=yes` in your environment or
diff --git a/airflow/contrib/auth/backends/ldap_auth.py b/airflow/contrib/auth/backends/ldap_auth.py
index fefc389e48..587fc2be16 100644
--- a/airflow/contrib/auth/backends/ldap_auth.py
+++ b/airflow/contrib/auth/backends/ldap_auth.py
@@ -55,16 +55,18 @@ class LdapException(Exception):
 def get_ldap_connection(dn=None, password=None):
- tls_configuration = None
- use_ssl = False
 try:
 cacert = configuration.conf.get("ldap", "cacert")
- tls_configuration = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=cacert)
- use_ssl = True
- except Exception:
+ except AirflowConfigException:
 pass
- server = Server(configuration.conf.get("ldap", "uri"), use_ssl, tls_configuration)
+ tls_configuration = Tls(validate=ssl.CERT_REQUIRED,
+ ca_certs_file=cacert)
+
+ server = Server(configuration.conf.get("ldap", "uri"),
+ use_ssl=True,
+ tls=tls_configuration)
+
 conn = Connection(server, native(dn), native(password))
 if not conn.bind():
diff --git a/docs/security.rst b/docs/security.rst
index c14cd1c2c3..6502bb832c 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -66,8 +66,7 @@ LDAP
 ''''
 To turn on LDAP authentication configure your ``airflow.cfg`` as follows. Please note that the example uses
-an encrypted connection to the ldap server as you probably do not want passwords be readable on the network level.
-It is however possible to configure without encryption if you really want to.
+an encrypted connection to the ldap server as we do not want passwords be readable on the network level.
 Additionally, if you are using Active Directory, and are not explicitly specifying an OU that your users are in, you will need to change ``search_scope`` to "SUBTREE".
diff --git a/setup.py b/setup.py
index d093d4971f..172b2aac70 100644
--- a/setup.py
+++ b/setup.py
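Review bot: `cacert` can be unbound at the point where the new `Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=cacert)` call reads it: the handler `except AirflowConfigException: pass` leaves the name unassigned when `[ldap] cacert` is absent from the config, so a deployment relying on the "signed by a trusted certificate" path that UPDATING.md describes would hit an `UnboundLocalError` rather than get a TLS connection. Binding a default in the handler, `except AirflowConfigException:` / `cacert = None`, keeps `CERT_REQUIRED` in force while letting ldap3 fall back to the platform CA bundle for a `None` `ca_certs_file` — worth confirming against the `ldap3>=2.5.1` floor this PR pins in setup.py. Whether the shipped default airflow.cfg always sets `cacert` is not visible from this hunk, so the silent `pass` also deserves a one-line comment stating that the system trust store is the intended fallback. The body of get_ldap_connection continues past the end of the hunk.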
@@ -206,7 +206,7 @@ def write_version(filename=os.path.join(*['airflow',
 'snakebite[kerberos]>=2.7.8']
 kubernetes = ['kubernetes>=3.0.0', 'cryptography>=2.0.0']
-ldap = ['ldap3>=0.9.9.1']
+ldap = ['ldap3>=2.5.1']
 mssql = ['pymssql>=2.1.1']
 mysql = ['mysqlclient>=1.3.6']
 oracle = ['cx_Oracle>=5.1.2']
----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
