airflow-commits mailing list archives

From bo...@apache.org
Subject incubator-airflow git commit: [AIRFLOW-500] Use id for github allowed teams
Date Sat, 08 Oct 2016 21:30:50 GMT
Repository: incubator-airflow
Updated Branches:
  refs/heads/master bae8bc739 -> a66cf75e2


[AIRFLOW-500] Use id for github allowed teams

The team string is not unique across an organization
and therefore we should use the long id instead.

Closes #1788 from mylons/master


Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/a66cf75e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/a66cf75e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/a66cf75e

Branch: refs/heads/master
Commit: a66cf75e239bf7ef9c6ffc49f20bf6810a7e76b6
Parents: bae8bc7
Author: Mike Lyons <mrlyons@gmail.com>
Authored: Sat Oct 8 23:27:12 2016 +0200
Committer: Bolke de Bruin <bolke@xs4all.nl>
Committed: Sat Oct 8 23:27:27 2016 +0200

----------------------------------------------------------------------
 .../auth/backends/github_enterprise_auth.py     | 24 ++++++++++++++------
 docs/security.rst                               |  2 +-
 2 files changed, 18 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/a66cf75e/airflow/contrib/auth/backends/github_enterprise_auth.py
----------------------------------------------------------------------
diff --git a/airflow/contrib/auth/backends/github_enterprise_auth.py b/airflow/contrib/auth/backends/github_enterprise_auth.py
index f9d6426..91126c7 100644
--- a/airflow/contrib/auth/backends/github_enterprise_auth.py
+++ b/airflow/contrib/auth/backends/github_enterprise_auth.py
@@ -138,13 +138,21 @@ class GHEAuthBackend(object):
 
     def ghe_team_check(self, username, ghe_token):
         try:
-            teams = [team.strip()
-                     for team in
-                     get_config_param('allowed_teams').split(',')]
+            # the response from ghe returns the id of the team as an integer
+            try:
+                allowed_teams = [int(team.strip())
+                                 for team in
+                                 get_config_param('allowed_teams').split(',')]
+            except ValueError:
+                # this is to deprecate using the string name for a team
+                raise ValueError('it appears that you are using the string name for a team,
'
+                                 'please use the id number instead')
+
         except AirflowConfigException:
             # No allowed teams defined, let anyone in GHE in.
             return True
 
+        # https://developer.github.com/v3/orgs/teams/#list-user-teams
         resp = self.ghe_oauth.get(self.ghe_api_route('/user/teams'),
                                   token=(ghe_token, ''))
 
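Review bot: The inner `except ValueError` in `ghe_team_check` also fires for an empty entry, not only for a team name. A value such as `allowed_teams = 1, 345,` or an empty `allowed_teams =` produces `int('')`, so the operator is told they used a string name when the real problem is a stray comma. The parse also runs on every login, so a bad value only surfaces when a user first tries to authenticate. Consider parsing the list once when the backend is initialised, skipping empty tokens, and naming the offending token in the message. It is also worth keeping in mind that the outer `except AirflowConfigException` still returns True, so a missing `allowed_teams` key admits every GHE user while a malformed one blocks everyone; the docs should make that difference explicit.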
@@ -154,14 +162,16 @@ class GHEAuthBackend(object):
                     resp.status if resp else 'None'))
 
         for team in resp.data:
-            # team json object has a slug cased team name field aptly named
-            # 'slug'
-            if team['slug'] in teams:
+            # mylons: previously this line used to be if team['slug'] in teams
+            # however, teams are part of organizations. organizations are unique,
+            # but teams are not therefore 'slug' for a team is not necessarily unique.
+            # use id instead
+            if team['id'] in allowed_teams:
                 return True
 
         _log.debug('Denying access for user "%s", not a member of "%s"',
                    username,
-                   str(teams))
+                   str(allowed_teams))
 
         return False
 
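Review bot: The `_log.debug` denial message at the end of this hunk now prints only the configured numeric ids, which makes a refused login hard to diagnose, since nothing records which teams the API actually returned for the user. Suggest logging the `id` and `slug` of each entry in `resp.data` alongside `allowed_teams`, and consider a level above debug for an authorization denial. As a style point, the `# mylons: previously this line used to be ...` comment is change history that belongs in the commit message; a one-line comment saying that `id` is used because `slug` is not unique across organizations would be enough.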

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/a66cf75e/docs/security.rst
----------------------------------------------------------------------
diff --git a/docs/security.rst b/docs/security.rst
index 872102f..29f228d 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -240,7 +240,7 @@ your GHE installation will be able to login to Airflow.
     client_id = oauth_key_from_github_enterprise
     client_secret = oauth_secret_from_github_enterprise
     oauth_callback_route = /example/ghe_oauth/callback
-    allowed_teams = example_team_1, example_team_2
+    allowed_teams = 1, 345, 23
 
 Setting up GHE Authentication
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
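Review bot: The new example line `allowed_teams = 1, 345, 23` changes the accepted format without any accompanying text, so a reader of docs/security.rst cannot tell what these numbers are or where to get them. Suggest adding a sentence stating that the values are numeric GHE team ids (the `id` field returned by the teams API that the code comment links to) and that team names are no longer accepted and now raise a ValueError at login, since existing deployments configured with names will stop authenticating after this change.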

