airflow-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <...@apache.org>
Subject [GitHub] zeninpalm closed pull request #3859: [AIRFLOW-3020]LDAP Authentication doesn't check whether a user belongs to a group correctly
Date Wed, 12 Sep 2018 06:20:42 GMT
zeninpalm closed pull request #3859: [AIRFLOW-3020]LDAP Authentication doesn't check whether
a user belongs to a group correctly
URL: https://github.com/apache/incubator-airflow/pull/3859
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/airflow/contrib/auth/backends/ldap_auth.py b/airflow/contrib/auth/backends/ldap_auth.py
index a949e89a77..a3bd0aaea0 100644
--- a/airflow/contrib/auth/backends/ldap_auth.py
+++ b/airflow/contrib/auth/backends/ldap_auth.py
@@ -74,7 +74,8 @@ def get_ldap_connection(dn=None, password=None):
     return conn
 
 
-def group_contains_user(conn, search_base, group_filter, user_name_attr, username):
+def user_groups_contain_target_group(conn, search_base, group_filter, user_name_attr,
+                                     group_names_of_user):
     search_filter = '(&({0}))'.format(group_filter)
 
     if not conn.search(native(search_base), native(search_filter),
@@ -82,9 +83,10 @@ def group_contains_user(conn, search_base, group_filter, user_name_attr,
usernam
         log.warning("Unable to find group for %s %s", search_base, search_filter)
     else:
         for entry in conn.entries:
-            if username.lower() in map(lambda attr: attr.lower(),
+            for name in group_names_of_user:
+                if name.lower() in map(lambda attr: attr.lower(),
                                        getattr(entry, user_name_attr).values):
-                return True
+                    return True
 
     return False
 
@@ -138,16 +140,30 @@ def __init__(self, user):
         except AirflowConfigException:
             pass
 
+        # Load the ldap group(s) a user belongs to
+        try:
+            self.ldap_groups = groups_user(
+                conn,
+                configuration.conf.get("ldap", "basedn"),
+                configuration.conf.get("ldap", "user_filter"),
+                configuration.conf.get("ldap", "user_name_attr"),
+                user.username
+            )
+        except AirflowConfigException:
+            log.debug("Missing configuration for ldap settings. Skipping")
+            self.ldap_groups = []
+
         if not superuser_filter:
             self.superuser = True
             log.debug("Missing configuration for superuser settings or empty. Skipping.")
         else:
-            self.superuser = group_contains_user(conn,
-                                                 configuration.conf.get("ldap", "basedn"),
-                                                 superuser_filter,
-                                                 configuration.conf.get("ldap",
-                                                                        "user_name_attr"),
-                                                 user.username)
+            self.superuser = user_groups_contain_target_group(
+                conn,
+                configuration.conf.get("ldap", "basedn"),
+                superuser_filter,
+                configuration.conf.get("ldap",
+                                       "user_name_attr"),
+                self.ldap_groups)
 
         try:
             data_profiler_filter = configuration.conf.get("ldap", "data_profiler_filter")
@@ -159,26 +175,16 @@ def __init__(self, user):
             log.debug("Missing configuration for data profiler settings or empty. "
                       "Skipping.")
         else:
-            self.data_profiler = group_contains_user(
+            self.data_profiler = user_groups_contain_target_group(
                 conn,
                 configuration.conf.get("ldap", "basedn"),
                 data_profiler_filter,
                 configuration.conf.get("ldap",
                                        "user_name_attr"),
-                user.username
+                self.ldap_groups
             )
 
-        # Load the ldap group(s) a user belongs to
-        try:
-            self.ldap_groups = groups_user(
-                conn,
-                configuration.conf.get("ldap", "basedn"),
-                configuration.conf.get("ldap", "user_filter"),
-                configuration.conf.get("ldap", "user_name_attr"),
-                user.username
-            )
-        except AirflowConfigException:
-            log.debug("Missing configuration for ldap settings. Skipping")
+
 
     @staticmethod
     def try_login(username, password):


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

Mime
View raw message