[ https://issues.apache.org/jira/browse/AIRFLOW-3164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16681464#comment-16681464 ]
ASF GitHub Bot commented on AIRFLOW-3164:
-----------------------------------------
kaxil closed pull request #4006: [AIRFLOW-3164] Verify server certificate when
connecting to LDAP
URL: https://github.com/apache/incubator-airflow/pull/4006
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/UPDATING.md b/UPDATING.md
index 541a394949..f4ac98bc83 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -87,6 +87,17 @@ configuration, so creating EMR clusters might fail until
your connection is upda
Ec2SubnetId, TerminationProtection and KeepJobFlowAliveWhenNoSteps were all
top-level keys when they
should be inside the "Instances" dict)
+### LDAP Auth Backend now requires TLS
+
+Connecting to an LDAP serever over plain text is not supported anymore. The
+certificate presented by the LDAP server must be signed by a trusted
+certificiate, or you must provide the `cacert` option under `[ldap]` in the
+config file.
+
+If you want to use LDAP auth backend without TLS then you will habe to create a
+custom-auth backend based on
+https://github.com/apache/incubator-airflow/blob/1.10.0/airflow/contrib/auth/backends/ldap_auth.py
+
## Airflow 1.10
Installation and upgrading requires setting `SLUGIFY_USES_TEXT_UNIDECODE=yes`
in your environment or
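Review bot: the new UPDATING.md section has three typos in the added lines ("serever", "certificiate", "habe"), and "signed by a trusted certificiate" should read "signed by a trusted certificate authority" since what the client checks is the issuing CA, not another leaf certificate. It would also help upgraders to state here that the backend now connects with implicit TLS (LDAPS), so an existing `uri` such as ldap://host:389 must be changed to the LDAPS port, and that the ldap extra's minimum version is raised in the same change.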
diff --git a/airflow/contrib/auth/backends/ldap_auth.py
b/airflow/contrib/auth/backends/ldap_auth.py
index fefc389e48..587fc2be16 100644
--- a/airflow/contrib/auth/backends/ldap_auth.py
+++ b/airflow/contrib/auth/backends/ldap_auth.py
@@ -55,16 +55,18 @@ class LdapException(Exception):
def get_ldap_connection(dn=None, password=None):
- tls_configuration = None
- use_ssl = False
try:
cacert = configuration.conf.get("ldap", "cacert")
- tls_configuration = Tls(validate=ssl.CERT_REQUIRED,
ca_certs_file=cacert)
- use_ssl = True
- except Exception:
+ except AirflowConfigException:
pass
- server = Server(configuration.conf.get("ldap", "uri"), use_ssl,
tls_configuration)
+ tls_configuration = Tls(validate=ssl.CERT_REQUIRED,
+ ca_certs_file=cacert)
+
+ server = Server(configuration.conf.get("ldap", "uri"),
+ use_ssl=True,
+ tls=tls_configuration)
+
conn = Connection(server, native(dn), native(password))
if not conn.bind():
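Review bot: `cacert` is unbound when the `[ldap] cacert` option is absent: the `except AirflowConfigException: pass` swallows the lookup failure, and the following `Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=cacert)` then raises UnboundLocalError instead of falling back to the system trust store, which is the behaviour UPDATING.md promises ("or you must provide the `cacert` option"). Initialise it before the try, e.g. `cacert = None`, so that `ca_certs_file=None` leaves ldap3 to use the default CA bundle while `validate=ssl.CERT_REQUIRED` still enforces verification. Also note that `use_ssl=True` means implicit TLS on connect rather than StartTLS, so a `uri` that points at the plain LDAP port will now fail at connect time; that should be spelled out in the docs and UPDATING.md.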
diff --git a/docs/security.rst b/docs/security.rst
index c14cd1c2c3..6502bb832c 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -66,8 +66,7 @@ LDAP
''''
To turn on LDAP authentication configure your ``airflow.cfg`` as follows.
Please note that the example uses
-an encrypted connection to the ldap server as you probably do not want
passwords be readable on the network level.
-It is however possible to configure without encryption if you really want to.
+an encrypted connection to the ldap server as we do not want passwords be
readable on the network level.
Additionally, if you are using Active Directory, and are not explicitly
specifying an OU that your users are in,
you will need to change ``search_scope`` to "SUBTREE".
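Review bot: the rewritten sentence drops a word: "as we do not want passwords be readable" should be "as we do not want passwords to be readable on the network level". More importantly, "the example uses an encrypted connection" still reads as if encryption were a choice of the example; since this change makes TLS mandatory in `get_ldap_connection`, the docs should say plainly that the LDAP backend now requires TLS and that `cacert` is only needed when the server certificate is not signed by a CA in the system trust store.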
diff --git a/setup.py b/setup.py
index d093d4971f..172b2aac70 100644
--- a/setup.py
+++ b/setup.py
@@ -206,7 +206,7 @@ def write_version(filename=os.path.join(*['airflow',
'snakebite[kerberos]>=2.7.8']
kubernetes = ['kubernetes>=3.0.0',
'cryptography>=2.0.0']
-ldap = ['ldap3>=0.9.9.1']
+ldap = ['ldap3>=2.5.1']
mssql = ['pymssql>=2.1.1']
mysql = ['mysqlclient>=1.3.6']
oracle = ['cx_Oracle>=5.1.2']
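Review bot: raising the `ldap` extra from `ldap3>=0.9.9.1` to `ldap3>=2.5.1` is a large jump that is not explained in the PR description or in UPDATING.md; a one-line note on why 2.5.1 is the floor (the `Tls`/`Server` keyword arguments used in `ldap_auth.py`) and a mention in the UPDATING.md section that users must reinstall the `ldap` extra would make the change self-documenting.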
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> verify certificate of LDAP server
> ---------------------------------
>
> Key: AIRFLOW-3164
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3164
> Project: Apache Airflow
> Issue Type: Bug
> Reporter: Bolke de Bruin
> Priority: Blocker
> Fix For: 1.10.1
>
>
> Currently we don't verify the certificate of the LDAP server; this can lead to
> security incidents.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)