[AIRFLOW-1095] Make ldap_auth memberOf come from configuration

If the key ldap/group_member_attr is set in the airflow.cfg, this value is used to lookup groups for the user. Closes apache#2232 from vfoucault/fixbug/ldap_auth
dmartin11 · Apr 10, 2017 · 6b1c327 · 6b1c327
1 parent 177d341
commit 6b1c327
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 7 deletions.
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
@@ -332,6 +332,18 @@ max_threads = 2
 
 authenticate = False
 
+[ldap]
+uri = ldaps://<your.ldap.server>:<port>
+user_filter = objectClass=*
+user_name_attr = uid
+group_member_attr = memberOf
+superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
+data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
+bind_user = cn=Manager,dc=example,dc=com
+bind_password = insecure
+basedn = dc=example,dc=com
+cacert = /etc/ca/ldap_ca.crt
+search_scope = LEVEL
 
 [mesos]
 # Mesos master address which MesosExecutor will connect to.

diff --git a/airflow/contrib/auth/backends/ldap_auth.py b/airflow/contrib/auth/backends/ldap_auth.py
@@ -89,18 +89,22 @@ def group_contains_user(conn, search_base, group_filter, user_name_attr, usernam
 
 def groups_user(conn, search_base, user_filter, user_name_att, username):
     search_filter = "(&({0})({1}={2}))".format(user_filter, user_name_att, username)
-    res = conn.search(native(search_base), native(search_filter), attributes=[native("memberOf")])
+    try:
+        memberof_attr = configuration.get("ldap", "group_member_attr")
+    except:
+        memberof_attr = "memberOf"
+    res = conn.search(native(search_base), native(search_filter), attributes=[native(memberof_attr)])
     if not res:
         LOG.info("Cannot find user %s", username)
         raise AuthenticationError("Invalid username or password")
 
-    if conn.response and "memberOf" not in conn.response[0]["attributes"]:
-        LOG.warning("""Missing attribute "memberOf" when looked-up in Ldap database.
+    if conn.response and memberof_attr not in conn.response[0]["attributes"]:
+        LOG.warning("""Missing attribute "%s" when looked-up in Ldap database.
         The user does not seem to be a member of a group and therefore won't see any dag
-        if the option filter_by_owner=True and owner_mode=ldapgroup are set""")
+        if the option filter_by_owner=True and owner_mode=ldapgroup are set""", memberof_attr)
         return []
 
-    user_groups = conn.response[0]["attributes"]["memberOf"]
+    user_groups = conn.response[0]["attributes"][memberof_attr]
 
     regex = re.compile("cn=([^,]*).*", re.IGNORECASE)
     groups_list = []

diff --git a/docs/security.rst b/docs/security.rst
@@ -72,6 +72,11 @@ Valid search_scope options can be found in the `ldap3 Documentation <http://ldap
     user_filter = objectClass=*
     # in case of Active Directory you would use: user_name_attr = sAMAccountName
     user_name_attr = uid
+    # group_member_attr should be set accordingly with *_filter
+    # eg :
+    #     group_member_attr = groupMembership
+    #     superuser_filter = groupMembership=CN=airflow-super-users...
+    group_member_attr = memberOf
     superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
     data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
     bind_user = cn=Manager,dc=example,dc=com
@@ -101,7 +106,7 @@ Multi-tenancy
 -------------
 
 You can filter the list of dags in webserver by owner name when authentication
-is turned on by setting ``webserver:filter_by_owner`` in your config. With this, a user will see 
+is turned on by setting ``webserver:filter_by_owner`` in your config. With this, a user will see
 only the dags which it is owner of, unless it is a superuser.
 
 .. code-block:: bash
@@ -287,6 +292,7 @@ backend. In order to setup an application:
 
 1. Navigate to https://console.developers.google.com/apis/
 2. Select 'Credentials' from the left hand nav
+2. Select 'Credentials' from the left hand nav
 3. Click 'Create credentials' and choose 'OAuth client ID'
 4. Choose 'Web application'
 5. Fill in the required information (the 'Authorized redirect URIs' must be fully qualifed e.g. http://airflow.example.com/oauth2callback)
@@ -338,7 +344,7 @@ log to will have permissions changed such that only the unix user can write to i
 Default Impersonation
 '''''''''''''''''''''
 To prevent tasks that don't use impersonation to be run with `sudo` privileges, you can set the
-``core:default_impersonation`` config which sets a default user impersonate if `run_as_user` is 
+``core:default_impersonation`` config which sets a default user impersonate if `run_as_user` is
 not set.
 
 .. code-block:: bash