From criccom...@apache.org
Subject incubator-airflow git commit: [AIRFLOW-1095] Make ldap_auth memberOf come from configuration
Date Mon, 10 Apr 2017 18:09:17 GMT
Repository: incubator-airflow
Updated Branches:
  refs/heads/master 177d34157 -> 6b1c327ee


[AIRFLOW-1095] Make ldap_auth memberOf come from configuration

If the key ldap/group_member_attr is set in
airflow.cfg, its value is used to look up the
groups of the user.

Closes #2232 from vfoucault/fixbug/ldap_auth


Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/6b1c327e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/6b1c327e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/6b1c327e

Branch: refs/heads/master
Commit: 6b1c327ee886488eedbe8a8721708b89f37d5560
Parents: 177d341
Author: Vianney Foucault <vianney.foucault@gmail.com>
Authored: Mon Apr 10 11:08:04 2017 -0700
Committer: Chris Riccomini <criccomini@apache.org>
Committed: Mon Apr 10 11:08:16 2017 -0700

----------------------------------------------------------------------
 airflow/config_templates/default_airflow.cfg | 12 ++++++++++++
 airflow/contrib/auth/backends/ldap_auth.py   | 14 +++++++++-----
 docs/security.rst                            | 10 ++++++++--
 3 files changed, 29 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/6b1c327e/airflow/config_templates/default_airflow.cfg
----------------------------------------------------------------------
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index b28256a..2b5fb5d 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -332,6 +332,18 @@ max_threads = 2
 
 authenticate = False
 
+[ldap]
+uri = ldaps://<your.ldap.server>:<port>
+user_filter = objectClass=*
+user_name_attr = uid
+group_member_attr = memberOf
+superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
+data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
+bind_user = cn=Manager,dc=example,dc=com
+bind_password = insecure
+basedn = dc=example,dc=com
+cacert = /etc/ca/ldap_ca.crt
+search_scope = LEVEL
 
 [mesos]
 # Mesos master address which MesosExecutor will connect to.
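Review bot: The new `[ldap]` section ships a literal `bind_password = insecure` (and a concrete `bind_user` / `cacert`) in the default template, so a deployment that enables LDAP but forgets to set these values binds with the placeholder credential instead of failing; if this template also serves as the fallback defaults for `configuration.get`, the placeholder is picked up silently with no error at all. I would leave the sensitive keys commented out so that a missing value fails at the configuration lookup rather than at the directory: `# bind_user = cn=Manager,dc=example,dc=com` and `# bind_password = ` preceded by `# set these to a read-only bind account; do not leave a placeholder password in a deployed config`. The `<your.ldap.server>:<port>` placeholder in `uri` already follows that "must be edited" convention, so the credential lines should match it.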

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/6b1c327e/airflow/contrib/auth/backends/ldap_auth.py
----------------------------------------------------------------------
diff --git a/airflow/contrib/auth/backends/ldap_auth.py b/airflow/contrib/auth/backends/ldap_auth.py
index 0e066e2..341f710 100644
--- a/airflow/contrib/auth/backends/ldap_auth.py
+++ b/airflow/contrib/auth/backends/ldap_auth.py
@@ -89,18 +89,22 @@ def group_contains_user(conn, search_base, group_filter, user_name_attr,
usernam
 
 def groups_user(conn, search_base, user_filter, user_name_att, username):
     search_filter = "(&({0})({1}={2}))".format(user_filter, user_name_att, username)
-    res = conn.search(native(search_base), native(search_filter), attributes=[native("memberOf")])
+    try:
+        memberof_attr = configuration.get("ldap", "group_member_attr")
+    except:
+        memberof_attr = "memberOf"
+    res = conn.search(native(search_base), native(search_filter), attributes=[native(memberof_attr)])
     if not res:
         LOG.info("Cannot find user %s", username)
         raise AuthenticationError("Invalid username or password")
 
-    if conn.response and "memberOf" not in conn.response[0]["attributes"]:
-        LOG.warning("""Missing attribute "memberOf" when looked-up in Ldap database.
+    if conn.response and memberof_attr not in conn.response[0]["attributes"]:
+        LOG.warning("""Missing attribute "%s" when looked-up in Ldap database.
         The user does not seem to be a member of a group and therefore won't see any dag
-        if the option filter_by_owner=True and owner_mode=ldapgroup are set""")
+        if the option filter_by_owner=True and owner_mode=ldapgroup are set""", memberof_attr)
         return []
 
-    user_groups = conn.response[0]["attributes"]["memberOf"]
+    user_groups = conn.response[0]["attributes"][memberof_attr]
 
     regex = re.compile("cn=([^,]*).*", re.IGNORECASE)
     groups_list = []
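Review bot: The bare `except:` added around the configuration lookup swallows every exception, including KeyboardInterrupt and SystemExit, and also hides a genuinely malformed `[ldap]` section behind the silent `memberOf` fallback. Narrow it to the exception `configuration.get` raises for a missing key — presumably AirflowConfigException in this codebase, confirm against `airflow.configuration` — e.g. `except AirflowConfigException:` followed by `memberof_attr = "memberOf"`, and consider logging at debug level that the default is in use so operators can tell which attribute the group lookup is actually reading. Note that `superuser_filter` / `data_profiler_filter` still name the attribute explicitly in the operator's own filter strings, so a comment such as `# must agree with the attribute used in the *_filter options` next to the lookup would prevent a mismatch that silently yields no groups. `groups_user` continues past the end of the hunk (the regex-based group-name extraction).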

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/6b1c327e/docs/security.rst
----------------------------------------------------------------------
diff --git a/docs/security.rst b/docs/security.rst
index c0e2918..ada34a2 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -72,6 +72,11 @@ Valid search_scope options can be found in the `ldap3 Documentation <http://ldap
     user_filter = objectClass=*
     # in case of Active Directory you would use: user_name_attr = sAMAccountName
     user_name_attr = uid
+    # group_member_attr should be set accordingly with *_filter
+    # eg :
+    #     group_member_attr = groupMembership
+    #     superuser_filter = groupMembership=CN=airflow-super-users...
+    group_member_attr = memberOf
     superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
     data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
     bind_user = cn=Manager,dc=example,dc=com
@@ -101,7 +106,7 @@ Multi-tenancy
 -------------
 
 You can filter the list of dags in webserver by owner name when authentication
-is turned on by setting ``webserver:filter_by_owner`` in your config. With this, a user will
see 
+is turned on by setting ``webserver:filter_by_owner`` in your config. With this, a user will
see
 only the dags which it is owner of, unless it is a superuser.
 
 .. code-block:: bash
@@ -287,6 +292,7 @@ backend. In order to setup an application:
 
 1. Navigate to https://console.developers.google.com/apis/
 2. Select 'Credentials' from the left hand nav
+2. Select 'Credentials' from the left hand nav
 3. Click 'Create credentials' and choose 'OAuth client ID'
 4. Choose 'Web application'
 5. Fill in the required information (the 'Authorized redirect URIs' must be fully qualifed
e.g. http://airflow.example.com/oauth2callback)
@@ -338,7 +344,7 @@ log to will have permissions changed such that only the unix user can
write to i
 Default Impersonation
 '''''''''''''''''''''
 To prevent tasks that don't use impersonation to be run with `sudo` privileges, you can set
the
-``core:default_impersonation`` config which sets a default user impersonate if `run_as_user`
is 
+``core:default_impersonation`` config which sets a default user impersonate if `run_as_user`
is
 not set.
 
 .. code-block:: bash

