Date: Fri, 22 Jul 2016 01:48:20 +0000 (UTC)
From: "peter pang (JIRA)"
To: commits@airflow.incubator.apache.org
Subject: [jira] [Updated] (AIRFLOW-352) filter_by_owner is not working when use ldap authentication

[ https://issues.apache.org/jira/browse/AIRFLOW-352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

peter pang updated AIRFLOW-352:
-------------------------------
Description:
I set airflow.cfg as follows:
{noformat}
[webserver]
filter_by_owner = True
authenticate = TRUE
auth_backend = airflow.contrib.auth.backends.ldap_auth
[ldap]
uri = ldap://xx.xx.xx.xx
user_filter = objectClass=*
user_name_attr = uid
superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
bind_user = cn=admin,dc=example,dc=com
bind_password = secret
basedn = dc=example,dc=com
cacert = /etc/ca/ldap_ca.crt
search_scope=SUBTREE
{noformat}
Then I run the webUI, and I can log in with the superuser and the data_profiler user. But after logging in with the data profiler user and entering the data profiler user home view, there are no DAGs listed with the same DAG owner. It seems the filter_by_owner setting is not working.
Debugging into views.py --> class HomeView(AdminIndexView):
{color:red}current_user.username{color} always gets {color:red}"None"{color}. It seems we can't get the username directly.
So I continued debugging into ldap_auth.py --> class LdapUser(models.User):
I added a method to return the username
{code}
def get_username(self):
    return self.user.username
{code}
Then, back in views.py, I replaced 'current_user.username' with {color:red}'current_user.get_username()'{color}, and the user filter works now!
I don't know exactly why, but the modification works...

was:
I set airflow.cfg as follows:
[webserver]
filter_by_owner = True
authenticate = TRUE
auth_backend = airflow.contrib.auth.backends.ldap_auth
[ldap]
uri = ldap://xx.xx.xx.xx
user_filter = objectClass=*
user_name_attr = uid
superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
bind_user = cn=admin,dc=example,dc=com
bind_password = secret
basedn = dc=example,dc=com
cacert = /etc/ca/ldap_ca.crt
search_scope=SUBTREE
Then I run the webUI, and I can log in with the superuser and the data_profiler user. But after logging in with the data profiler user and entering the data profiler user home view, there are no DAGs listed with the same DAG owner. It seems the filter_by_owner setting is not working.
Debugging into views.py --> class HomeView(AdminIndexView):
current_user.username always returns "None". It seems we can't get the username directly.
So I continued debugging into ldap_auth.py --> class LdapUser(models.User):
I added a method to return the username
def get_username(self):
    return self.user.username
Then, back in views.py, I replaced 'current_user.username' with 'current_user.get_username()', and the user filter works now!
I don't know exactly why, but the modification works...

> filter_by_owner is not working when use ldap authentication
> -----------------------------------------------------------
>
> Key: AIRFLOW-352
> URL: https://issues.apache.org/jira/browse/AIRFLOW-352
> Project: Apache Airflow
> Issue Type: Bug
> Components: contrib, security, webserver
> Affects Versions: Airflow 1.7.1.3
> Environment: ubuntu 14.04 LTS , ldap without encryption
> Reporter: peter pang
> Labels: security
>
> I set airflow.cfg as follows:
> {noformat}
> [webserver]
> filter_by_owner = True
> authenticate = TRUE
> auth_backend = airflow.contrib.auth.backends.ldap_auth
> [ldap]
> uri = ldap://xx.xx.xx.xx
> user_filter = objectClass=*
> user_name_attr = uid
> superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
> data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
> bind_user = cn=admin,dc=example,dc=com
> bind_password = secret
> basedn = dc=example,dc=com
> cacert = /etc/ca/ldap_ca.crt
> search_scope=SUBTREE
> {noformat}
> Then I run the webUI, and I can log in with the superuser and the data_profiler user. But after logging in with the data profiler user and entering the data profiler user home view, there are no DAGs listed with the same DAG owner. It seems the filter_by_owner setting is not working.
> Debugging into views.py --> class HomeView(AdminIndexView):
> {color:red}current_user.username{color} always gets {color:red}"None"{color}. It seems we can't get the username directly.
> So I continued debugging into ldap_auth.py --> class LdapUser(models.User):
> I added a method to return the username
> {code}
> def get_username(self):
>     return self.user.username
> {code}
> Then, back in views.py, I replaced 'current_user.username' with {color:red}'current_user.get_username()'{color}, and the user filter works now!
> I don't know exactly why, but the modification works...

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
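
Added example (not part of the original JIRA message and not Airflow's code): a simplified model of the behaviour the report describes, assuming LdapUser keeps the stored record in self.user and never sets its own username, which is what the reporter's get_username() implies. The User and LdapUser stand-ins, DAGS, visible_dags and visible_dags_strict are hypothetical names with constructed data.

```python
# Added illustration: simplified stand-ins, not Airflow's own classes.


class User:
    """Stand-in for the stored user record (models.User in the report)."""
    username = None  # default seen on any instance that never sets it

    def __init__(self, username=None):
        if username is not None:
            self.username = username


class LdapUser(User):
    """Stand-in for the auth wrapper: holds the real record in self.user
    and never sets its own username (assumption drawn from the report)."""

    def __init__(self, user):
        self.user = user  # the wrapped record carries the real name

    def get_username(self):  # the method the reporter added
        return self.user.username


# Constructed sample data: (dag_id, owner)
DAGS = [("etl_daily", "alice"), ("ml_train", "bob"), ("report", "alice")]


def visible_dags(username):
    """Owner filter: keep only DAGs whose owner equals the given username."""
    return [dag_id for dag_id, owner in DAGS if owner == username]


def visible_dags_strict(username):
    """Same filter, but an unresolved identity is an error, not an empty list."""
    if not username:
        raise ValueError("authenticated user has no username; cannot filter by owner")
    return visible_dags(username)


current_user = LdapUser(User("alice"))

if __name__ == "__main__":
    print(current_user.username)                      # wrapper's own attribute
    print(visible_dags(current_user.username))        # filter compares owner to None
    print(visible_dags(current_user.get_username()))  # filter sees the wrapped name
```

The strict variant turns the silent empty DAG list into a visible error, which makes this kind of identity mismatch easier to catch when an auth backend is swapped.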