airflow-commits mailing list archives

From "Erich Hochmuth (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AIRFLOW-1578) LDAP group search filter shouldn't execute if owner_mode is user
Date Fri, 08 Sep 2017 05:15:00 GMT
Erich Hochmuth created AIRFLOW-1578:
---------------------------------------

             Summary: LDAP group search filter shouldn't execute if owner_mode is user
                 Key: AIRFLOW-1578
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1578
             Project: Apache Airflow
          Issue Type: Bug
          Components: security
    Affects Versions: Airflow 1.8
            Reporter: Erich Hochmuth
            Priority: Minor


The LDAP query to pull user groups shouldn't execute if the owner mode is user.
What makes this worse is that at the moment the LDAP group search filter is also confined to the same
query string used to check the user, except that it's looking for the memberOf attribute. Some
organizations may put user group relationships in a completely different dn.

At a minimum, make the group filter check optional if owner mode is "user".

In ldap_auth.py
https://github.com/apache/incubator-airflow/blob/master/airflow/contrib/auth/backends/ldap_auth.py

def groups_user(conn, search_base, user_filter, user_name_att, username):
    if configuration.get("core", "owner_mode") == "user":
        return []



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
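
The behaviour requested in this report, as an added example that is not part of the original message and is not Airflow's ldap_auth.py: the group lookup is skipped when the owner mode is "user", and group entries can be searched under their own base instead of relying on memberOf. FakeDirectory, groups_for_user, the group_base parameter and the sample entries are hypothetical and constructed for illustration; "ldapgroup" stands for the group-based owner mode.

```python
# Added illustration, not Airflow's ldap_auth.py; every name here is hypothetical.

class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP connection; counts queries."""

    def __init__(self, entries):
        self.entries = entries  # list of (dn, attributes) pairs
        self.searches = 0

    def search(self, base, attr, value):
        """Return entries under `base` whose `attr` contains `value`."""
        self.searches += 1
        return [(dn, attrs) for dn, attrs in self.entries
                if dn.lower().endswith(base.lower())
                and value in attrs.get(attr, [])]


# Constructed sample data: membership is stored on group entries in their own
# subtree, and the user entry carries no memberOf attribute.
ALICE = "uid=alice,ou=people,dc=example,dc=org"
ENTRIES = [
    (ALICE, {"uid": ["alice"]}),
    ("cn=data-eng,ou=groups,dc=example,dc=org", {"member": [ALICE]}),
    ("cn=finance,ou=groups,dc=example,dc=org",
     {"member": ["uid=bob,ou=people,dc=example,dc=org"]}),
]


def groups_for_user(conn, owner_mode, uid, user_dn, user_base, group_base=None):
    """Resolve a user's groups only when the owner mode needs them."""
    if owner_mode == "user":
        return []  # ownership is per user, so no group query is issued
    if group_base:
        # Groups live in a different subtree: match group entries on the user's DN.
        return sorted(dn for dn, _ in conn.search(group_base, "member", user_dn))
    # Otherwise read memberOf from the user entry itself.
    groups = []
    for _, attrs in conn.search(user_base, "uid", uid):
        groups.extend(attrs.get("memberOf", []))
    return sorted(groups)
```

With the constructed directory above, the memberOf path returns no groups for alice, while the separate group base finds her one group.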
